Since its dramatic entrance on the national scene in early 2020, COVID-19 has precipitated some monumental societal changes. COVID vaccinations in particular have raised some important questions relating to healthcare privacy. Can an employer compel an employee to divulge his or her vaccination status? Or to get the vaccine? Can governments force citizens to receive vaccines and penalize those who refuse? Can media outlets publicize information about individual healthcare decisions? What about HIPAA: doesn’t this federal law prohibit the disclosure of one’s medical status? Or, should it? Suffice it to say, these are complex questions, and in some cases, the answers are unclear, yet to be determined, or depend on which state you live in. All of the above questions frame the focus of this article, which looks at HIPAA and medical privacy in the COVID-19 era.
Individual Rights vs. Public Health
The legal development of medical privacy rights has been gradual, often requiring a difficult balancing between individual rights and societal public health interests. As the debate slowly evolved into the 21st Century, privacy rights appeared destined to win out. But COVID has undoubtedly altered the discussion—raising new legal issues and changing the way some old issues are viewed. As a new chapter unfolds in the history of healthcare privacy, it’s worth taking a look at how the story began.
Origins of Medical Privacy Rights in the United States
To provide some background concerning HIPAA and medical privacy in the COVID-19 era, a little bit of history is helpful. In the pre-HIPAA era, medical privacy was not regulated at the federal level. No national law stopped healthcare providers or anyone else with access to a person’s medical information from disclosing it however they saw fit. The U.S. Supreme Court recognized (and still recognizes) a constitutional right to privacy, but constitutional protections generally only limit the conduct of a government entity. A private healthcare provider, insurance company, or employer doesn’t have to respect your constitutional right to privacy any more than Facebook, YouTube, or Twitter have to respect your First Amendment right to freedom of speech. Notwithstanding, there are some rumblings about the aforementioned companies being commandeered as political actors, thereby classifying them as government actors. But that’s another article.
That’s not to say medical privacy didn’t exist prior to 1996. Doctors taking the Hippocratic Oath have been swearing not to divulge confidential patient information since ancient times. Winston Churchill’s personal physician refused to disclose anything about Churchill’s significant health problems—which could have potentially affected his official duties—until after the former prime minister’s death. Even then, disclosure was rationalized as an effort to promote Churchill’s posthumous reputation. Regardless, the disclosure drew heavy criticism from other prominent physicians.
Common Law Approaches to Medical Privacy
The critics of Churchill’s doctor argued that he had breached physician-patient confidentiality, an ethical duty of doctors. A similar concept has been long recognized under common law in the form of the doctor-patient privilege. Designed to encourage open discussion between patient and physician, doctor-patient privilege prevents doctors from being forced to testify or provide evidence against their patients. The privilege is limited, though, with multiple exceptions, and doesn’t prevent disclosure of confidential health information by someone else.
The tort of invasion of privacy offers another potential common-law tool for protecting confidential medical information. The civil tort includes a cause of action arising from unreasonable publication of another person’s private affairs, which can include health matters. If you have a condition you’d like to keep private—and a newspaper runs an article about it to try to embarrass you—you might sue the paper for common law invasion of privacy.
While invasion of privacy is sometimes useful for keeping healthcare matters private, it is limited in that an actionable disclosure must be “highly offensive” and must not serve a legitimate public interest. In other words, if a defendant reasonably believes that divulging a plaintiff’s private medical details promotes public health, the defendant stands a good chance of defeating a common-law invasion of privacy claim.
Balancing Personal Privacy and Public Health
Historically, the conflict between individual privacy rights and perceived public health interests has frequently involved identification of individuals exposed (or possibly exposed) to communicable diseases. Thus, the question of HIPAA and medical privacy in the COVID-19 era presents a somewhat unusual circumstance, given unanswered questions about the relatively lower risk posed by COVID-19 to the majority of the population when contrasted with other historic pandemics.
Local sanitary authorities, for example, kept close tabs on tuberculosis cases—sometimes publicizing patients’ names and addresses in local newspapers. The idea was to mitigate spread and provide notice to people who might have been exposed already. Liberal-minded commentators raised objections on privacy grounds, but privacy rights were less robust at the time. So objections were usually brushed aside in favor of protecting the public from dangerous contagions like TB, smallpox, and polio.
As medical practice, ethics, and modern conceptions of privacy evolved throughout the 20th century, privacy-rights advocates made progress in the debate and even started to win on occasion. By the latter half of the century, public health officials and medical researchers still compiled disease and birth-defect registries—but with considerably greater respect for patient confidentiality.
Medical Privacy Gains the Advantage
HIPAA and medical privacy concerns changed dramatically during the 1980s and 1990s, when two issues made healthcare privacy a major issue at the national level—child immunization databases and HIV registries. In the former case, proposed legislation that would have created a national immunization database for children was vanquished by the combined efforts of parents’ groups and privacy rights advocates. Instead, immunization has been largely handled by state and local governments—with a greater sensitivity to privacy than the national registry had envisioned.
Around the same time, to study and reduce the spread of HIV, the CDC planned to create a national registry with the names and health information of all HIV-positive patients. Advocacy groups and civil libertarians rigorously opposed and ultimately defeated the effort, arguing that disclosure could lead to all sorts of negative consequences for patients. In the end, the CDC was still able to track national cases—but only using encrypted data with individually identifiable information removed. It turned out that the opposing objectives of promoting public health and protecting medical confidentiality were not mutually exclusive. But, had the objectors not made their case for privacy, the latter goal would have been discounted.
HIPAA: A Milestone in Medical Privacy
One of the most significant milestones in the history of healthcare privacy in the U.S. came with the 1996 passage of HIPAA (the “Health Insurance Portability & Accountability Act”). HIPAA was enacted for a variety of purposes. At the time, the “portability” aspect of the legislation garnered much of the attention. Congress wanted to make it easier for workers to retain health insurance coverage when changing jobs. HIPAA also expanded access to health savings accounts and streamlined administration within the healthcare industry by promoting the use of electronic records.
The HIPAA legislation did a lot of things. But what HIPAA is most well-known for today is the “Privacy Rule” adopted by the Department of Health and Human Services (“HHS”) in 2003, within the scope of its rule-making authority. The Privacy Rule, in a nutshell, prohibits unauthorized disclosure of “protected health information” that can be linked to a specific individual. In 2008, “genetic information” came under the protection of the Privacy Rule—incorporated within the definition of “protected health information” by the Genetic Information Nondiscrimination Act.
For privacy advocates, HIPAA’s Privacy Rule represented a major breakthrough, as it acknowledges and protects the right to avoid disclosure of health status and treatment information without consent. Nonetheless, privacy advocates maintain that it does not go far enough because the rule is subject to some noteworthy limitations.
First, patient consent is not required if disclosure of health information is necessary in relation to medical treatment, payment for healthcare, or the individual patient’s healthcare options. Thus, your doctor’s office can disclose treatment information to another provider involved in your treatment or to your health insurer to facilitate payment of the bill. That’s not so bad.
Another, perhaps more consequential limitation is that HIPAA’s Privacy Rule only applies to “covered entities.” Healthcare providers are covered entities—as are health insurers, HMOs, “healthcare clearinghouses,” and government agencies that transmit healthcare information. And the Privacy Rule applies vicariously to business associates of covered entities and subcontractors who work for them. But individuals or entities that don’t qualify as a “covered entity” are not regulated by the Privacy Rule.
That means if you’re providing confidential medical info to a health-tracker app on your phone (among any number of other examples), there’s a good chance HIPAA doesn’t prohibit disclosure—though non-HIPAA privacy rules may come into play.
Another HIPAA limitation is that covered entities can disclose protected information to public health authorities to help control or prevent disease or to law enforcement authorities under certain circumstances. Or, when otherwise authorized by law, a covered entity can make disclosures to individuals who may have been exposed to a communicable disease—or to a patient’s employer at the employer’s request if disclosure is necessary for OSHA compliance.
Notably, these disclosures are permitted (not required) by HIPAA—the statute does not override common law confidentiality privileges. In other words, a doctor can still refuse to divulge a patient’s confidential medical information on grounds of privilege—even if the disclosure would fall under one of the exceptions to the Privacy Rule. There might be other legal grounds for compelled disclosure, but not HIPAA.
A major weakness of HIPAA is that it does not authorize private enforcement. That is—an individual whose privacy rights have been violated due to a HIPAA violation cannot file a civil lawsuit requesting damages. Instead, HIPAA’s remedy is for aggrieved individuals to file a complaint with HHS or the relevant state’s attorney general. HHS (acting through its Office of Civil Rights) has the power to impose sometimes stiff fines (and even criminal charges in the worst cases) for HIPAA violations. In practice, enforcement is largely discretionary, and HHS usually focuses more on corrective action than penalties.
Although a civil suit under HIPAA is not an option, some states have their own healthcare privacy laws which do allow private causes of action. The general rule is that a state can enact laws providing greater, but not lesser, privacy protections than HIPAA—and some states have opted to do so. Depending on the circumstances, common law claims for negligence, intentional infliction of emotional distress, or the privacy claims mentioned above may also be available based on conduct that violates HIPAA.
Medical Privacy in the COVID-19 Era
Though privacy rights aren’t absolute, as it concerns HIPAA and medical privacy in the COVID-19 era, the personal-medical-privacy side of the debate seemed to have most of the momentum heading into the 21st Century. However, many are alarmed that COVID-19 may be changing the playing field, even going so far as to sound the alarm about “medical tyranny,” as the media’s attention to the “peril of a pandemic,” the partisan expansion of governmental power spurred by crisis and widespread fear, and, finally, the unfortunate politicization of public health reshape perceptions and priorities.
Advocates for compulsory inoculation note that there is U.S. Supreme Court precedent for government-mandated vaccines. The 1905 case of Jacobson v. Massachusetts upheld the Commonwealth of Massachusetts’ power to require smallpox vaccinations, with fines for noncompliance. Jacobson served as precedent for high-court sanctioning of mandatory school vaccinations in 1922—and involuntary sterilization in 1927.
But constitutional law generally—and privacy rights in particular—have evolved substantially over the past century. While Jacobson is technically still good law, governmental power to mandate particular healthcare procedures is by no means a settled question under modern jurisprudence. A 2005 article in the American Journal of Public Health (now featured on the National Institutes of Health’s website), leery of compulsory vaccinations, asked whether mandatory vaccines could still pass 21st Century constitutional muster. The authors viewed the issues from a variety of relevant angles, ultimately concluding:
A law that authorizes mandatory vaccination during an epidemic of a lethal disease, with refusal punishable by a monetary penalty…would undoubtedly be found constitutional…However, the vaccine would have to be approved by the FDA as safe and effective…On the other hand, if a vaccine were investigational, compulsory vaccination would not be constitutional, and people would be less likely to accept it voluntarily….[A] state statute that actually forced people to be vaccinated over their refusal would probably be an unconstitutional violation of the right to refuse treatment…Even the state’s legitimate interest in protecting life cannot outweigh a competent adult’s decision to refuse medical treatment…
The 2005 article offers a fairly detailed analysis and is worth a read if you’re interested in the topic. A somewhat ominous warning from the authors (at least for supporters of privacy rights) is worth another quotation: “As a practical matter, major new epidemics or terrorist attacks are likely to be considered national emergencies. In such circumstances, overreactions are likely and constitutional rights may be trampled, regardless of established law…”
Private Employers and Medical Privacy Rights
When it comes to HIPAA and medical privacy in the COVID-19 era, private actors (which most employers are) are generally not restrained by constitutional privacy protections. And, unfortunately for individual rights advocates, HIPAA is of little help. While the law prohibits healthcare providers’ unauthorized disclosure of patients’ vaccination status, it does not prevent employers from asking employees whether they’ve had the vaccine—or even compelling vaccination as a condition of employment.
With that said, employment law is largely governed at the state level, and individual states vary in the relative strengths and weaknesses of protections afforded to workers. The issue is certain to result in significant litigation in the days ahead, resulting in new precedent in the privacy-rights-versus-public-health debate. It will be interesting to see how the lower courts come down and whether the U.S. Supreme Court decides to weigh in on medical privacy in the COVID-19 era.
Steve Gibbs, Esq.