What you should know about HIPAA in the age of COVID and beyond

It’s HIPAA. Not HIPPA. And definitely not HIPPO.

Regardless of the abbreviation, the Health Insurance Portability and Accountability Act, signed into law in 1996, is a chronically misunderstood statute—perhaps now more than ever in the era of COVID-19.

As a Texas medical malpractice law firm, we regularly receive questions from potential clients about HIPAA violations. This article will answer some of the most common ones.

You can’t sue for a HIPAA violation

The HIPAA statute doesn’t allow an individual cause of action for a violation of the statute. That means you can’t sue a hospital, physician, or health care provider for violating your HIPAA rights.

The only remedy available to a patient under the federal law is to submit a complaint to the U.S. Department of Health and Human Services Office for Civil Rights. 

HIPAA doesn’t apply to everyone

The privacy section of HIPAA is designed to protect the confidentiality of personally-identifiable protected health information (PHI) held by covered entities. Covered entities under the statute include hospitals, doctors, chiropractors, psychologists, pharmacists, nursing homes, and other healthcare providers. Insurance companies, health maintenance organizations (HMOs), and health care clearinghouses are also covered entities under HIPAA.

In addition, business associates of covered entities must also comply with HIPAA privacy protections. Business associates are basically people or companies who do business with covered entities and handle PHI. This can include claims adjusters, lawyers, accountants, and a host of other people.

Anyone who’s not a covered entity or business associate isn’t required to comply with HIPAA privacy protections.

There’s also portability

Depending on one’s perspective, one of the great or terrifying ways that the federal government obtains compliance with policies is through financial incentives. But, as the sayings go…there’s no such thing as a free lunch…and there are always strings attached.

HIPAA is a great example. In exchange for providing government funding for hospitals, doctors’ offices, and other health care providers to implement electronic medical record systems, health care professionals are required to comply with federal guidelines on making electronic medical records quickly and inexpensively available to patients.

I wrote an e-book about how you can take advantage of HIPAA and subsequent legislation to get your medical records for as low as $6.50. You can download it here.

What about HIPAA & death panels?

In my experience, both as a lawyer and former hospital administrator, hospitals typically take their HIPAA obligations seriously. I have often found them to be more lax, though, when it comes to medical futility or ethics committee proceedings aimed at ending curative care for a patient. These are sometimes called death panels.

The term “death panel” gets bandied about from time to time. In my view, though, Texas has already had them for decades (since 1999). I wrote an op-ed piece about this topic back in 2009, in The Washington Times. You can read it here.

Hospital misconduct is so predictable that Painter Law Firm created a companion website, Surviving Hospitals, to educate the public about what to expect when a hospital has a death panel on the mind. One of the common tactics that hospitals use during medical futility proceedings is to locate long-lost relatives and bring them in to try to drum up support for ending care of the patient. In the process, they disclose protected health information (PHI).

I can’t tell you how many times I’ve used the threat of filing a federal complaint for a HIPAA violation to stop a death panel cold in its tracks.

What about COVID testing and vaccines?

To clear up some of the confusion surrounding HIPAA, I recently spoke to the Houston Bar Association about HIPAA and issues related to the pandemic. You can watch the video of my one-hour presentation here.

Here are some quick points to keep in mind:

• A restaurant or other non-health care business doesn’t violate HIPAA by asking about a customer’s COVID vaccine status.

• A restaurant or other non-health care business doesn’t violate HIPAA by asking about whether a customer has tested positive for COVID.

• An employer can require an employee to take a COVID test and report the results without violating HIPAA.

• It’s not a HIPAA violation to ask an employee about his or her COVID vaccine status.

Many more questions and topics are addressed in the video.

We are here to help

As a Texas medical malpractice law firm, we are familiar with HIPAA rights and requirements and all types of medical negligence claims. Feel free to contact us for a complimentary consultation.

Article by Robert Painter

Robert Painter is an award-winning medical malpractice attorney at Painter Law Firm Medical Malpractice Attorneys in Houston, Texas. He is a former hospital administrator who represents patients and family members in medical negligence and wrongful death lawsuits all over Texas. Contact him for a free consultation and strategy session by calling 281-580-8800 or emailing him right now.