Bogus HIPAA Claims Are Flourishing As Pandemic Worsens

By Jeff Overley
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Health newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (November 30, 2020, 8:35 PM EST) -- The escalating coronavirus pandemic is fueling false assertions about the privacy protections of the Health Insurance Portability and Accountability Act in a wide array of settings, including the storefront windows of retail shops and the social media accounts of former Trump administration officials.

Spurious claims exaggerating HIPAA's reach appear to be originating primarily from individuals who have expressed the belief that the COVID-19 crisis — which has killed almost 270,000 Americans — is overblown. The claims have become more conspicuous in recent months, as virus skeptics wield HIPAA and other legal provisions in an effort to evade face mask mandates and undermine media reports about famous people testing positive.

"This is just such a politically charged — rightfully or wrongfully — scenario that we have right now," Lynn Sessions, BakerHostetler's health privacy leader, told Law360. "We're seeing a lot of different laws and regulations being thrown out there to justify whatever position [someone] is taking."

Efforts to push back against pandemic restrictions and news reporting have also invoked the Americans with Disabilities Act and the privacy provisions of the U.S. Constitution's Fourth Amendment. For example, a U.S. Department of Justice fraud alert in June described cards that cited the ADA and a fictitious government body called the "Freedom to Breathe Agency" in an effort to exempt the cardholders from face mask requirements.

But HIPAA — the nation's biggest and best-known health privacy law — appears to be cited especially often. According to data from Google, search interest in HIPAA spiked to its highest level in the past five years shortly after President Donald Trump delivered an Oval Office address in March about COVID-19. Interest has remained historically high and has surged periodically throughout 2020 after important news events involving the novel coronavirus.

Click to view interactive version

"While health care, health data and privacy are always of great interest to some of us, the pandemic has raised their profile for the population at large," David Harlow, chief compliance and privacy officer at a Massachusetts-based medical device company, told Law360. "This has also increased the number of misunderstandings about HIPAA."

References to HIPAA can be found on paper signs that have been appearing in the windows of small businesses in response to mask mandates that now exist in more than 35 states. The signs purport to exempt customers with medical conditions that preclude mask-wearing, typically declaring in boilerplate script that "due to HIPAA and the Fourth Amendment, we cannot legally ask you what your medical condition is."

Some business owners have uploaded photos of the signs to Facebook, which has flagged some of the images for containing "false information," and the posts often attract outpourings of praise.

For example, after the Doomsday Tactical Supply gun shop in Virginia posted a photo of its sign earlier this year, it earned 1,300 likes and 600 shares. As another example, when Larry Sharpe — the Libertarian Party candidate in New York's 2018 gubernatorial election — posted a picture of one of the signs and solicited feedback, he garnered more than 2,000 likes and 1,600 shares.

This is a very interesting sign. What are your thoughts about it?

Posted by Larry Sharpe, Libertarian on Wednesday, July 15, 2020
It's not known whether business proprietors who are self-described critics of mask mandates are intentionally misconstruing HIPAA. But attorneys told Law360 that while the ADA could require accommodations for genuine medical issues, HIPAA would almost never actually prohibit business owners from asking why patrons were flouting a mask law.

"Those are totally false," Thomas Jeffry Jr., a HIPAA specialist at Arent Fox LLP, said of the signs. "Shop owners typically are not going to be subject to HIPAA."

In fact, relatively few components of the U.S. economy — mainly health care providers, insurers, pharmacies and their business associates — are subject to HIPAA, which Congress passed in the 1990s. Outside those contexts, there's fairly wide latitude to publicly discuss someone's health.

"The biggest misconception tends to be that because HIPAA has become synonymous with medical privacy, that people assume that all medical information is always going to be protected by HIPAA," Adam H. Greene, a Davis Wright Tremaine LLP partner, told Law360.

That incorrect assumption has also proliferated widely on Twitter. In recent weeks, waves of tweets mentioning HIPAA — or its common misspelling, HIPPA — have made the health privacy law a trending topic, leaving experts amused but also rolling their eyes.

"We kind of chuckle [when] HIPAA is trending on Twitter, because it's trending for the wrong reasons," Sessions said. "It's really not trending because it's truly in play."

HIPAA and HIPPA each began trending on Nov. 20, which was the same day media outlets disclosed the positive coronavirus test of Donald Trump Jr., who has eschewed face masks and cast doubt on their effectiveness.

News of the president's son's positive test attracted numerous tweets incorrectly alleging that the disclosure — attributed to a spokesperson for Trump Jr. — ran afoul of HIPAA. Perhaps most prominently, the president's former acting Director of National Intelligence Richard Grenell, who has nearly 700,000 Twitter followers, denounced the story as "a violation of HIPAA rules" and then faced a swift backlash.

"You stumbling turnip that's not what HIPAA does," the popular Twitter account Popehat, which is run by Brown White & Osborn LLP lawyer Ken White, tweeted to Grenell.

Another response to Grenell came from an account called Bad HIPPA Takes, which debuted in May and spotlights inaccurate HIPAA posts. In response to questions from Law360, the account's operator wrote, "I'm just an internet rando who got fed up with the HIPAA misinformation being spread near the beginning of the pandemic."

The account operator added that they are based in Denver, formerly worked as a medical practitioner covered by HIPAA and intentionally adopted the "HIPPA" acronym as "a nod to the nitwits who constantly misspell it online."

Another high-profile HIPAA dust-up happened on Oct. 5, a few days after the president tested positive for the coronavirus. In response to a news report about a White House staffer also testing positive, former White House Press Secretary Sean Spicer tweeted to his roughly 463,000 Twitter followers that the report "seems like a violation of HIPPA."

Rep. Donna Shalala, D-Fla., a former U.S. Department of Health and Human Services secretary who helped author HIPAA's privacy provisions, then responded by telling Spicer, "That's not how HIPAA works."

It's hard to know whether the HIPAA distortions have significant practical effects. Do they fuel new infections by emboldening large numbers of people to defy mask mandates? Do they erode trust in media reports about the COVID-19 emergency? Maybe.

What is safe to say is that misunderstandings about the complicated health privacy law are understandable for everyday Americans, who may not grasp the intricacies of a complex statute that many lawyers specialize in almost exclusively. But when people who've served at the executive branch's highest levels broadcast incorrect HIPAA claims during a pandemic, the lapses seem more serious.

"All of these health-related things get used and twisted, and they get twisted sometimes innocently, because people just don't know what they are," Rivkin Radler LLP partner Eric D. Fader said. "And other times, it's people who should know better."

--Editing by Nicole Bleier and Breda Lund.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!