Asking someone about their COVID-19 vaccination status can be a touchy subject. While some are happy to chat about being vaccinated, others want to keep that information private.

Some, including Georgia congresswoman Marjorie Taylor Greene, have claimed that being asked about their vaccination status is a HIPAA violation. But others have said that’s not actually true.

So what’s really going on here? Read on for what you need to know.

What is HIPAA, again?

You’re probably familiar with HIPAA on some level, or have at least had to sign a form about HIPAA compliance when you’ve gone to your doctor’s office. But most people are fuzzy on the specifics of the law.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge, the Centers for Disease Control and Prevention (CDC) explains. There are some other elements to it, including the HIPAA Privacy Rule, which implements the requirements of HIPAA, and the HIPAA Security Rule, which protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards are what most people are concerned with. They address the use and disclosure of your health information—aka your “protected health information”—by entities that are subject to the Privacy Rule. These people or organizations are called “covered entities,” and they include health plans, health care clearinghouses, and health care providers, according to the U.S. Department of Health and Human Services.

The Privacy Rule also has standards for your right to understand and control how your health information is used. Basically, the goal is to help make sure that your health information is properly protected, while allowing for the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. So, your doctor talking to your local pharmacist about a medication prescribed for you is not a HIPAA violation when you sign forms allowing for it, but your doctor disclosing details about your health condition to their friends at happy hour—and using your name—is.

The Security Rule essentially means that covered entities need to work hard to protect your private health care data.

What does HIPAA do?

As a whole, HIPAA helps protect your personal health care information under certain circumstances and situations. (Note the italics: That’s going to come up later.)

“HIPAA is important because it protects all of us from someone knowing personal medical information that we might want to keep private,” Gloria Bachmann, MD, associate dean of women’s health and director of the Women’s Health Institute at the Rutgers Robert Wood Johnson Medical School, tells Health. It keeps your doctor from calling up your work and telling your boss that you’re pregnant, you have diabetes, or that you’re being treated for diabetes. (Not that your doctor would do that anyway, but you get the point.)

So, is it a HIPAA violation to be asked if you’ve been vaccinated?

Nope. “It is not a violation of federal law for an employer to ask an employee about their vaccination status,” Larry Stuart, an employment lawyer in the Houston-based law firm Stuart PC and an adjunct professor at the Jones Graduate School of Business at Rice University, tells Health. The same goes for businesses and their patrons.

“[HIPAA] in no way prohibits business owners and other individuals from asking people if they have been vaccinated,” Alan Meisel, a professor of law and bioethics at the University of Pittsburgh, told USA Today via email. “In fact, it doesn’t even prohibit health care entities mentioned above from asking people if they have been vaccinated.”

The US Equal Employment Opportunity Commission (EEOC), too, which administers and enforces laws against workplace discrimination, “has taken the position that an employer can ask that question lawfully, and require an answer to it,” Stuart says.

Things get a little trickier when it comes to a business or employer asking why someone is not vaccinated. “If someone has a medical disability that would prevent them from getting vaccinated, they may need to be accommodated by the American Disabilities Act,” Stuart says. And, if a person has a religious exemption, that may also need to be accommodated.

All of that said, none of this is even covered under HIPAA. “That only applies if a doctor has personal health information and discloses it,” Stuart says. “It’s not covered by HIPAA if an employer asks for your vaccination status.” If your employer asked your doctor for the information, though, it would be information protected by HIPAA.

That said, just because someone asks about your vaccination status, it doesn’t mean you have to disclose it to them. But in that situation—say, if a business asks if you’re vaccinated because they require it for entry—that business is well within its rights to deny you entry, should you refuse to disclose your vaccination status.

Basically, the bottom line here: It’s not a violation of HIPAA for any employer or business to ask if you’ve been vaccinated—and while you don’t have to divulge that information, be prepared to be denied entry to a store or workplace, if you choose not to.

The information in this story is accurate as of press time. However, as the situation surrounding COVID-19 continues to evolve, it’s possible that some data have changed since publication. While Health is trying to keep our stories as up-to-date as possible, we also encourage readers to stay informed on news and recommendations for their own communities by using the CDC, WHO, and their local public health department as resources.


This post, Is It a HIPAA Violation to Ask About a COVID Vaccine? Here’s What Experts Say, was first shared on Health.com (part of the Meredith Health Group), on May 27, 2021.
