RALEIGH, N.C. – Privacy experts say when health officials claim they’re not allowed to release certain information about the COVID-19 pandemic, they’re usually right.

Medical privacy laws are in the spotlight as COVID-19 continues to ravage the country. In some cases, people have taken to social media to make claims about HIPAA, such as forbidding transportation network companies from requiring face masks in cars. Those claims are false.

HIPAA is the Health Insurance Portability and Accountability Act. First passed in the 1990s, the law governs what health-related information about a person is releasable.

Elizabeth Johnson, an attorney who specializes in privacy issues, said HIPAA deals with information that is sent to a healthcare provider on a claims basis. If you pay your doctor or dentist through insurance, either private or a government-run program such as Medicare or Medicaid, your data is protected. If you pay cash, HIPAA doesn’t apply.

Richard Saver, a UNC-Chapel Hill law professor who specializes in health law, said many people believe HIPAA only protects a patient’s name from disclosure. In fact, any sort of identifiable information is protected, including demographic information and details about where the person lives.

In a public health emergency, HIPAA gives officials broad discretion as to what kind of information they release. But it’s not the only law at work.

States, including North Carolina, have their own communicable disease laws. These laws regulate the reporting of cases of COVID-19 as well as more familiar diseases such as measles or flu. Johnson said that law, rather than HIPAA, generally governs what health officials can release about a disease in your community.

“If it’s identifiable to a person, it’s not a public record. So they can’t be obligated to disclose it to the media or anyone else,” she said. “They are allowed to disclose it in certain cases, but they’re all going to fit into that general pattern where they need to be acting to protect the public before they make a disclosure like that.”

When Spectrum News staff have contacted county health departments for information regarding COVID-19 cases traceable to a particular location, some have provided numbers but others have refused to disclose them. Saver said those decisions always are governed by conditions on the ground and even what individual officials feel comfortable releasing given the regulations that are in place.

Saver said HIPAA can limit what employers disclose as well, if indirectly.

“The place of business may not be a healthcare provider, but once that information gets ultimately reported up to a public health agency, they are covered by HIPAA. And what they do with the information has to comply with HIPAA as well,” he said.

Saver and Johnson said although the public’s hunger for information is understandable in a pandemic, privacy laws can actually be a good thing. The knowledge that identifiable information will be protected can make someone more willing to tell a doctor they have a communicable disease, such as COVID-19.

Whatever your feelings about privacy laws, Johnson said do your research using reputable sources and don’t believe everything you see people post about them on social media.

“There’s a lot on social media lately of people declaring, HIPAA doesn’t allow this, HIPAA doesn’t allow that,” she said. “I’d say 90 percent of it’s wrong at this point.”


This post, What Medical Privacy Laws Do And Don’t Cover, first appeared on https://spectrumlocalnews.com.


Comments are closed.