No, HIPAA does not protect all of your private medical information

The Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA, is a federal law that restricts the release of medical information without a person’s consent.

HIPAA has been a major topic of conversation over the past few years, especially as it relates to protecting health data from period apps after Roe v. Wade was overturned and asking about a person’s COVID-19 vaccine status. VERIFY has answered many questions about what may or may not violate the law.

However, there remains a lot of confusion online about what HIPAA does and doesn’t protect.

Multiple VERIFY readers, including Elle and Ron, want to know if all of your private medical information is protected under HIPAA.

THE QUESTION

Does HIPAA protect all of your private medical information?

THE SOURCES

• U.S. Department of Health and Human Services
• U.S. Centers for Disease Control and Prevention
• Consumer Reports
• Kayte Spector-Bagdady, J.D., lawyer, bioethicist and interim co-director at the University of Michigan’s Center for Bioethics and Social Sciences in Medicine

THE ANSWER

No, HIPAA does not protect all of your private medical information.

WHAT WE FOUND

Sign up for the VERIFY Fast Facts newsletter here. 

It’s a common misconception that HIPAA protects all of your private medical information. HIPAA’s privacy rule only applies to groups known as “covered entities” and many other organizations with access to your private medical information aren’t required to follow it.

“People often feel like HIPAA protects them from being asked about their medical information or prohibits other people from asking about their medical information. Neither is true,” Kayte Spector-Bagdady, J.D., a lawyer and bioethicist, previously told VERIFY.

When HIPAA became law in 1996, it established national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge, according to the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC).

The HIPAA privacy rule sets regulations and limits on who can look at and receive a person’s private medical information, whether electronic, written or oral.

The type of medical information that is protected under HIPAA includes conversations your doctor has about your care or treatment with nurses and others, as well as information your doctors, nurses and other health care providers put in your medical record.

Medical information in your health insurer’s computer system and billing information about you at your clinic are also protected under HIPAA, according to HHS.

The privacy rule also gives people rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

But the privacy rule only applies to three groups known as covered entities, meaning these groups are required to follow the HIPAA laws. Covered entities include:

• Health plans — health insurance companies, HMOs, company health plans and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most health care providers — those that conduct certain business electronically, such as electronically billing your health insurance, including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists.
• Health care clearinghouses — entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

“HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances,” Spector-Bagdady said.

Business associates of covered entities must also follow parts of the HIPAA rules, according to HHS. Examples of business associates include:

• Companies that help doctors get paid for providing health care, including billing companies and companies that process health care claims
• Companies that help administer health plans
• People like outside lawyers, accountants and IT specialists
• Companies that store or destroy medical records

“Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately,” HHS says. “Business associates must also have similar contracts with subcontractors.”

But many organizations that may have access to your private medical information are not required to follow HIPAA rules, HHS says. These organizations include: 

• Life insurers
• Employers
• Workers compensation carriers
• Most schools and school districts
• Many state agencies like child protective service agencies
• Most law enforcement agencies
• Many municipal offices

Because school districts generally are not covered entities, HIPAA’s privacy rule does not apply to them. Student health records, for example, are considered “education records” under the Family Educational Rights and Privacy Act, also known as FERPA, “and, thus, not ‘protected health information’ under HIPAA,” HHS says.

HIPAA rules also don’t protect your private medical data when you’re browsing the internet for health information, wearing a smartwatch device like an Apple Watch or a Fitbit, fielding questions about your vaccination status, or using most period tracking apps, according to Consumer Reports.

“Many people believe that HIPAA creates special protections for any information related to your health, but that is not the case,” Consumer Reports says.