Is it a HIPAA violation to ask someone for COVID-19 vaccination status?
Key points to remember
- Asking someone for their COVID-19 vaccination status does not violate HIPAA law.
- There would only be a violation of HIPAA if the covered entities, who are required to adhere to its privacy standards and guidelines, disclosed vaccination status without authorization.
- Whether you want to share your COVID-19 vaccination status or not is always up to you.
Now that fully vaccinated people no longer need to wear face masks or practice physical distancing in most settings, many companies are asking customers about their COVID-19 vaccination status before allowing entry or to allow them not to wear a mask. However, some people claim that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibits companies from doing this, which is totally false.
This misconception is dangerous because it could potentially mislead people who do not fully understand what HIPAA really entails. To understand why asking someone for immunization status isn’t a violation of privacy, it’s crucial to know what kind of information is protected by HIPAA, which entities are required to follow its rules, and what kind of circumstances. in which this protection applies.
What is HIPAA?
HIPAA is federal law that aims to protect your privacy by restricting how sensitive information about your health can be used or disclosed. It also gives you the right to examine and obtain a copy of your medical record.
“When people refer to HIPAA, they are generally referring to the privacy rule produced by the HHS pursuant to authorization from Congress through the law itself,” James G. Hodge, Jr., JD, LLM, director of the Center for Public Health Law and Policy at Arizona State University, says Verywell. âTo this end, the HIPAA privacy rule provides extensive privacy standards and protections for identifiable health information held by covered entities.â
Contrary to popular belief, HIPAA does not protect all kinds of information in all situations. In addition, not all people and organizations are required to comply.
Only certain people and organizations with access to your health information are subject to the HIPAA privacy rule, such as:
- Health care providers, such as primary care providers, specialist doctors or psychologists
- Health plans, such as health insurance companies or health maintenance organizations (HMOs)
- Health care information clearinghouses, which include public or private entities that process non-standard health information
- Business associates of covered entities who assist them in performing their healthcare business and functions, such as medical transcriptionists or consultants
The responsibility for protecting protected health information rests with these entities alone, Michael S. Sinha, MD, JD, MPH, an adjunct professor at the North East University School of Law and a visiting scholar at the NUSL Center for Health Policy and Law, Verywell said. If an entity is not covered by HIPAA, it does not have to comply with its privacy standards.
Protected health information (PHI)
Covered entities regularly collect and use health information to provide health care. These recordings are protected by HIPAA law, which includes:
- Personal information, such as your name, address, social security number, beneficiary member of the health plan, telephone numbers or photographic images
- Medical records, clinical case notes, test results, diagnoses or prescriptions
- Insurance Information
- Medical management record systems maintained by or for a health plan
- Billing and payment records
âHIPAA only protects certain types of information in some health care facilities, not all information in all facilities,â says Sinha. Vaccination information and vaccination cards may be classified as PHI, but asking for someone’s status does not automatically result in a violation of HIPAA law.
Is it a violation of HIPAA law to ask for someone’s immunization status?
“Ask for the [vaccination] the status is not in itself a violation of HIPAA since no PHI has been disclosed â, Jonathan Ishee, JD, MPH, MS, LLM, assistant professor of biomedical informatics at the University of Texas, tells VeryWell. A breach would only occur if a Covered Entity disclosed PHI to an unauthorized person without your consent.
Anyone can ask your health care provider for your immunization status, but it would only be a violation if they disclosed it without permission. When uncovered entities such as family or friends ask you directly for your status, it is not a violation. You are also authorized to disclose this information yourself.
âAmericans often think that the HIPAA privacy rule protects the privacy of their health data in many contexts in which it does not apply,â Hodge said. âIf you tell your neighbor about your COVID-19 vaccine status, the rule does not apply. If you talk to your employer about it, again, the Rule does not apply directly.
Michael S. Sinha, MD, JD, MPH
HIPAA is not something that an individual can attempt to use as a shield if employers or schools ask about vaccination status. It’s a handy and often misspelled buzzword, but it has no relevance in this context.
– Michael S. Sinha, MD, JD, MPH
Another point to remember is that HIPAA doesn’t stop businesses, businesses, schools, or airlines from asking if you’ve been vaccinated or not. If they ask you for your immunization status before allowing you to enter a facility, attend classes or come to work in person, or even book a flight, that’s not a violation. Whether you want to share this information is always up to you.
âEmployers have the right to ask employees for their immunization status or to require proof of vaccination as a condition of continued employment,â said Sinha. âLikewise, colleges and universities may require proof of vaccination for faculty, staff and students. This means that a person can lose their job or their admission to college if they refuse to disclose their immunization status. HIPAA has no role in this information exchange.
What it means for you
If someone asks you about your COVID-19 vaccine status, it is not a violation of HIPAA law. HIPAA only protects the use or disclosure of certain health information by Covered Entities. Businesses, schools, airlines or other institutions have every right to ask you if you have been vaccinated or not, and it is always up to you to disclose it.
Under what circumstances will there be a violation of HIPAA law?
There would only be a violation of HIPAA if a covered entity disclosed an individual’s immunization status to an uncovered entity without their authorization. For example, a health care provider is not allowed to disclose a person’s immunization status to their employer without their consent.
âIf a doctor informs the media about his famous patient’s COVID vaccine status, without the patient’s written permission, a violation has likely occurred,â Hodge said. âIf a media website provides the same information about a celebrity, no violation of the HIPAA privacy rule has arisen because the media website is not a ‘covered entity’ under the rule. The site may have violated other privacy standards, whether statutory, regulatory or judicial, but not the privacy rule itself.
In certain situations that benefit the public good, such as legal and administrative proceedings, essential government functions, or public health activities, covered entities may use or disclose PHI to an uncovered entity without authorization. If they share someone’s immunization status with an unauthorized person (a friend, neighbor, or coworker) outside of these permitted disclosures, it is likely a violation of HIPAA law.
âWhile the HIPAA privacy rule provides a solid foundation for privacy protections in healthcare settings, it does not provide fail-safe privacy protections outside of these specific settings,â Hodge said.
During this COVID-19 pandemic, it’s understandable to feel the need to protect your privacy and health information. However, keep in mind that the HIPAA law does not prevent anyone from educating you about your immunization status, as it does not violate medical confidentiality or individual rights. You can always refuse to disclose your immunization status.
âHIPAA is not something that an individual can attempt to use as a shield if employers or schools ask about vaccination status,â Sinha said. “It’s a practical and often misspelled buzzword, but it has no relevance in this context.”
The information in this article is current as of the date shown, which means more recent information may be available as you read this. For the most recent updates on COVID-19, visit our coronavirus news page.