HIPPA

During the course of the pandemic, when looking to protect their personal autonomy and privacy as to vaccinations, positive COVID-19 test results, and mitigation measures such as masking, many Americans have referenced a federal statute under the acronym “HIPPA.”1 But that statute does not exist. It is not the correct acronym for the actual statute, and—more importantly—it generally does not provide the protections claimed by those who invoke it. This misunderstanding of federal law’s very limited scope leads to some easy dunks from the other side. When Representative Marjorie Taylor Greene asserted that Americans’ vaccination records were private under “HIPPA”2 and later claimed that questions about her personal vaccination decision were in fact violations of the law,3 her erroneous asseverations drew justifiable derision.4

The real statute at issue—the 1996 Health Insurance Portability and Accountability Act5—is in fact easy to misunderstand.6 Although centered on the concept of privacy, the sole “P” in HIPAA stands for “Portability,” highlighting the statute’s purpose to facilitate the electronic transfer of data between health care entities. HIPAA is in fact the type of law that should be unfamiliar to most people: it only applies to a narrow subset of regulated entities, and it is enforced against those entities by an obscure subdivision of a federal agency. But HIPAA has found new prominence in the national debate about our personal health decisions and the confidentiality and autonomy accorded to them. In the midst of a deadly outbreak, “HIPPA” serves as a linguistic anchor—a flawed metonym for personal rights against forced decisions and community sanctions. When people reference “HIPPA” to keep their health information confidential, it may engender a smug chuckle. But it should also occasion reflection on the state of our personal health privacy, and the law that protects it.

Our federal privacy apparatus has something of an ad hoc, ramshackle quality to it.7 Originally created to protect consumers against antitrust violations and fraud, the Federal Trade Commission (FTC) has become our foremost national protector of consumer data privacy.8 The agency has assumed an important role in our privacy ecosystem, but its notable actions have largely been waged against tech behemoths, seeking to enforce privacy policies and security measures.9 The FTC’s role in social media and e-commerce regulation is growing, but it focuses on data extraction and use practices that lurk in the shadows, designed to be hidden from the user.10 A wide variety of other federal statutes cover only slivers of privacy, including such matters as video tape rentals or polygraph tests.11 Beyond that, states protect privacy through their statutes and common law, but again these protections are siloed, specific, and limited in scope.12 There is little overall sense of where to turn for redress for many instances of privacy invasions.13

When it comes to health privacy, however, HIPAA stands out in the American mind. Passed just as the internet was becoming a presence in many people’s lives, HIPAA sought to enable the transfer of health records from written files to electronic data.14 The free flow of personal health information was seen as a great boon to medical care, as a multitude of providers would have much easier access to a patient’s health history.15 But Congress recognized that protection of personal privacy was critical for the system to work. The Act tasked the U.S. Department of Health and Human Services (HHS) to develop protocols protecting the confidentiality of personal health information.16 Over time HHS developed the Privacy Rule, the Security Rule, the Breach Notification Rule, and an Omnibus Rule pursuant to this purpose.17

HIPAA and its associated administrative rules do provide protection for the privacy of personal health information. A covered entity needs individual consent in order to disclose personal health information, and that consent is generally provided through a signed and written document.18 Most Americans are likely familiar with HIPAA because of these forms required before examinations and procedures. Even though HIPAA supplies critical privacy infrastructure within the health care system, however, it is far from a comprehensive scheme of health privacy. HIPAA only covers health plans, health care providers, and health care clearinghouses, as well as “business associates” of these entities.19 Non-health-related businesses are not covered.20 Employers are not covered unless they directly provide health care or self-administered health insurance coverage.21 In addition, consent is not required for “TPO” uses: treatment, payment, or health care operations.22 When it comes to an individual’s health care information, HIPAA restricts only a small subset of health care industry disclosures.

HIPAA is also not really an option for people looking to vindicate their rights personally. Individuals cannot bring private actions under HIPAA. The regulations are enforced by the Office of Civil Rights within HHS, as well as state attorneys general.23 Commentators have argued that the agency’s enforcement of HIPAA has been “lax and inconsistent,” failing to protect patient privacy.24 Some states have permitted plaintiffs to proceed under common-law negligence for HIPAA violations,25 but the practice is not universal.26

Given the obscurity of HIPAA’s workings for the average person, it is thus especially surprising to see it invoked so frequently as a shield against prying into personal health matters. HIPAA is generally invoked to shield the person from any obligation to disclose medical information. As mentioned above, perhaps the most infamous example is Representative Marjorie Taylor Greene, who invoked HIPAA on several occasions to claim that she or others had the right not to answer questions about their vaccination status.27 In fact, Representative Greene claimed it was a violation of HIPAA for reporters to even ask about her vaccination status.28 As a sitting member of Congress, Representative Greene should know better. But she is not alone. As vaccination status became a hot political, cultural, and public health topic, numerous public figures invoked HIPAA as justification for not disclosing whether they had been vaccinated.29 Social media was rife with posts to this effect.30 Vaccine-related “HIPPA” claims may be the most prominent examples of HIPAA misuse, but they are not the first. Earlier in the pandemic, some consumers presented cards that said they did not need to wear masks inside of stores because of HIPAA.31

These improper understandings of the nature of HIPAA’s protections have generated their own backlash. Numerous commentators have pointed out the misguided nature of Greene’s attempt to fend off questioners with HIPAA.32 Mainstream media efforts to educate the public have laid out the basics of HIPAA and how it works.33 But the popular misconceptions remain. And the “HIPPA” acronym lives on as well, as a quick search for “#HIPPA” on Twitter will reveal.34 Some quipsters have adopted the acronym sarcastically or ironically to denote failed efforts to deploy the statute’s protections. But it is not just the average person who gets the acronym wrong; the “HIPPA” acronym has been cited in over 2,000 cases35 and used over 800 times in Westlaw’s database for law reviews and journals.36

If one does understand the basics of HIPAA—that it only applies to covered entities and their business associates, that it limits their ability to disclose and not the patient’s, that it cannot be privately enforced—then it is easy and even fun to deride those who do not get it. This is especially so in a polarized political climate, when those misusing the term are usually backing a political agenda that is hostile to pandemic suppression efforts. But it is worth pondering for a moment why so many are wielding HIPAA like a shield, grabbing at the only law that seems remotely applicable to their situation. They want HIPAA to protect their health information and decision making—they want the statute to intercede on their behalf against nosy and intrusive outsiders. HIPAA does not do that. But then why do so many believe to the contrary?

The idea of “HIPPA” reflects a misunderstanding, an intuition, a desire that the law protects personal health information from exposure. The Act “has entered popular culture as a synonym for all things related to healthcare ‘privacy.’”37 It has become, in a sense, a “shorthand for privacy” in the context of personal health information.38 Because it is a federal law that most people encounter on visits to their local physicians, HIPAA is the logical placeholder for all presumed protections for one’s health privacy.39

And it does not seem so far-fetched that one’s personal health history would in fact be shielded under the law. HIPAA prevents doctors, nurses, and other care professionals from blabbing about our health care information without our consent.40 Another federal statute—the Americans with Disabilities Act (ADA)—forbids medical examinations as part of a job application process.41 Our genetic information is protected by the Genetic Information Nondiscrimination Act (GINA); not only are employers prohibited from using genetic information to make employment decisions, they also cannot inquire about information that might relate to genetics, including family medical history.42 State law is a source of protections as well. In many jurisdictions, state common law provides two torts to vindicate privacy rights more generally: intrusion upon seclusion and public disclosure of private fact. Both torts have been found to protect individuals’ personal health information.43

Despite this array of protections, Americans still feel vulnerable about their health privacy. The invocations of “HIPPA” reflect an expectation that an individual’s decisions about their personal health should remain private and out-of-bounds for the public discourse. That expectation is largely reflected in reality, as most health decisions remain private to the extent that people want them to remain so. But during a pandemic, when one person’s personal health choices affect everyone else, information about those choices suddenly becomes relevant to others.

Even established privacy rights give way under extreme circumstances, and the COVID-19 crisis would certainly appear to qualify. In the European Union, where the General Data Protection Regulation (GDPR) provides much more robust and comprehensive privacy protections, personal privacy has had to yield to concerns about public safety and health.44 The GDPR itself expressly allows for data processing when “necessary in order to protect the vital interests of the data subject or of another natural person” or “necessary for the performance of a task carried out in the public interest.”45 The processing of health data is specially protected under the GDPR, but it allows such processing when “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.”46 Countries within the European Union have had varied responses to the issues of vaccine mandates, vaccine status disclosure, and the recording of health data such as temperatures and illness, illustrating the complexity of these issues.47

The desire to shield one’s vaccination status or other health data from others, in the midst of a national health crisis, reflects the state of rights discourse in our polity. By asserting that federal law shields their information even from questioning, those who claim “HIPPA” protection are erecting a rights infrastructure around their personal choices. This move is a powerful example of the rights fetishization or “rightsism” discussed in Jamal Greene’s How Rights Went Wrong.48 As Greene describes in his book, rights discourse tends towards absolutes. Rights are deemed to allow complete discretion to the rights holder, leading to conflict:

When recognizing our neighbor’s rights necessarily extinguishes our own, a survival instinct kicks in. Our opponent in the rights conflict becomes not simply a fellow citizen who disagrees with us, but an enemy out to destroy us. Law becomes reducible to winners and losers, to which side you are on, which tribe you affiliate with. With stakes this high, polarization should not just be expected but is indeed the only sensible response.49

As Greene describes, this rights-based discourse serves us poorly in a pandemic. It serves to glorify an individualistic approach to problems that must be attacked on a societal level. In discussing the vaccine rollout, Greene described our tendency to take “an excessively legalistic approach that flattens conflicts over rights into a false binary: A right gives license to rights-holders; lack of a right leaves people at the mercy of the state.”50 As Greene foresaw, “this binary does not help resolve the kind of dilemmas that will confront Americans more and more as the vaccination rollout continues.”51

Those who do not want to get vaccinated believe that “HIPPA” will give them a federal right to assert their autonomy to decide. They object to the mandate of an employer, a restaurant, or a government organization over their personal health decisions. With regard to vaccinations, some have echoed the rights rhetoric of the pro-choice movement—“my body, my choice.”52 Similar claims were made with respect to masks.53 These assertions may have come from a genuine belief in an individual right to make personal health choices. But these assertions also reflect an ignorance or an active disdain for the needs and interests of others in the community, especially those who are particularly vulnerable to the novel coronavirus.

Sincere personal beliefs about health choices must give way when it comes to life-and-death public health measures in the midst of a pandemic. Indeed, many of the actual requirements imposed by HIPAA were officially put on ice by the declaration of a public health emergency.54 But the cutting ripostes to those who erroneously claim protection under HIPAA also reflect the dangers of our rights discourse. Vaccination proponents—generally those on the left side of the political spectrum—have almost gleefully noted the limitations of HIPAA and its complete absence of protections against inquiries or employer mandates.55 When workers have been terminated for failure to get a vaccine, their numbers have been minimized as only a small percentage of the overall workforce.56 Thousands of workers have been fired.57 The irony is that the trammeling of anti-vaxxers’ choices is possible because of the at-will rule, which enables an employer’s right to fire employees for any reason, or no reason at all.58 The at-will rule has historically been critiqued by progressives as giving too much power to management to exercise power over workers.59

One’s rights under “HIPPA” are a mirage—an imagined set of legal protections that do not exist. But the perception that they do exist—that they are so intuitive they must exist—illustrates more than the confusing complexities of the actual federal statute. “HIPPA” reflects our common expectations in the privacy of our personal health. Only something as serious as a pandemic can upset our expectations so significantly and justifiably. Rather than simply viewing our rights as an on-or-off proposition, our political discourse must recognize the need to mediate, to conciliate, and to balance competing claims and interests. This work will be messy, but necessarily so.


* Callis Family Professor, Saint Louis University School of Law.