It’s easy to assume that the more sensitive information is, the more it should be protected. We know that the Health Insurance Portability and Accountability Act (known as HIPAA) protects health information. But does HIPAA provide special protections for highly sensitive health data, such as an HIV diagnosis or treatment?
In short, no. The federal HIPAA law governs all protected health information (PHI) but doesn’t afford special protections for PHI related to an HIV diagnosis or treatment. This data should be treated with the same privacy and security safeguards as any other health data. You need written consent to disclose this information, just like you do for any other type of PHI, unless the disclosure is for treatment, payment, or health care operations (TPO) or is required by law.
Your practice must report an HIV diagnosis to your state health department for public health purposes. In many states, you can also disclose HIV services that a minor receives to their parents, if you believe it’s in the child’s best interests. However, you must not disclose this status to a patient’s employer.
At your practice, you may choose to provide extra protection, such as keeping HIV-related information in a separate area of the electronic health record. Additionally, state law may impose requirements beyond the HIPAA Privacy Rule. For example, some states or cities require you, the health care provider, or the patient to notify the patient’s partners of the patient’s HIV status or to go through a partner notification program, as in Texas. If your state has additional protections, you must comply with them.
In summary, HIPAA doesn’t provide special protections for HIV diagnosis or status. Nevertheless, you must still follow your current privacy policies and procedures to protect all patient data.
