Recently, a physician in Indiana publicly revealed that a 10-year-old child rape victim from Ohio had to travel to Indiana to get an abortion. Some in the media stated that the physician should be prosecuted for violating HIPAA privacy laws. But did she?
I recently encountered a second HIPAA question. When asked if she had received a COVID vaccine, an acquaintance who is opposed to vaccines told me: “If I told you, I would be breaking the HIPAA law”. But would she?
Both of these cases illustrate common misconceptions about HIPAA and how HIPAA can be weaponized, in the first case by abortion prohibitionists and in the second case by anti-vaxxers.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which set a national standard for the protection of certain health information. In other words, it set into law what a healthcare provider can and cannot say publicly about patients. The penalties for not complying with HIPAA are severe. Violators can be subject to civil penalties of $100 – $50,000 per violation (depending on circumstances) and up to $1,500,000 total per year. In addition, violators can be subject to criminal penalties of up to $250,000 and 10 years' imprisonment. Hospitals, health insurance companies, and others who manage health information are highly motivated to maintain strict compliance programs to ensure that all employees adhere to HIPAA requirements.
At the core of HIPAA is protected health information that cannot be made public without a person’s consent. The law identifies 18 specific personal identifiers that are considered to be protected health information when those personal identifiers are associated with information about a person’s physical or mental health:
- Name (either full name or last name + first initial)
- Address and geographic locators smaller than a state EXCEPT for the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
- Dates (other than year) directly related to the patient including:
  - birth date
  - admission date
  - discharge date
  - death date
  - age in years (only if older than 89 years of age)
- Phone numbers
- Fax numbers
- Email addresses
- Social security number
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- License and certificate numbers
- Vehicle license plate numbers and motor vehicle identification numbers
- Device serial numbers and identifiers
- Web URLs (uniform resource locators)
- IP (internet protocol) addresses
- Biometric identifiers (finger prints, voice prints, retinal prints)
- Facial photos or other personally identifying images
- Any other unique identifying number, characteristic, or code
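The list above is, in practice, the rule set that hospitals and research data teams apply when they strip a record down to something that is no longer protected health information. The following is an added example (not from the original post, and not any institution's production code) that applies those rules to a constructed patient record: direct identifiers are dropped, dates keep only the year, ages over 89 are aggregated, and ZIP codes keep their first three digits only where the three-digit area exceeds 20,000 people. The field names and the ZIP-prefix population table are assumptions for the example.

```python
from datetime import date

# Constructed lookup of people living in each 3-digit ZIP prefix area. Real
# figures come from Census data; these values are assumed for the example only.
ZIP3_POPULATION = {"432": 1_200_000, "998": 15_000}

# Hypothetical field names for the identifiers that are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account", "license", "plate", "device_serial", "url",
    "ip", "biometric", "photo",
}
# Dates directly related to the patient: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its area has more than 20,000 people;
    otherwise collapse it to '000' so it identifies nobody."""
    prefix = zip_code.strip()[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(age: int) -> str:
    """Ages over 89 are identifying on their own; bucket them as '90+'."""
    return "90+" if age > 89 else str(age)


def safe_harbor_date(d: date) -> str:
    """A patient-related date may be reduced to its year, nothing finer."""
    return str(d.year)


def deidentify(record: dict) -> dict:
    """Return a copy of the record with the 18 identifier classes handled."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key] = safe_harbor_date(value)
        elif key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        else:
            out[key] = value  # state, diagnosis, etc. are not identifiers
    return out


# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-0001", "zip": "43215", "state": "OH",
    "birth_date": date(2012, 3, 4), "admission_date": date(2022, 6, 30),
    "age": 10, "diagnosis": "example condition",
}
```

Running `deidentify(SAMPLE_RECORD)` leaves only the state, the year of each date, the age, the diagnosis and the ZIP prefix `432`, which is exactly the set of details the post later argues are permissible to disclose.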
The HIPAA law does not apply to everyone. The specific groups covered by HIPAA are: (1) healthcare providers, (2) health plans and insurance companies, (3) health clearinghouses, and (4) business associates. There are exceptions in order to permit a person’s health information to be disclosed for treatment, payment, and healthcare operations. For example, this permits a physician consultant to convey a patient’s health information in a referral letter to the patient’s primary care physician. It also permits a physician to submit payment for healthcare services rendered to the patient’s health insurance company. In addition, a person can give written consent for a physician or hospital to release their medical records, for example, for a life insurance application or for a disability determination.
HIPAA permits use and disclosure of personal health information, without an individual’s authorization or permission, for 12 specific national priority purposes:
- When required by law
- Public health activities
- Victims of abuse or neglect or domestic violence
- Health oversight activities (eg, Medicare audits)
- Judicial and administrative proceedings
- Law enforcement
- Functions concerning deceased persons (such as identification)
- Cadaveric organ, eye, or tissue donation
- Research, under certain specific conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions (eg, military operations and national security operations)
- Workers’ compensation
So, let’s go back and take a look at the first case. Did the Indiana physician violate HIPAA laws by publicly disclosing that a 10-year-old from Ohio had come to Indiana to get an abortion? The child’s age (in years) was mentioned, but that is permissible under HIPAA as long as the patient is younger than 89 years old. No birth date or hospital admission date was listed. Neither the girl’s name nor any personal identifying images or numbers were listed. The physician disclosed that the girl lives in Ohio; however, it is permissible under HIPAA to disclose the state that the patient lives in. Although the physician did not disclose that the girl lives in Columbus (as was later reported by the Columbus Dispatch newspaper), the physician could have done so, since the first 3 digits of the Columbus zip codes are 432.. and the total population of all 432.. zip codes is greater than 20,000 people.
The verdict: the physician did not violate HIPAA.
In the second case, the woman stated that she could not publicly reveal whether or not she had received a COVID vaccine. Would doing so have been a HIPAA law violation? HIPAA only applies to release of personal health information by healthcare providers, insurance organizations, and business associates. It does not apply to the general public and certainly does not apply to personal disclosure by oneself.
The verdict: voluntarily stating whether or not you have received a COVID vaccine does not violate HIPAA.
The HIPAA law provides important protections to the public by prohibiting release of people’s personal health information without their permission. But there are many misconceptions about HIPAA and it is often used as a justification for political or social agendas.
July 17, 2022