What Does HIPAA Protect?

January 22, 2021


A number of years ago, a woman called me and said that she recently had a routine blood test for monitoring a chronic condition. She was familiar with the test and what the results would mean; however, her doctor would not give her the results over the phone. Instead, the woman said, she was going to have to take off work, drive to the doctor’s office, pay for parking, and pay a co-pay (and have a doctor’s visit billed to insurance) to get one simple number. Of course, her condition could have gotten worse or needed treatment, but in the meantime, it seemed cruel to require a person to jump through so many hoops to get a single piece of information.


Today, this kind of problem would be unlikely to happen. In 2014, HHS released a final rule requiring labs to give patients access to their results within 30 days. The Department said, in the background to that final rule, that direct access to lab results helped empower patients and further their active involvement in their own care. This follows a trend over the past 100 years in medicine, away from paternalism and towards engaged patients.


The issue of decision making becomes thornier when we consider issues of privacy. HIPAA, the Health Insurance Portability and Accountability Act, may be one of the most erroneously cited provisions for withholding information. HIPAA led to the promulgation of federal privacy and security rules for health information. These rules apply only to “covered entities”: hospitals, payers and those who submit electronic bills to insurance companies. HIPAA does not apply to an individual seeking “privacy” from declaring why he will not wear a face mask in contravention of local requirements.


As technology blurs the line between patient and consumer, privacy protections may be all but moot. At-home DNA tests and wearables have allowed people more access to their health information than ever. In 2008, the Genetic Information Nondiscrimination Act was enacted, providing that health insurance companies and employers could not use genetic information - which is not the same as a health condition - against people. However, this information is not private, nor is it protected against discrimination by numerous entities, including life insurers and the military. Recently, the US Department of Defense issued a warning to service members asking them not to use direct-to-consumer (DTC) genetic tests. [We will discuss wearables in a forthcoming post.]


As for the woman who called me - I advised her to request her medical records, which would include the lab results, and find a new doctor.