Washington — For the American people and members of the press hoping to glean a comprehensive rundown of President Trump's condition following his diagnosis with COVID-19, a five-letter acronym has been invoked by White House physician Dr. Sean Conley as a barrier to offering the full view that many crave.
HIPAA, shorthand for the Health Insurance Portability and Accountability Act, has been mentioned repeatedly by Conley as he fields questions from the press about the president's health status, namely in response to questions about what scans of Mr. Trump's lungs revealed and when he last tested negative for the coronavirus.
"There are HIPAA rules and regulations that restrict me in sharing certain things for his safety and his own health and reasons," Conley told reporters at Walter Reed on Monday when pressed about findings from the president's lung imaging.
Asked about when Mr. Trump last tested negative and whether any of his lab tests were abnormal, Conley again leaned on the law.
"HIPAA kind of precludes me from going into too much depth," he said.
While Conley cited the measure as justification for why he could not disclose information about Mr. Trump's scans or tests, he did discussthe and said Mr. Trump was "doing very well," raising questions as to whether the American people were getting a complete picture of Mr. Trump's condition.
One person in Washington who is intimately familiar with HIPAA and how the law works is Congresswoman Donna Shalala, a Florida Democrat who helped write the law as secretary of the Department of Health and Human Services under President Bill Clinton.
Shalala recently corrected former White House press secretary Sean Spicer's characterization of the law, in a tweet that's been shared more than 90,000 times. CBS News got in touch with her for a rundown about the health care law and how it applies to the president, who continues to recover from COVID-19.
CBS News: When was HIPAA enacted and what is the purpose of the law?
Congresswoman Donna Shalala: HIPAA was enacted in 1996 with its primary goal being to protect people's medical information — sometimes called PHI or protected health information — and allow patient's access to their own health information.
Who does HIPAA apply to? Is a White House physician covered?
Generally, HIPAA only applies to medical systems, so health insurance companies and health care providers like doctors, hospitals, nursing homes and all the people that work in those places.
Yes, a White House physician would be covered. There is a misconception that everyone falls under HIPAA privacy laws. But employers do not, as well as many schools, law enforcement and of course just your average person on the street. If I tell my friend some private health information and then they put that on Facebook, they did not violate HIPAA.
What health information is protected under HIPAA and therefore kept private?
Information your doctors, nurses and other health care providers put in your medical records would be covered, as well as information about you in your health insurer's computer or billing system. Most health information about you held by insurers, providers and pharmacists is prohibited from disclosure.
Does a patient have to provide authorization for a doctor to release their health information?
Yes, most of the time. A doctor could release information to another entity like a health insurance company for billing and health care treatment purposes, as well as to protect public health. However, a person's information can't be used or shared without their written permission unless HIPPA law allows it. For example, your provider generally can't give your information to your employer or use your information for marketing or advertising.
In that case, can a patient be selective in what information is allowed to be released?
Yes, because HIPAA is rooted in protecting patients. A patient may want their doctor to share information about their current condition or diagnosis with their friends — or the American public — but there is other information in their medical record that they might not want to share, like their diagnosis of heart disease or erectile dysfunction.
Can a patient waive HIPAA protections? And if so, would that allow for the blanket disclosure of health information?
Yes, a patient can waive HIPAA, but it would not be a blanket disclosure. You can also ask that your health care provider not share things with certain people, like your health insurance company if you are paying for your own medical care.
Does HIPAA apply differently to the president of the United States and a White House physician?
I don't believe so.
One of the unanswered questions is when President Trump last tested negative for COVID-19. Would HIPAA prevent the White House from disclosing when Trump's last negative test was?
HIPAA rules do not apply to the White House — it is not a health care provider, health insurance company, nursing home or any of the other covered entities.
[White House press secretary] Kayleigh McEnany cannot say, "HIPAA prevents me from sharing that information." However, the president's doctor could say, "HIPAA prevents me from disclosing that information."
Does HIPAA prohibit the White House or the press from revealing the name of a person who has tested positive for COVID-19?
No, that is not how HIPAA works.
What is the punishment for violating HIPAA?
There are fines that can be levied in varying amounts — in some cases they are in the millions — and in some cases possible prison time. Much of the time, the provider enters an agreement with HHS to change a practice or system and becomes HIPAA compliant to make sure they are protecting a patient's private medical information.