Public Interest

What HIPAA Actually Covers, Plainly

About this blog: Irving Steel is a law student, not a licensed attorney. Nothing on this site is legal advice. Reading this blog does not create an attorney-client relationship. For advice about your specific situation, consult a licensed lawyer in your jurisdiction. This blog reflects personal views and is not affiliated with any law school, firm, or employer.

HIPAA may be the most confidently misquoted law in America. People invoke it when a store asks about vaccination status, when an employer asks why they called in sick, when a neighbor gossips about a surgery. Almost none of that is HIPAA. Before law school I earned a Master of Public Health, and the gap between what people think HIPAA does and what it actually does came up constantly.

HIPAA in one sentence

HIPAA’s privacy rules restrict how a specific list of organizations, mostly health care providers, health plans, and their contractors, may use and share your identifiable health information. It regulates them, not everyone.

Who HIPAA actually binds

The privacy and security rules apply to covered entities and their business associates:

  • Health care providers that bill electronically: doctors, hospitals, clinics, pharmacies, dentists, most therapists.
  • Health plans: insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans.
  • Health care clearinghouses, the billing intermediaries most patients never see.
  • Business associates: vendors that handle health information for the above, such as billing companies, cloud hosts, and, relevant to my corner of the world, lawyers and accountants working for providers.

If an organization is not on that list, HIPAA generally does not bind it. That single fact resolves most HIPAA myths.

What counts as protected information

Protected health information (PHI) is health information that identifies you, or reasonably could, held by a covered entity or business associate: diagnoses, treatment notes, prescriptions, billing records, even the fact that you are a patient somewhere. Strip out the identifiers properly and the data is de-identified and outside the rule, which is how large health datasets get used in research.

The myths, corrected

“They can’t ask me about my health, that’s a HIPAA violation.” HIPAA restricts disclosure by covered entities. It says nothing about questions. A store, an airline, or your gym asking about your vaccination status is not violating HIPAA. You can decline to answer; they can often decline service. Whether that is fair is a different legal conversation, but it is not this statute.

“My employer can’t ask why I’m out sick.” Your employer is generally not a covered entity (the group health plan it sponsors is, which is a different thing). Other laws, like the ADA and FMLA, do limit what employers may ask and require about medical information. People often mean those laws when they say HIPAA.

“My friend told people about my surgery, I’ll sue under HIPAA.” Two problems. Your friend is not a covered entity. And HIPAA has no private right of action: individuals cannot sue under HIPAA at all. Enforcement belongs to the federal Office for Civil Rights and state attorneys general. A person harmed by a leak may have state-law privacy claims, but the lawsuit will not be “a HIPAA case.”

“HIPAA means my records can never be shared without my signature.” HIPAA permits disclosure without authorization for a long list of purposes: treatment, payment, health care operations, public health reporting (disease surveillance is built on this), certain law enforcement requests, and more. The rule is a framework of permitted flows, not a lockbox.

What HIPAA gives you

The underrated half of the law is affirmative rights. You can get a copy of your records (providers must respond within set timeframes and may charge only limited fees), request corrections, ask for an accounting of certain disclosures, and request restrictions. In my experience the right of access is the one worth knowing cold: patients who ask for their complete records, in writing, citing their HIPAA right of access, tend to get them.

Where the rest of the protection comes from

HIPAA is a floor with a narrow footprint. Around it sit state medical privacy and confidentiality laws (often stricter), 42 CFR Part 2 for substance-use treatment records, the ADA and FMLA on the employment side, and the FTC’s authority over health apps and wearables that HIPAA never reached. If your fitness tracker sells your data, the problem is real, but the statute is not HIPAA.

Knowing which law actually governs is half of health privacy. The other half is knowing your access rights and using them.

Further reading

I am a law student, not a lawyer. Nothing on this site is legal advice. If you are facing a legal issue, talk to a licensed attorney in your state.

Irving Steel

Irving Steel

Irving Steel is a second-year law student at Roger Williams University School of Law who writes in plain language about how the law works and who it affects. Before law school he studied international relations, led business ventures in the U.S. and China, and earned a public health degree. He spent his 1L spring break doing pro bono legal work with the Sugar Law Center in Detroit.