HIPAA: what it is and isn't

So, the whole Somerville debacle and the e-mails I've received about it, as well as some recent discussions on a professional listserv, have prompted me to write a little blurb about what HIPAA is and isn't.

In the context of these various discussions, I've learned that many people, including a lot of health care professionals, seem to believe that HIPAA is:

a) a set of confidentiality guidelines that apply to all aspects of information about health care

b) something new that's only been around for a decade or so

c) something that can be maintained or violated by any person including health care providers, patients, city departments, bystanders, etc.

The only part of this that is accurate is b, in that HIPAA was enacted in 1996 (and its Privacy Rule, the part most people actually have in mind, did not take effect until 2003). The idea of protecting health information is hardly new, though: health care providers have had a duty of confidentiality for at least the last half century. Other entities such as schools and employers might not have an explicit code of ethics around health care confidentiality, but they will generally lose lawsuits if they make secondhand disclosures of people's medical information for no good reason. That is also nothing new, and it has nothing to do with HIPAA.

HIPAA only applies to "covered entities": health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions (claims, eligibility checks, and the like). This means that a good number of private providers who do not take insurance, and salaried providers who work outside of the insurance system (school nurses, etc.), are not covered by HIPAA at all. They are still bound by the confidentiality standards of their professional organization, licensing board, state law, and so on, but that is not the same thing as HIPAA.

Basically, a person can only be maintaining or violating HIPAA if they are someone who bills insurance electronically (or otherwise falls into one of the covered categories). And anyone who violates HIPAA is, by the same act, also violating confidentiality. In everyday speech and writing it therefore makes a lot more sense to talk about protecting or violating confidentiality rather than HIPAA, since you likely don't know whether a given provider is a covered entity (and, apparently, a lot more providers think they are covered entities than actually are).


ericjay said...

Sheesh, am I glad to see this. The term "HIPAA" really has become a catch-all for anything remotely related to patient/client privacy, and it's so often misused.

Mr Punch said...

As I understand it, all this is true insofar as health care providers are concerned. But the big expansion of confidentiality under HIPAA is that it covers employers who provide health insurance benefits -- i.e., millions of entities that previously weren't considered to be involved in health care at all, except as customers.