Editor’s Note: HIPAA Becomes a Catchall for ‘None of Your Business’
By Lee DeOrio
For The Record
Vol. 33 No. 6 P. 4
While in line at the grocery store the other day, the person ahead of me had forgotten her rewards card. The pimply teenage check-out kid said he could look it up via the phone number associated with the account.
The woman took exception to that possibility, noting that “I believe that’s a HIPAA violation.”
I immediately grabbed my gallon of milk and clobbered her over the head. She dropped like the sack of flour that slipped off the conveyor belt, crashing into the PIN pad on her way down to the floor and opening a gash that would surely send her to the emergency department. “Now you’ll find out firsthand how HIPAA really works,” I shouted.
Of course, only half of that tale is true (the HIPAA-ignorant woman is doing fine). Seriously, the pandemic has spawned numerous health care calamities, including a grave misunderstanding of how to apply HIPAA. It seems no one is immune from incorrectly citing the longstanding and controversial regulation. From perturbed shoppers being asked to wear a mask to professional athletes refusing to answer journalists’ questions, HIPAA is rising up the ranks of the excuse tree nearly as fast as “I don’t recall” and “I was just a kid.”
The situation became so dicey that Health and Human Services (HHS) felt the need to issue guidance on how HIPAA applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status. In the bulletin, HHS emphasized that the Privacy Rule applies only to covered entities. Last time I checked, star quarterbacks did not fall under this umbrella.
According to HHS, employers, schools, stores, restaurants, and many others may request that an individual disclose whether he or she has been vaccinated without violating the Privacy Rule. Granted, news from HHS rarely sends the Twitterverse into a frenzy, generates adorable TikTok videos, or produces subject matter on a “white woman’s Instagram” (apologies to Bo Burnham). Still, by now you would think that most people would know that they can’t shout HIPAA every time they are asked for information pertaining to their vaccination status.
Kelly McLendon, RHIA, CHPS, senior vice president of compliance and regulatory affairs at CompliancePro Solutions, says HIPAA is so vast and complex that it is rife for misunderstanding—especially for the public. “I think that [the federal government] should be issuing as much guidance for public consumption as they can about privacy and what and how HIPAA helps them and what it does not do. Much of what they issue is for those who know the rules, not as much for the public,” he says.
As these misapplications of HIPAA occur, McLendon says that’s the time to hammer the point about what is correct and what is not. The bad news? “I don’t think the public really will learn the details enough to ameliorate the situation enough not to make erroneous assumptions,” he says. In other words, shoppers beware.