HIPPA

During the course of the pandemic, when looking to protect their personal autonomy and privacy as to vaccinations, positive COVID-19 test results, and mitigation measures such as masking, many Americans have referenced a federal statute under the acronym “HIPPA.”1Sara Morrison, HIPAA, the Health Privacy Law That’s More Limited Than You Think, Explained, Recode (July 30, 2021, 8:41 AM), https://www.vox.com/‌recode/‌22363011/‌hipaa-not-hippa-explained-health-privacy (last visited Mar. 15, 2022). But that statute does not exist. It is not the correct acronym for the actual statute, and—more importantly—it generally does not provide the protections claimed by those who invoke it. This misunderstanding of federal law’s very limited scope leads to some easy dunks from the other side. When Representative Marjorie Taylor Greene asserted that Americans’ vaccination records were private under “HIPPA”2Marjorie Taylor Greene (@mtgreenee), Twitter (May 19, 2021), https://twitter.com/‌mtgreenee/‌status/‌1395023563049127946 [https://perma.cc/‌2QP8-VTMG] (“Vax records, along with ALL medical records are private due to HIPPA rights.”). Representative Greene’s Twitter account has since been deleted, but a reference to the tweet can be found at Victoria Bekiempis, Trainers, Doctors, Therapists: Is It OK to Ask Professionals if They’re Vaccinated?, Guardian (Aug. 9, 2021, 6:00 AM), https://www.theguardian.com/‌world/‌2021/‌aug/‌09/‌vaccination-status-covid-question [https://perma.cc/‌AF84-89DR]. and later claimed that questions about her personal vaccination decision were in fact violations of the law,3Philip Bump, That’s Not How Any of This Works, Marjorie Taylor Greene, Wash. Post (July 21, 2021, 11:42 AM), https://www.washingtonpost.com/‌politics/‌2021/‌07/‌21/thats-not-how-any-this-works-marjorie-taylor-greene [https://perma.cc/‌35Z5-TJLQ]. her erroneous asservations drew justifiable derision.4Josephine Harvey, Rep. Marjorie Taylor Greene’s ‘HIPAA Rights’ Excuse Brutally Mocked on ‘Late Night,’ Huffington Post (July 23, 2021, 05:09 AM), https://www.huffpost.com/‌entry/‌seth-meyers-marjorie-taylor-greene-hipaa-rights_‌n_‌60fa50f4e4b0e92dfec1a0ad (last visited Mar. 15, 2022).

The real statute at issue—the 1996 Health Insurance Portability and Accountability Act5Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).—is in fact easy to misunderstand.6William McGeveran, Privacy and Data Protection Law 764 (2016) (describing HIPAA regulations as “a veritable spaghetti of intertwining cross-references and definitions”); Frank Qin, Comment, The Debilitating Scope of Care Coordination Under HIPAA, 98 N.C. L. Rev. 1395, 1405 (2020) (noting that “HIPAA regulations . . . are numerous and complex in nature, making it hard for covered entities to ensure they comply”). Although centered on the concept of privacy, the sole “P” in HIPAA stands for “Portability,” highlighting the statute’s purpose to facilitate the electronic transfer of data between health care entities. HIPAA is in fact the type of law that should be unfamiliar to most people: it only applies to a narrow subset of regulated entities, and it is enforced against those entities by an obscure subdivision of a federal agency. But HIPAA has found new prominence in the national debate about our personal health decisions and the confidentiality and autonomy accorded to them. In the midst of a deadly outbreak, “HIPPA” serves as a linguistic anchor—a flawed metonym for personal rights against forced decisions and community sanctions. When people reference “HIPPA” to keep their health information confidential, it may engender a smug chuckle. But it should also occasion reflection on the state of our personal health privacy, and the law that protects it.

Our federal privacy apparatus has something of an ad hoc, ramshackle quality to it.7Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 587 (2014) (“Privacy law in the United States has developed in a fragmented fashion and is currently a hodgepodge of various constitutional protections, federal and state statutes, torts, regulatory rules, and treaties.”). Originally created to protect consumers against antitrust violations and fraud, the Federal Trade Commission (FTC) has become our foremost national protector of consumer data privacy.8Id. at 598–600. The agency has assumed an important role in our privacy ecosystem, but its notable actions have largely been waged against tech behemoths, seeking to enforce privacy policies and security measures.9See, e.g., Stipulated Order for Civil Penalty, Monetary Judgment & Injunctive Relief, United States v. Facebook, Inc., No. 19-CV-2184 (D.D.C. July 24, 2019), https://www.ftc.gov/‌system/‌files/‌documents/cases/‌182_‌3109_‌facebook_‌order_‌filed_‌7-24-19.pdf [https://perma.cc/‌DNU9-JPGZ] (providing for a fine of $5 billion for violations of prior FTC order and the FTC Act). The FTC’s role in social media and e-commerce regulation is growing, but it focuses on data extraction and use practices that lurk in the shadows, designed to be hidden from the user.10For an in-depth exploration of these practices, see Shoshana Zuboff, The Age of Surveillance Capitalism 128–75 (2019). A wide variety of other federal statutes cover only slivers of privacy, including such matters as video tape rentals or polygraph tests.11Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (codified as amended at 18 U.S.C. § 2710); Employee Polygraph Protection Act of 1988, 29 U.S.C. §§ 2001–2009. Beyond that, states protect privacy through their statutes and common law, but again these protections are siloed, specific, and limited in scope.12       See McGeveran, supra note 6, at 165 (noting that privacy protections outside of the consumer context “tend to cover only certain practices, or to protect only certain types of data”). There is little overall sense of where to turn for redress for many instances of privacy invasions.13     See Ari Ezra Waldman, Designing Without Privacy, 55 Hous. L. Rev. 659, 663 (2018) (noting weak U.S. privacy norms due to “ambiguous privacy theory, lax U.S. legal approaches to privacy, siloed organizational structure, and isolated and homogeneous design teams”).

When it comes to health privacy, however, HIPAA stands out in the American mind. Passed just as the internet was becoming a presence in many people’s lives, HIPAA sought to enable the transfer of health records from written files to electronic data.14Nicolas P. Terry, To HIPAA, a Son: Assessing the Technical, Conceptual, and Legal Frameworks for Patient Safety Information, 12 Widener L. Rev. 133, 134–35 (2005) (discussing “HIPAA’s mandate to introduce transactional standards for healthcare electronic exchanges”). The free flow of personal health information was seen as a great boon to medical care, as a multitude of providers would have much easier access to a patient’s health history.15Stacey A. Tovino, A Timely Right to Privacy, 104 Iowa L. Rev. 1361, 1367 (2019). But Congress recognized that protection of personal privacy was critical for the system to work. The Act tasked the U.S. Department of Health and Human Services (HHS) to develop protocols protecting the confidentiality of personal health information.16Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, § 264(c)(1), 110 Stat. 1936, 2033. Over time HHS developed the Privacy Rule, the Security Rule, the Breach Notification Rule, and an Omnibus Rule pursuant to this purpose.17See Cecilia Thai, Note, Gilded, but Not Gold: How an Obsolete HIPAA Is Unable to Fight Medical Software Breaches, 20 J. High Tech. L. 373, 385 (2020); Stacey A. Tovino, Assumed Compliance, 72 Ala. L. Rev. 279, 282 (2020).

HIPAA and its associated administrative rules do provide protection for the privacy of personal health information. A covered entity needs individual consent in order to disclose personal health information, and that consent is generally provided through a signed and written document.1845 C.F.R. § 164.508 (2022). Most Americans are likely familiar with HIPAA because of these forms required before examinations and procedures. Even though HIPAA supplies critical privacy infrastructure within the health care system, however, it is far from a comprehensive scheme of health privacy. HIPAA only covers health plans, health care providers, and health care clearinghouses, as well as “business associates” of these entities.19Id. § 160.103 (defining “covered entity” as a “health plan,” a “health care clearinghouse,” or a “health care provider”); id. (defining “business associate”); id. §§ 164.500(a)–(c) (applying the Privacy Rule to covered entities and business associates). Non-health-related businesses are not covered.20Id. § 160.103. Employers are not covered unless they directly provide health care or self-administered health insurance coverage.21See id. §§ 164.103, 164.105; Sharona Hoffman, Employing E-Health: The Impact of Electronic Health Records on the Workplace, 19 Kan. J.L. & Pub. Pol’y 409, 419 (2010) (“Employers who are self-insured can receive medical information from providers for payment purposes without their employees’ authorization. Such employers are considered ‘hybrid’ entities whose business activities include both covered (insurance) and non-covered (employment) functions.”). Covered entities need not comply with HIPAA as to their own employment records. See 45 C.F.R. § 160.103. In addition, covered entities may provide employee health information to employers in order “[t]o evaluate whether the individual has a work-related illness or injury.” Id. § 164.512(b)(v)(A)(2); see also id. § 164.504(f)(1) (as a condition of providing the information, the covered entity must require the employer to protect the information and not use it for employment-related actions). In addition, consent is not required for “TPO” uses: treatment, payment, or health care operations.22Tovino, supra note 17, at 288. When it comes to an individual’s health care information, HIPAA restricts only a small subset of health care industry disclosures.

HIPAA is also not really an option for people looking to vindicate their rights personally. Individuals cannot bring private actions under HIPAA. The regulations are enforced by the Office of Civil Rights within HHS, as well as state attorneys general.23Tovino, supra note 15, at 1381; U.S. Health & Hum Servs., How OCR Enforces the HIPAA Privacy & Security Rules, https://www.hhs.gov/‌hipaa/‌for-professionals/‌compliance-enforcement/‌examples/‌how-ocr-enforces-the-hipaa-privacy-and-security-rules/‌index.html [https://perma.cc/‌9BWX-3ZKS]. Commentators have argued that the agency’s enforcement of HIPAA has been “lax and inconsistent,” failing to protect patient privacy.24Morgan Leigh Tendam, Note, The HIPAA-Pota-Mess: How HIPAA’s Weak Enforcement Standards Have Led States to Create Confusing Medical Privacy Remedies, 79 Ohio St. L.J. 411, 419 (2018); see also McGeveran, supra note 6, at 767 (“Critics object that HHS lacks the resources to properly enforce the Privacy Rule and that its enforcement actions are too often ‘slaps on the wrist.’”). Some states have permitted plaintiffs to proceed under common-law negligence for HIPAA violations,25See, e.g., Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32 (Conn. 2014); R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012); Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006). but the practice is not universal.26Sheldon v. Kettering Health Network, 40 N.E.3d 661, 675–76 (Ohio Ct. App. 2015).

Given the obscurity of HIPAA’s workings for the average person, it is thus especially surprising to see it invoked so frequently as a shield against prying into personal health matters. HIPAA is generally invoked to shield the person from any obligation to disclose medical information. As mentioned above, perhaps the most infamous example is Representative Marjorie Taylor Greene, who invoked HIPAA on several occasions to claim that she or others had the right not to answer questions about their vaccination status.27Bump, supra note 3. In fact, Representative Greene claimed it was a violation of HIPAA for reporters to even ask about her vaccination status.28Id. (noting that Greene told a reporter, “Your first question is a violation of my HIPAA rights. You see with HIPAA rights we don’t have to reveal our medical records, and that also involves our vaccine records.”). As a sitting member of Congress, Representative Greene should know better. But she is not alone. As vaccination status became a hot political, cultural, and public health topic, numerous public figures invoked HIPAA as justification for not disclosing whether they had been vaccinated.29See, e.g., Jelani Scott, Dak Prescott Declines to Divulge Vaccination Status: ‘I Don’t Necessarily Think That’s Exactly Important,’ NFL (July 24, 2021, 6:43 PM), https://www.nfl.com/‌news/‌dak-prescott-declines-to-divulge-vaccination-status-i-don-t-necessarily-think-th [https://perma.cc/‌2PRR-Y4D2] (noting that after being asked by a reporter of his vaccination status, Dallas Cowboys quarterback Dak Prescott said “I don’t necessarily think that’s exactly important. I think that’s HIPAA[.]”); A.J. Gonzalez, NBA Fans Are Dunking on Kyle Kuzma on Social Media Over Vaccination Tweet, Fan Nation (Sept. 27, 2021), https://www.si.com/‌nba/‌lakers/‌news/‌nba-fans-are-dunking-on-kyle-kuzma-on-social-media-over-vaccination-tweet [https://perma.cc/‌3DN6-UAB5] (“It appears Kuzma referenced HIPAA thinking it exempted him from answering questions about his vaccine status.”); Raahib Singh, “Dwight Howard, That Is Not What HIPAA Is!”: Reporter Schools the Lakers’ Veteran Who Tried to Dodge the Question on His Vaccination Status Citing the HIPAA Law, Sports Rush (Sept. 29, 2021), https://thesportsrush.com/‌nba-news-dwight-howard-that-is-not-what-hipaa-is-reporter-schools-the-lakers-veteran-who-tried-to-dodge-the-question-on-his-vaccination-status-citing-the-hipaa-law [https://perma.cc/‌AQ6R-LH89].. Social media was rife with posts to this effect.30Anne Geggis, COVID-19 Vaccination Status Inquiry Draws Florida Pols’ Ire, Fla. Pol. (Aug. 4, 2021), https://floridapolitics.com/‌archives/‌-covid-19-vaccination-status-inquiry-draws-politicians-ire [https://perma.cc/‌U2GW-RC97] (noting that “many of those who responded to [Florida state Congressman Blaise] Ingoglia’s tweet appear to think that an inquiry about one’s vaccination status is a HIPAA violation, but it’s not”). Vaccine-related “HIPPA” claims may be the most prominent examples of HIPAA misuse, but they are not the first. Earlier in the pandemic, some consumers presented cards that said they did not need to wear masks inside of stores because of HIPAA.31Robert H. Shmerling, Does HIPAA Prohibit Questions About Vaccination?, Harv. Health Publ’g Blog (Aug. 19, 2021), https://www.health.harvard.edu/‌blog/‌does-hipaa-prohibit-questions-about-vaccination-202108192575 [https://perma.cc/‌PP8X-64ZC] (“Throughout the pandemic, fake mask exemption cards have been available online. These cards are intended to allow the owner to forego wearing a mask for medical reasons. Some fake cards state that because of HIPAA, the card’s owner is not required to answer any questions about their medical condition.”).

These improper understandings of the nature of HIPAA’s protections have generated their own backlash. Numerous commentators have pointed out the misguided nature of Greene’s attempt to fend off questioners with HIPAA.32See, e.g., Bump, supra note 3; Allyson Chiu, Explaining HIPAA: No, It Doesn’t Ban Questions About Your Vaccination Status, Wash. Post (May 22, 2021, 8:00 AM), https://www.washingtonpost.com/‌lifestyle/‌wellness/‌hipaa-vaccine-covid-privacy-violation/‌2021/‌05/‌22/‌f5f145ec-b9ad-11eb-a6b1-81296da0339b_‌story.html [https://perma.cc/‌2UN9-QFF7]; Erin Schumaker, What Is a HIPAA Violation?, ABC News (Aug. 5, 2021, 6:00 AM), https://abcnews.go.com/‌Health/‌hipaa-violation/‌story?‌id=79114788 [https://perma.cc/‌J5HD-VH5Y]. Mainstream media efforts to educate the public have laid out the basics of HIPAA and how it works.33See, e.g., Morrison, supra note 1; Shmerling, supra note 31; Devon Link, Fact Check: Businesses Can Legally Ask if Patrons Have Been Vaccinated. HIPAA Does Not Apply., USA Today (May 19, 2021, 9:00 PM), https://www.usatoday.com/‌story/‌news/‌factcheck/‌2021/‌05/‌19/‌fact-check-asking-vaccinations-doesnt-violate-hipaa/‌5165952001 [https://perma.cc/‌UWP3-MSJA]. But the popular misconceptions remain. And the “HIPPA” acronym lives on as well, as a quick search for “#HIPPA” on Twitter will reveal.34The account Bad HIPPA Takes collects many of these. Bad HIPPA Takes (@BadHippa), Twitter, https://twitter.com/‌BadHippa [https://perma.cc/‌P9ZY-F9XM]. Some quipsters have adopted the acronym sarcastically or ironically to denote failed efforts to deploy the statute’s protections. But it is not just the average person who gets the acronym wrong; the “HIPPA” acronym has been cited in over 2,000 cases35Westlaw search conducted on October 29, 2021, on the “Federal and State Cases” database (CASES) and using the search “adv: HIPPA” (2,187 results). and used over 800 times in Westlaw’s database for law reviews and journals.36Westlaw search conducted on October 29, 2021, on the “Law Reviews & Journals” database (JLR) and using the search “adv: HIPPA” (808 results).

If one does understand the basics of HIPAA—that it only applies to covered entities and their business associates, that it limits their ability to disclose and not the patient’s, that it cannot be privately enforced—then it is easy and even fun to deride those who do not get it. This is especially so in a polarized political climate, when those misusing the term are usually backing a political agenda that is hostile to pandemic suppression efforts. But it is worth pondering for a moment why so many are wielding HIPAA like a shield, grabbing at the only law that seems remotely applicable to their situation. They want HIPAA to protect their health information and decision making—they want the statute to intercede on their behalf against nosy and intrusive outsiders. HIPAA does not do that. But then why do so many believe to the contrary?

The idea of “HIPPA” reflects a misunderstanding, an intuition, a desire that the law protects personal health information from exposure. The Act “has entered popular culture as a synonym for all things related to healthcare ‘privacy.’”37Common Misconceptions About HIPAA Can Threaten Patient Safety, Quality of Care, Relias Media (Sept. 1, 2020), https://www.reliasmedia.com/‌articles/‌146740-common-misconceptions-about-hipaa-can-threaten-patient-safety-quality-of-care [https://perma.cc/‌WX88-FU3E] (quoting Bob Dupuis, “vice president of enterprise architecture and security at Arcadia, a population health management services company in Boston”). It has become, in a sense, a “shorthand for privacy” in the context of personal health information.38Chiu, supra note 32 (quoting Joshua Sharfstein, “a public health expert at Johns Hopkins Bloomberg School of Public Health”). Because it is a federal law that most people encounter on visits to their local physicians, HIPAA is the logical placeholder for all presumed protections for one’s health privacy.39Id. (“People think it does a lot more than it’s actually doing.” (quoting Glenn Cohen, Harvard Law School professor)).

And it does not seem so far-fetched that one’s personal health history would in fact be shielded under the law. HIPAA prevents doctors, nurses, and other care professionals from blabbing about our health care information without our consent.40HIPAA Privacy Rule, 45 C.F.R. §§ 164.500–164.534 (2022). Another federal statute—the Americans with Disabilities Act (ADA)—forbids medical examinations as part of a job application process.4142 U.S.C. § 12112(d); see Matthew T. Bodie & Michael McMahon, Employee Testing, Tracing, and Disclosure as a Response to the Coronavirus Pandemic, 64 Wash. U. J.L. & Pol’y 31, 37–38 (2021) (discussing the EEOC’s allowance for COVID testing during the pandemic). Our genetic information is protected by the Genetic Information Nondiscrimination Act (GINA); not only are employers prohibited from using genetic information to make employment decisions, they also cannot inquire about information that might relate to genetics, including family medical history.4242 U.S.C. § 2000ff(4)(A); see also Bradley A. Areheart & Jessica L. Roberts, GINA, Big Data, and the Future of Employee Privacy, 128 Yale L.J. 710, 716–17 (2019). State law is a source of protections as well. In many jurisdictions, state common law provides two torts to vindicate privacy rights more generally: intrusion upon seclusion and public disclosure of private fact. Both torts have been found to protect individuals’ personal health information.43See, e.g., Doe v. High-Tech Inst., Inc., 972 P.2d 1060, 1071 (Colo. App. 1998) (concluding that an “unauthorized request to test plaintiff’s blood sample for HIV . . . is sufficient to state a claim for relief based on invasion of privacy by intrusion upon seclusion”); Miller v. Motorola, Inc., 560 N.E.2d 900 (Ill. App. Ct. 1990) (allowing case for tort of public disclosure of private fact to go forward when an employer disclosed employee’s mastectomy to other employees); Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488 (Mo. Ct. App. 1990) (allowing public disclosure case to go forward with respect to celebration for couples who had undergone in vitro fertilization).

Despite this array of protections, Americans still feel vulnerable about their health privacy. The invocations of “HIPPA” reflect an expectation that an individual’s decisions about their personal health should remain private and out-of-bounds for the public discourse. That expectation is largely reflected in reality, as most health decisions remain private to the extent that people want them to remain so. But during a pandemic, when one person’s personal health choices affect everyone else, information about those choices suddenly becomes relevant to others.

Even established privacy rights give way under extreme circumstances, and the COVID-19 crisis would certainly appear to qualify. In the European Union, where the General Data Protection Regulation (GDPR) provides much more robust and comprehensive privacy protections, personal privacy has had to yield to concerns about public safety and health.44Dan Cooper, Helena Milner-Smith, Vicky Ling & Anna Oberschelp de Meneses, COVID-19: Processing of Vaccination Data by Employers in Europe, Inside Priv. (July 19, 2021), https://www.insideprivacy.com/‌covid-19/‌covid-19-processing-of-vaccination-data-by-employers [https://perma.cc/‌YH5Q-4N34]. The GDPR itself expressly allows for data processing when “necessary in order to protect the vital interests of the data subject or of another natural person” or “necessary for the performance of a task carried out in the public interest.”45Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 6(1)(d)–(e), 2016 O.J. (L 119) 36. The processing of health data is specially protected under the GDPR, but it allows such processing when “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.”46Id. art. 9(2)(i), at 38. Countries within the European Union have had varied responses to the issues of vaccine mandates, vaccine status disclosure, and the recording of health data such as temperatures and illness, illustrating the complexity of these issues.47See Cooper et al., supra note 44. Policies continue to evolve. In summer 2021, France  started requiring a health pass, or passe sanitaire, with proof  of vaccination or a negative test for those aged twelve and older to enter public spaces such as bars, libraries, and hospitals. Jeremy K. Ward, Fatima Gauna, Amandine Gagneux-Brunon, Elisabeth Botelho-Nevers, Jean-Luc Cracowski, Charles Khouri, Odile Launay, Pierre Verger & Patrick Peretti-Watel, The French Health Pass Holds Lessons for Mandatory COVID-19 Vaccination, 28 Nature Med. 232 (2022), https://www.nature.com/‌articles/‌s41591-021-01661-7 [https://perma.cc/‌U4SY-KFVT]. In October 2021, Italy adopted a mandatory “Green Pass” for all on-site workers, requiring either vaccination or a negative test within the past seventy-two hours. Katie Nadworny, Italy Implements Mandatory Green Pass for Workers, SHRM (Oct. 12, 2021), https://www.shrm.org/‌resourcesandtools/‌hr-topics/‌global-hr/‌pages/‌coronavirus-italy-green-pass.aspx [https://perma.cc/‌YR8B-8HPN]. Germany changed its policies as of November 24, 2021, requiring that employees can enter “workplaces only if they show so-called 3G certification that they’re vaccinated against COVID-19, have tested negative or have recovered from the coronavirus.” Dinah Wisenberg Brin, Germany Imposes New Workplace Restrictions as Coronavirus Surges, SHRM (Dec. 9, 2021), https://www.shrm.org/‌resourcesandtools/‌hr-topics/global-hr/‌pages/‌coronavirus-germany-new-workplace-restrictions.aspx [https://perma.cc/‌QJA5-TWSM].

The desire to shield one’s vaccination status or other health data from others, in the midst of a national health crisis, reflects the state of rights discourse in our polity. By asserting that federal law shields their information even from questioning, those who claim “HIPPA” protection are erecting a rights infrastructure around their personal choices. This move is a powerful example of the rights fetishization or “rightsism” discussed in Jamal Greene’s How Rights Went Wrong.48Jamal Greene, How Rights Went Wrong: Why Our Obsession with Rights Is Tearing America Apart (Houghton Mifflin Harcourt 2021). As Greene describes in his book, rights discourse tends towards absolutes. Rights are deemed to allow complete discretion to the rights holder, leading to conflict:

When recognizing our neighbor’s rights necessarily extinguishes our own, a survival instinct kicks in. Our opponent in the rights conflict becomes not simply a fellow citizen who disagrees with us, but an enemy out to destroy us. Law becomes reducible to winners and losers, to which side you are on, which tribe you affiliate with. With stakes this high, polarization should not just be expected but is indeed the only sensible response.49Id. at xvii.

As Greene describes, this rights-based discourse serves us poorly in a pandemic. It serves to glorify an individualistic approach to problems that must be attacked on a societal level. In discussing the vaccine rollout, Greene described our tendency to take “an excessively legalistic approach that flattens conflicts over rights into a false binary: A right gives license to rights-holders; lack of a right leaves people at the mercy of the state.”50Jamal Greene, America’s Legalistic Culture Is About to Become a Problem, Atl. (Mar. 4, 2021), https://www.theatlantic.com/‌ideas/‌archive/‌2021/‌03/‌during-a-pandemic-rights-arent-just-for-individuals/618198 [https://perma.cc/‌5APN-4Z26]. As Greene foresaw, “this binary does not help resolve the kind of dilemmas that will confront Americans more and more as the vaccination rollout continues.”51Id.

Those who do not want to get vaccinated believe that “HIPPA” will give them a federal right to assert their autonomy to decide. They object to the mandate of an employer, a restaurant, or a government organization over their personal health decisions. With regard to vaccinations, some have echoed the rights rhetoric of the pro-choice movement—“my body, my choice.”52Tish Harrison Warren, The Limits of ‘My Body, My Choice,’ N.Y. Times (Sept. 26, 2021), https://www.nytimes.com/‌2021/‌09/‌26/‌opinion/‌choice-liberty-freedom.html [https://perma.cc/‌F962-3HJB]. Similar claims were made with respect to masks.53See Shmerling, supra note 31; see also Lois Shepherd, COVID-19 State Mask Mandates Can’t Be Avoided Using HIPAA or Constitutional ‘Exemptions,’ Think (Aug. 11, 2020, 4:31 AM), https://www.nbcnews.com/‌think/‌opinion/‌covid-19-state-mask-mandates-can-t-be-avoided-using-ncna1236342 [https://perma.cc/‌37AE-LVPE]. These assertions may have come from a genuine belief in an individual right to make personal health choices. But these assertions also reflect an ignorance or an active disdain for the needs and interests of others in the community, especially those who are particularly vulnerable to the novel coronavirus.

Sincere personal beliefs about health choices must give way when it comes to life-and-death public health measures in the midst of a pandemic. Indeed, many of the actual requirements imposed by HIPAA were officially put on ice by the declaration of a public health emergency.54See Stacey A. Tovino, COVID-19 and the HIPAA Privacy Rule: Asked and Answered, 50 Stetson L. Rev. 365, 365–67 (2021). But the cutting ripostes to those who erroneously claim protection under HIPAA also reflect the dangers of our rights discourse. Vaccination proponents—generally those on the left side of the political spectrum—have almost gleefully noted the limitations of HIPAA and its complete absence of protections against inquiries or employer mandates.55See, e.g., Bump, supra note 3 (“But to suggest that I’m violating some right by asking Greene herself [about her vaccination status] is like saying that there’s some law that prevents me from asking someone whether they color their hair. There is not.”). When workers have been terminated for failure to get a vaccine, their numbers have been minimized as only a small percentage of the overall workforce.56See, e.g., Beth Mole, Vaccine Holdouts Are Just 1.8% of NY’s Largest Health Provider—Now They’re Fired, Ars Technica (Oct. 5, 2021, 1:59 PM), https://arstechnica.com/‌science/‌2021/‌10/‌1-8-of-staff-fired-from-nys-largest-health-care-provider-for-vaccine-refusal [https://perma.cc/‌R5HA-NZBU]. Thousands of workers have been fired.57Andrea Hsu, Thousands of Workers Are Opting to Get Fired, Rather than Take the Vaccine, NPR (Oct. 24, 2021, 7:00 AM), https://www.npr.org/‌2021/‌10/‌24/‌1047947268/‌covid-vaccine-workers-quitting-getting-fired-mandates [https://perma.cc/‌AR4H-AZRE]. The irony is that the trammeling of anti-vaxxers’ choices is possible because of the at-will rule, which enables an employer’s right to fire employees for any reason, or no reason at all.58Employment in the United States is generally presumed to be at will unless otherwise agreed. See, e.g., Fitzgerald v. Salsbury Chem., Inc., 613 N.W.2d 275, 280 (Iowa 2000) (describing the employment-at-will rule). The at-will rule has historically been critiqued by progressives as giving too much power to management to exercise power over workers.59See Richard A. Epstein, In Defense of the Contract at Will, 51 U. Chi. L. Rev. 947, 949 (1984) (“The contract at will is thus thought to be particularly unwise because it invites the exercise of arbitrary power by persons with a dominant economic position against individuals whose mobility is said to be limited by the structure of labor markets.”); Joseph E. Slater, The “American Rule” That Swallows the Exceptions, 11 Emp. Rts. & Emp. Pol’y J. 53, 55 (2007) (“[T]he at-will rule is inherently destructive of rights widely viewed as fundamental, and this must be considered in debates about employment discrimination law, labor law, and the future of employment at will itself.”).

One’s rights under “HIPPA” are a mirage—an imagined set of legal protections that do not exist. But the perception that they do exist—that they are so intuitive they must exist—illustrates more than the confusing complexities of the actual federal statute. “HIPPA” reflects our common expectations in the privacy of our personal health. Only something as serious as a pandemic can upset our expectations so significantly and justifiably. Rather than simply viewing our rights as an on-or-off proposition, our political discourse must recognize the need to mediate, to conciliate, and to balance competing claims and interests. This work will be messy, but necessarily so.