What Does HIPAA Actually Do?
HIPAA, the Health Insurance Portability and Accountability Act, is name-dropped a lot but frequently misunderstood. Many are surprised to find that the “P” stands for portability, not privacy.
Misunderstandings about what’s protected under the law go way deeper than its name. The law outlines protections only for health information shared between patients and health care providers. This means that any personal health data shared with someone who is not specifically mentioned in the law is not covered.
If a period tracking app shares personal health information with Facebook, that’s not a violation of HIPAA. Neither is asking for someone’s vaccination status.
Guest host Maddie Sofia talks with Tara Sklar, professor of health law and director of the Health Law & Policy Program at the University of Arizona, to explain what’s actually covered under HIPAA.
MADDIE SOFIA: This is Science Friday. I’m Maddie Sofia, in for Ira Flatow this week.
You’ve probably heard about HIPAA, the ubiquitous health privacy law. And if you’ve ever gone to the doctor, inside that stack of intake forms, there’s a HIPAA release. But do you know what that acronym stands for? The Health Insurance Portability and Accountability Act. The P stands for portability, not privacy. And misunderstandings about what’s protected under the law go way deeper than its name.
Asking for somebody’s vaccination status. Nope. Not in violation of HIPAA. Your period app tracking your personal health information and sharing it with Facebook. That’s not violating HIPAA either.
So what does HIPAA actually cover? Joining me now to explain that and more is my guest, Tara Sklar, professor of health law and director of the Health Law and Policy Program at the University of Arizona, based in Tucson, Arizona. Professor Sklar, welcome to Science Friday.
TARA SKLAR: Oh, thank you. Great to be with you.
MADDIE SOFIA: Let’s start at the start. What was the original focus of HIPAA when it was enacted 25 years ago?
TARA SKLAR: Right. That was quite a long time ago and related to what’s happening today. It was a response to technology. There was a big increased reliance on how computers were starting to become more mainstream and being used in health care transactions.
So with that, there was this growing concern among the public and Congress about how to help keep health information safe and secure, as well as an administrative simplification process with this new computer technology. So it was passed with bipartisan support from Senator Edward Kennedy, a Democrat, and Nancy Kassebaum, a Republican, and then signed into law by Bill Clinton to really address a number of different areas.
But those were the primary ones, where as technology was becoming much more used within these health care transactions, how to help people feel safe in sharing this information about their private health care diagnosis and treatments and payment of, along with really trying to reduce those building administrative costs as different states and agencies and health systems were all operating very differently in terms of providing health care.
MADDIE SOFIA: OK. So it’s logistical. It was about getting health care computers to be able to talk with each other.
TARA SKLAR: Yeah, in many ways. And that’s an interesting fact about HIPAA, is it really had a very limited scope, right? It was really meant to just help those health care transactions become more simplified by helping the people feel more protected. So it only applies in this very specific clinical health care setting.
But back then, the big technology advancement was computers. Now it’s exploded in all these different ways.
MADDIE SOFIA: Yeah. So what security and privacy protections does HIPAA provide for your health data?
TARA SKLAR: Well, it’s really what would be involved in your typical electronic medical record, so anything about your care, what your diagnosis might be, your treatment, operation, therapies. Importantly related to this is payment of such treatment. So you defined the acronym really clearly and said where the P is for portability, not privacy. And I’d just like to add that, that the I is for insurance, not information.
MADDIE SOFIA: Yeah, I think there might be this assumption out there that HIPAA protects all of your personal health data. But that’s not really the case, right? It’s actually based on who you are and who you are sharing your health information with. So who’s covered under HIPAA, and who’s not?
TARA SKLAR: Yeah, that’s such an important delineation. It absolutely only covers what you might think of in a clinical health care setting. So it would be your doctor, clinicians, anyone providing health care in a reimbursement setting where you have then your payers, your large health insurers.
And then there are other entities related to that. They’re called business associates that help manage those types of services. But it all specifically pertains to your diagnosis and treatment of care and payment of.
MADDIE SOFIA: OK. That’s interesting because I do notice that sometimes a health app, like a meditation app or something like that, says it’s HIPAA compliant. What does that mean? Can it actually be HIPAA compliant?
TARA SKLAR: Yeah, there’s HIPAA compliant, and there’s also HIPAA certified is another one that–
MADDIE SOFIA: Oh, sneaky. OK.
TARA SKLAR: –these mobile health apps or wellness apps that have become so prevalent, and for a real need. I use them too. I think they can be quite helpful in terms of what they provide.
But they can’t be HIPAA compliant because they’re not a covered entity. They can operate under a way in which they’re following the principles and guidelines of the federal law, which I think ultimately is a good thing. But it’s a misnomer to say that it’s HIPAA compliant or HIPAA certified when it’s not an actual covered entity.
And the other thing I want to relate to that is another acronym within the law that’s called PHI. And that stands for Protected Health Information. So in addition to the law only applying to these very specific covered entities, the protected health information has to come out of these covered entities. It’s not just from you or me uploading our data onto an Apple or Garmin wearable. It’s actually coming out of this clinical health care setting framework.
MADDIE SOFIA: So HIPAA does allow the sharing of anonymized health data outside of the doctor or hospital. Can you tell me a little bit more about that– what HIPAA requires in that circumstance?
TARA SKLAR: Sure. So basically, what HIPAA’s trying to prevent is identifiable information getting back to parties that aren’t part of this clinical health care framework. So that means if you can make this data anonymous, they’ve specifically stated these 18 identifiers.
So those would be things that could associate your health information with you– your name, your age, your birthdate, where you live, your email address, and now– and it has advanced here– your IP address, your biometric identifier, your voice or fingerprint, any characteristic that could be linked back to you. If those are all removed, if you remove all of those 18 identifiers, then it can be shared. HIPAA will no longer apply because it can’t reasonably be traced back to you is the thinking.
MADDIE SOFIA: When you say, “is that the thinking,” is that the reality in function?
TARA SKLAR: Well, the broader discussion about these issues is how– HIPAA was passed in 1996, right? So how much law is lagging behind technology here? So there are very sophisticated reidentification algorithms that can be used. So you have to wonder, will this be able to keep up? These identifiers, is it enough where you can’t be, again, reasonably identified based off what’s being provided?
MADDIE SOFIA: In talking to you, the law does feel pretty straightforward in what it covers and does not cover. So Tara, why do you think it’s so often misunderstood? I mean, like you, I’ve heard people just randomly yelling HIPAA throughout the pandemic. Why is it so difficult to wrap our heads around?
TARA SKLAR: That’s true. They randomly yell it. And then they misquote the basic acronym.
MADDIE SOFIA: Right. It doesn’t bother you at all, I’m sure.
TARA SKLAR: Yeah. I think it gets to another point you raised earlier on, where we have a false belief that our health information is protected. I think there is this desire, that we want personal, sensitive information about our health to not be disclosed and in a way that might stigmatize us, potentially discriminate against us in employment or for insurance purposes.
Or it could be used for something we object to. So it’s important that we feel like this information is protected. But in reality, it increasingly is not.
So to get to your question, though, is why is it so commonly misunderstood? So yeah, I think it does reflect this preference that we don’t want this information widely shared in a way that could harm us.
It’s also so familiar now. It’s almost like a snowballing effect where we’re very, very familiar with going to the doctor, signing the HIPAA release. It’s something that we’ve done. It’s just part of our culture now. And so it’s a very accessible law. It’s probably one of the most familiar.
In fact, I’m a health law professor. And the first question I get asked about my field is usually about HIPAA because it’s in the public mindset. And I think people think it does more than it actually does. And that also shows just this absence that we have now of an active federal consumer privacy law that we can rely on.
MADDIE SOFIA: Right. Yeah. We’ve discussed HIPAA does not cover all forms of health data. What needs to better happen in your eyes to secure our health data? Do we need a new law that does more closely match this misconception of what HIPAA does? What needs to happen?
TARA SKLAR: This recognition is certainly happening. And there are some states that have acted where there hasn’t been very strong action at the federal level yet. So California had enacted the California Consumer Privacy Act. That went into effect in 2020. And now, two additional states have enacted their own state privacy laws, that being Virginia, the Virginia Consumer Data Protection Act, and also the Colorado.
So I think the more and more states begin to do this, it’s going to push us towards some kind of federal action because the last thing that everybody wants is a patchwork of state laws requiring different things. So I think in the meantime, given everything that’s happening in our nation and around the world, what we can do as informed public consumers is also critical to consider right now.
So now that we are getting a better understanding of what HIPAA does cover and what it doesn’t and how much health information is out there about us, what can we do to help protect ourselves and those around us? And so some basic things to consider, especially in light of what’s happening with reproductive rights in America, is if you do want to purchase a pregnancy test at a store, over the counter, to do so with cash.
If you are on a mobile app that’s a mental health app or something that you think could be potentially stigmatizing, just be aware of that information could be used and reused. And as we’re in this gap in terms of what’s happening at the state level, at the federal level with health information, just to be an informed public about what we’re uploading about ourselves and what could be used or reused in a way that we might find objectionable or want to minimize.
So that’s something that I think could push us toward a federal law, which I do think is the ultimate desirable effect in this area– an update. It wouldn’t be HIPAA. It would probably need to be a new act altogether, given how the wide range in which we are inputting our own data and our expectations over how that personal, not protected, personal health information can be used or reused.
And to also, on the other side of the coin, to begin to have a higher level of holding these different companies accountable that are collecting this data. And that’s something that these different state privacy laws are doing and should also be part of any new legislation.
MADDIE SOFIA: All right, that’s all the time we have. Thank you so much, Professor Sklar, for coming on the show.
TARA SKLAR: Oh, thank you. Pleasure to be with you.
MADDIE SOFIA: Tara Sklar is a professor of health law and director of the Health Law and Policy Program at the University of Arizona, based in Tucson, Arizona.
Shoshannah Buxbaum is a producer for Science Friday. She’s particularly drawn to stories about health, psychology, and the environment. She’s a proud New Jersey native and will happily share her opinions on why the state is deserving of a little more love.
Maddie Sofia is a scientist and journalist. They previously hosted NPR’s daily science podcast Short Wave and the video series Maddie About Science.