NPR's Kelsey Snell speaks with Deven McGraw, cofounder of consumer health data firm Ciitizen, to clear up misconceptions about HIPAA rules and protections.
Sponsor MessageKELSEY SNELL, HOST:
Another misconception that crops up a lot in conversations about vaccination status and a person's right to privacy about that status is actually an acronym, HIPAA. Recently, Georgia Congresswoman Marjorie Taylor Greene and Dallas Cowboys quarterback Dak Prescott declined to answer questions about their vaccination status, citing HIPAA, the 1996 federal law that created standards to protect sensitive patient information. They are part of a growing number of people who bring it up in a variety of situations where it may or may not apply.
We wanted to know more about the HIPAA law and what it actually does and doesn't do, so we called Deven McGraw. She is co-founder of the consumer health technology company Ciitizen. She's also the former deputy director for health information privacy at the Office for Civil Rights at the U.S. Department of Health. Deven McGraw, welcome. Thanks for joining us.
DEVEN MCGRAW: Thank you for having me.
SNELL: So let's dive right into - one of the biggest misconceptions about HIPAA is that the P stands for privacy. In fact, privacy is not part of the acronym. So what does HIPAA actually stand for? And what's its main purpose?
MCGRAW: So HIPAA stands for the Health Insurance Portability and Accountability Act. It was passed back in 1996 primarily to allow people to change health insurance when they change jobs. And then there was another part of HIPAA that was kind of less widely known at the time, which was the ability to digitize health plan claims. So when doctors would try to get paid from a health insurer, they would use common standards to send information electronically. And this was supposed to get some of the administrative overhead costs out of the health care system.
And at the time, Congress said, well, we're going to be digitizing all this health information. We better have HHS develop regulations to protect the privacy of that information. So hence, the HIPAA privacy rules were born. But they have very limited application because they were really about the submission of health care claims by health care providers.
SNELL: So portability and the privacy in moving your records, and not your privacy in talking to somebody else about, you know, your health information. What are some other misconceptions about HIPAA?
MCGRAW: I mean, you hit on the biggest one, which is that people just generally think that HIPAA protects all health information at any time for any purpose whatsoever, no matter who is involved. And that's absolutely not true. It does not cover restaurants. It does not cover stores. It does not cover your employer. And it doesn't cover you personally.
So, you know, you can be asked your vaccine status if it's relevant to, you know, going into a store or going into a restaurant, and that's not a HIPAA violation. And similarly, if you are a public figure, like a member of Congress or an NFL quarterback, and someone asks you your vaccine status, you can't sort of say that HIPAA prevents you from disclosing it or that HIPAA protects you from even being asked that information. So it's very limited coverage that HIPAA has.
SNELL: It strikes me that even if people misunderstand it, it really is unusual for a federal health law to be so widely known and discussed. Why do you think HIPAA has caught on in this way?
MCGRAW: Well, I think it's caught on in part because of the divisions that we have in the country around COVID-19, around the measures to be taken to protect against COVID-19, which do require people to sacrifice some of what otherwise would be their personal liberties. I mean, I don't think any of us love wearing a mask, right? But we're asked to do so and in some cases required to do so in order to protect other people. That is really sort of sticking right into the heart of sort of what it means for some people to feel the sense of freedom. And for many people, it gets to the core of, you know, America. We get to do what we want. We have these freedoms. But the pandemic really challenges that, and HIPAA has kind of become the lightning rod in all of this. People are grabbing on to it because they think it protects more than it does. There are just deeper issues involved in all of this, as I think everyone recognizes.
SNELL: Deven McGraw is a co-founder of the consumer health technology company Ciitizen. And she's the former deputy director for health information privacy at the Office for Civil Rights of the U.S. Department of Health. Thanks for speaking with me.
MCGRAW: Thank you for having me.
(SOUNDBITE OF MUSIC)
Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.