The Body: HIPAA: Why It Matters More Each Day for HIV

Getty Images/damircudic

This article by Ace Robinson in discusses our February 22, 2024 HIPAA explainer webinar with NASTAD and Harvard Law School Center for Health Law and Policy Innovation.

"Control over one’s health information remains front and center in the communities most impacted by HIV in America. Due to HIV criminalization laws, which disproportionately affect Black people, there is a constant fear that one’s serostatus might be used to imprison them or even enhance sentencing."

"What’s the Hoopla about HIPAA? HIPAA 101 for Advocates" webinar featured presentations by attorneys Kae Greenberg (he/him), Staff Attorney, CHLP; Dori Molozanov (she/her), Senior Manager, Health Systems Integration, NASTAD; Rachel Landauer (she/her), Clinical Instructor, Center for Health Law and Policy Innovation (CHLPI), Harvard Law School; and was moderated by Kytara Epps (she/her) MPH, National Community Outreach Coordinator, CHLP.

Watch the replay

Read the article below or at

HIPAA: Why It Matters More Each Day for HIV

Mar 25, 2024
By Ace Robinson, M.P.H., M.H.L.

In the summer of 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) to ensure that an individual’s health benefits could potentially remain active if they changed or lost their job. It was also intended to protect workers against discrimination from health insurance plans based on their health status.

There was a good reason for this, especially for people with chronic illnesses. At that point in time, protease inhibitors―which were some of the first drugs to successfully treat HIV―were still a year away from becoming widely available, the AIDS crisis was still raging, and, if they were lucky to have it, people living with HIV were in constant fear of losing their health insurance or having their rates increased beyond their ability to pay. HIPAA offered a measure of protection from what might have been a life-or-death loss. It also regulated how health information could be transmitted between entities, while ensuring higher levels of privacy at a time when disclosure of one’s HIV status could often lead to devastating stigma and discrimination. Though it might seem unimaginable today, even Ryan White―a white child who was not part of a community that was already being discriminated against―faced death threats after it became known that he was living with HIV.

Control over one’s health information remains front and center in the communities most impacted by HIV in America. Due to HIV criminalization laws, which disproportionately affect Black people, there is a constant fear that one’s serostatus might be used to imprison them or even enhance sentencing. Additionally, it cannot be ignored that HIV-related stigma remains pervasive and has caused some to lose employment, miss out on gaining employment, and/or be denied access to a range of public services, including doctor visits or the use of bathrooms.

With this reality in mind, in February, TheBody attended an online panel of legal, policy, and academic experts who helped clarify questions about what HIPAA is and who is required to follow its guidelines. The panel was called, “What’s the Hoopla About HIPAA? HIPAA 101 for Advocates.” It was convened by the Center for HIV Law and Policy (CHLP), NASTAD, and Harvard Law School’s Center for Health Law and Policy Innovation (CHLPI) and included NASTAD’s senior manager of health systems integration, Dori Molozanov, J.D.; clinical instructor at CHLPI Rachel Landauer, J.D.; and staff attorney at CHLP Kae Greenberg, J.D. The panel was moderated by Kytara Epps, M.P.H., of CHLP.

A major highlight of the panel was explaining when protected health information―HIV status, history of sexually transmitted infections, use of mental and behavioral health care―can or must be disclosed. Molozanov laid the groundwork and shared that there are only two instances for mandatory disclosure of one’s protected health information: 1) to the person who has a right to access their own information, and 2) to the Department of Health and Human Services as part of an investigation, review, or enforcement action regarding HIPAA compliance.

But there are numerous instances in which one's private data can be shared beyond these two mandates. For instance, attendees of the panel learned that the only entities that are required to follow HIPAA guidelines are clinical providers, laboratories, health insurance plans, and health care clearinghouses. Contrary to what one might think, Landauer shared that health departments and HIV service organizations that provide services like housing and medical case management but without providing direct clinical care have not been clearly designated as HIPAA entities―and may not be required to follow HIPAA guidelines.

There are additional situations in which sharing an individual’s health information does not require consent. For instance, information about people who test positive for HIV is shared with the state department of health where they were diagnosed. The sharing does not stop there. While parts of this information are made anonymous, any data points related to their HIV phenotype and demographics are then shared with the Centers for Disease Control and Prevention (CDC).

This is known as molecular surveillance. There is no way for entities that receive HIV prevention funding from the CDC to opt out of this data collection and sharing mandate, even if they object to it. This is because eligibility for receiving such funding is currently tied to sharing this information.

In the past decade, there has been a lot of attention focused on this longstanding practice of HIV molecular surveillance. Though this data is meant to help track strains of HIV and potentially interrupt a small or large outbreak, a number of HIV advocates fear that it may be used to further criminalize people living with HIV. What underscores this fear is the increase of society-wide surveillance without eliminating stigmatizing laws, as well as the fact that some states are trying to or have succeeded in gaining access to protected health information such as the menstrual-cycle frequency of patients or who has received gender-affirming care.

Greenberg shared that access to one’s protected health information must be procured through a defined legal process, i.e., a warrant, a subpoena, or a court order. He continued on to highlight that one’s serostatus can remain confidential even in open court. For example, a lawyer can ask for any discussion regarding HIV status to be held in the judge’s chambers or only if the court is cleared of the general public. Interestingly, one’s HIV status can be used for leniency in some circumstances. Greenberg noted that during the height of the COVID-19 pandemic, when it was overrunning prison settings, some people living with HIV had their prison sentence suspended for fear of COVID’s impact on their health.

A review of the Department of Health and Human Services’ summary of the HIPAA Privacy Rule shows there are six instances in which an entity is permitted, though not required, to share an individual’s protected health information. Though some of these circumstances may seem innocuous, it is important to understand that in these instances, covered entities do not have to receive an individual’s authorized consent before sharing their protected health information. They include sharing such information in the following situations:

  1. With the individual who is the subject of the information.
  2. For the covered entity’s own treatment, payment, and health care operations activities.
  3. When an individual is incapacitated, in an emergency situation, or not available.
  4. Incident to an otherwise permitted use and disclosure, meaning, “as result of, or as ‘incident to,’ an otherwise permitted use or disclosure” and as long as reasonable safeguards are in place.
  5. For the public interest and benefit, which applies to 12 national priority purposes: when required by law; for public health or safety reasons; about survivors of abuse, neglect, or domestic violence; to health oversight agencies; for judicial and administrative proceedings (with an order from a court or by subpoena); law enforcement purposes; to funeral directors, coroners, or medical examiners; to facilitate organ donation and transplantation; research purposes; when necessary to prevent or lessen a serious and imminent threat to health or safety; to allow the government to execute essential functions; and in compliance with workers’ compensation laws.
  6. For a limited data set, from which individuals’ identifying information is removed, for the purposes of research, public health, or health care operations.

The HHS also states that organizations “may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”

A review of HIPAA’s privacy standards reveals numerous instances in which one’s private health information can be shared. It is likely that most Americans are unaware of these loopholes. This is but one reason why panelists implored people to know their rights and health care protections, with full understanding that these potential breaches of privacy have historically and disproportionately impacted people from marginalized racial and ethnic groups, LGBTQI people, people from other countries of origin, and people experiencing pervasive poverty. As the law is a dynamic (or living) component of our daily life, these updates are always subject to change. However, in recent years, these changes have rarely been progressive.

© 2024 HealthCentral LLC. All rights reserved.

Ace Robinson, M.P.H., M.H.L.:  Ace Robinson, M.P.H., M.H.L., is a leading administrative and policy communicable disease advocate and population health expert.

Related Issues