When NFL quarterback Dak Prescott doesn’t feel well, the whole world knows about it. The Dallas Cowboys, like all pro football teams, regularly brief the press about injury updates and medical conditions of their players. The team gave regular updates on their star quarterback’s surgery and recovery after a gruesome compound ankle fracture last October. On Tuesday, his coach even announced that Prescott wouldn’t throw during practice because his shoulder hurt. But when asked last week whether he had received the Covid-19 vaccine, Prescott demurred. “I don’t necessarily think that’s exactly important,” he told reporters. “I think that’s HIPAA.”
Prescott isn’t alone in invoking the well-known but little-understood health reform law to pointedly avoid questions about his vaccination status. HIPAA is also routinely cited by opponents of Covid-19 restrictions to justify ignoring or flouting them. One of the most cynical invocations in recent memory came from Georgia Representative Marjorie Taylor Greene, who was asked by a reporter on Capitol Hill if she’d received the Covid-19 vaccine yet amid a surge of cases in her home state. “Well, your first question is a violation of my HIPAA rights,” she replied. “You see, with HIPAA rights, we don’t have to reveal our medical records, and that also includes our vaccine records.”
Greene’s answer is wrong for reasons I’ll explain later. But her ignorance is not surprising. HIPAA has transcended its humble origins into something else entirely in the public imagination. Call it “folk law”: a popular belief in a rule or legal principle that doesn’t quite match legal reality. It’s a strange marker for American faith in the rule of law—and a troubling sign for our ability to end the Covid-19 pandemic.
How did we get here? When Congress passed the Health Insurance Portability and Accountability Act in 1996, medical privacy wasn’t in the forefront of lawmakers’ minds. Its real aim was reflected by its name: The law sought to make it easier for Americans to keep their health insurance when they left or lost their job, by imposing new restrictions on when a new employer’s insurer could deny them coverage. Though modest by today’s standards, the changes were touted as a major step in health care reform by President Bill Clinton, who struggled with the issue throughout his first term.
In a way, it’s a testament to HIPAA’s success that many Americans don’t associate it with its central purpose today. Some of its provisions, most notably those involving preexisting conditions, were also eclipsed by the Affordable Care Act and other later reforms. But others remain intact. As part of its effort to revamp portability, HIPAA also sought to improve how health-related information was shared within the health care industry. One of the new rules required by Congress involved medical privacy.
HIPAA privacy rules can be somewhat complex, but the law and its regulations generally prohibit “covered entities” under the statute—doctors, hospital administrators, insurers, and so on—from obtaining or disclosing a person’s health-related information in most circumstances without that person’s consent. Since most Americans don’t work in the health care industry, they probably aren’t familiar with the bulk of the administrative changes wrought by HIPAA over the past two decades. But anyone who’s had to recite their birth date when calling a doctor’s office or signed privacy waivers while in the emergency room has encountered the law.
In the folk version of HIPAA, however, those rules are actually a general right to medical privacy in all circumstances. Whatever the merits of such a right, HIPAA doesn’t actually protect it beyond covered entities. As a journalist, if I learned that a prominent hypothetical senator had been diagnosed with Alzheimer’s disease, I would not be violating HIPAA if I reported that information in this publication. If I learned of the diagnosis from one of the senator’s family members or from a staffer in their office, that source wouldn’t be violating HIPAA, either. But if the senator’s doctor or nurse or even an administrative aide in their hospital slipped me a copy of the test results without the senator’s permission, they would almost certainly be violating HIPAA.
Some confusion about who counts as a “covered entity” is understandable: It’s a broad, opaque term, and most Americans probably want to believe that it covers as much as possible. Where the folk version of HIPAA really goes awry is when it comes to asking about private health information, as opposed to telling someone about it. There is no legal universe in which it’s a HIPAA violation to ask someone if they’re vaccinated. Most people also probably wouldn’t consider it a HIPAA violation if someone asked, “How do you feel?” Nor is this really how HIPAA works in practice: People typically want a new doctor to be able to get their medical records from a previous doctor, for example, and happily sign a waiver so it can be done.
So why the misconception? For one, it’s understandable that Americans acting in good faith could think that medical questions in general are off-limits. There are circumstances where inquiring about someone’s health conditions could violate anti-discrimination laws. Under the Americans With Disabilities Act, employers generally can’t ask job applicants if they are disabled or for more details about their disability during the hiring process. There are also restrictions on when and how employers can ask about a worker’s disability unless it is relevant to their work performance and, more broadly, whether they can disclose a worker’s medical information to others. That would include the worker’s vaccination record or lack thereof. Beyond those circumstances and a few others, there’s nothing legally wrong with most Americans asking other Americans if they’ve been vaccinated.
Flimsy or bad-faith invocations of HIPAA aren’t limited to high-profile vaccine skeptics. Some school officials, for example, have invoked the law’s restrictions on disclosing medical information to avoid providing up-to-date counts of confirmed infections. Some counties resisted disclosing the number of positive test results in the early stages of the pandemic. And when former President Donald Trump was hospitalized with Covid-19 last October, his doctors provided upbeat reports on his prognosis in national press conferences while simultaneously citing HIPAA to avoid disclosing the state of his lungs or other crucial data about his case. Subsequent reporting revealed that Trump’s condition was initially far more dire than the White House publicly admitted.
The HIPAA defense invoked by Prescott, Greene, and others is far from the only folk-law concept that’s found its way into popular discourse. Some are harmless and fodder for cheap comedy: Undercover police, for the record, do not have to tell you if they’re a cop just because you ask them. There is now a cottage industry among conservatives, for example, that’s devoted to misreading and opposing a federal provision known as Section 230 in an apparent ploy to pressure Silicon Valley into not moderating right-wing content on sites like Facebook and YouTube.
It’s hard to blame HIPAA for others’ misinterpretation of it. It certainly can’t be said that HIPAA is a valid reason for a public figure to avoid answering questions about their vaccination status. At best, the HIPAA defense reflects someone’s understandable misunderstanding of a complex federal law. At worst, it’s a cynical tool to avoid accountability and defy public health measures during a pandemic that’s already killed more than 600,000 Americans.
Perhaps the untold story of HIPAA is that the law may have inadvertently helped worsen the pandemic. The Intercept’s Peter Maass reported last December how the law’s privacy restrictions, which were bolstered by Trump administration guidance in the pandemic’s first few months, make it virtually impossible for journalists to show or broadcast images from inside hospitals and other health care facilities. As a result, there is almost no visual record of overcrowded Covid-19 wards in the hardest-hit cities, ailing patients struggling to breathe on ventilators, or other defining hardships of this era. Small wonder, Maass noted, that so many Americans are willing to believe that all we’ve endured is overblown at best or a hoax at worst.