COVID-19 has exposed how many people, including some lawyers, misunderstand the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Armchair lawyers who do not know what a covered entity is have repeatedly and erroneously argued that HIPAA governs private businesses’ mask and vaccine requirements.
Even without COVID-19, lawyers can come across HIPAA questions in numerous situations, including issuing subpoenas, deposing medical experts, and estate planning and administration. HIPAA’s details can be complicated, but there are HIPAA basics that are helpful for lawyers to understand:
- It’s not spelled HIPPA, and the “P” in HIPAA does not mean “privacy.” Congress did not create HIPAA to protect health care information. Its purpose was to create standards for digital medical records and sharing health care information. The privacy protections most people know as HIPAA are necessary byproducts of the law’s original purpose.
- HIPAA requires covered entities (health care providers, health plans, health care clearinghouses) and their business associates to safeguard protected health information (PHI). Generally, few other people or businesses have duties under HIPAA to protect other people’s health information.
- In general, PHI is individually identifiable health information that is created, received, maintained, or transmitted by covered entities or their business associates.
- As a lawyer, you will be a business associate if you represent a covered entity and will access PHI. In that case, you must have a business associate agreement, which essentially states that you will protect PHI to the same extent as a covered entity.
For more information, the U.S. Department of Health & Human Services website has guidance about HIPAA, and 45 CFR 160.103 contains definitions for most HIPAA terms.