Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsIs It a HIPAA Violation to Ask About the COVID-19 Vaccine?
Vials of the COVID-19 vaccine.
NEWS AND COMMENTARY

Is It a HIPAA Violation to Ask About the COVID-19 Vaccine?

March 9, 2022 | Purdue Global Law School

Some public figures have refused to discuss their COVID-19 vaccine status, stating that the information is protected by the Health Insurance Portability and Accountability Act (HIPAA). People on social media have complained that HIPAA prohibits employers, retailers, and others from requesting information on vaccine status.

HIPAA is designed to protect patients from the unauthorized disclosure of sensitive medical information. However, HIPAA does not prohibit individuals and entities from asking whether someone has received the vaccine.

What Is HIPAA?

HIPAA is a vast law consisting of five titles. Title I provides for health insurance portability, prohibiting insurers from excluding coverage for preexisting conditions for individuals covered by another creditable health plan for at least 12 months, with no gaps greater than 63 days. Title III governs the pre-tax amount individuals may place in health care savings accounts, and Title IV provides greater detail about insurance reform requirements. Title V governs tax deductions employers may take on company-owned insurance plans.

Title II is broken into three primary subsections: Preventing Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform. The Administrative Simplification section is designed to increase efficiency within the health care system by promoting the widespread use of electronic data interchange (EDI). It requires national identifiers for health plans, health care providers, and employers, and standardized formats for electronic transactions. It also addresses the privacy and security of health data.

To Whom Does HIPAA Apply?

Given its broad scope, HIPAA applies to most health insurance providers, employers who offer health insurance plans, and covered workers. However, the Administrative Simplification section applies specifically to “Covered Entities,” defined as:

  • a health insurance plan

  • a health care clearinghouse

  • a health care provider who transmits protected health information

It may also apply to “Business Associates” of Covered Entities who handle protected health information or provide related services. Although the rules emphasize data that is stored or transmitted electronically, “protected health information” includes personally identifiable information that is maintained or transmitted in any form. Therefore, verbal and paper-based information is protected. Covered Entities and Business Associates may maintain, use, and disclose protected health information only as permitted by the HIPAA Privacy Rule.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule (45 CFR § 160 and 45 CFR § 164 Subpart A and Subpart E) allows for the use and disclosure of protected health information:

  • to the individual or that person’s representative,

  • for treatment, payment, or other permitted purposes, and

  • in ways that are incident to permitted purposes.

Covered Entities must get the individual’s consent for other uses and disclosures, such as to a family member, friend, or other third parties. However, the individual’s consent is not required for public health activities, law enforcement, and other purposes authorized or required by law. In an emergency, Covered Entities must exercise judgment as to whether the use or disclosure is in the individual’s best interest.

In all instances, Covered Entities must remain strictly within the confines of the authorization or consent and ensure that Business Associates comply with all requirements. All contracts between Covered Entities and Business Associates should cover these limitations.

The Covered Entity should provide individuals with notice in clearly written language of how protected health information is used and disclosed. Under most circumstances, individuals have a right to access and obtain a copy of their protected health information. A Covered Entity is not required to agree to further restrictions on the use and disclosure of protected health information, but if it enters into such an agreement, it must comply with the terms.

Why Doesn’t HIPAA Apply to Questions about Vaccine Status?

Despite persistent myths to the contrary, HIPAA does not prohibit questions about an individual’s vaccine status. The HIPAA Privacy Rule covers the use and disclosure of sensitive information by health care providers and other Covered Entities. It does not restrict anyone from asking for information.

The HIPAA Privacy Rule applies only to Covered Entities and, to a certain extent, Business Associates. Therefore, individuals, employers, schools, retailers, and other businesses may ask an individual whether he or she is vaccinated. Individuals may ask doctors, service providers, coworkers, and others whether they are vaccinated. Of course, individuals may always disclose their own health information.

Even Covered Entities and Business Associates may ask employees, patients, visitors, and others whether they have received the vaccine. The HIPAA Privacy Rule generally prohibits Covered Entities from disclosing that information, but there are a number of exceptions. For example, a pharmacy that administers vaccines may disclose that information to health authorities, and a clinician may disclose information about vaccine product defects and adverse events to the Food and Drug Administration.

Employment records are not covered by the HIPAA Privacy Rule. Employers, including Covered Entities and Business Associates, may require employees to disclose their vaccine status and even provide proof. However, employers should not ask why an employee is not vaccinated, as that inquiry might require the employee to disclose disability-related information governed by the Americans with Disabilities Act (ADA). Additionally, the ADA and many state privacy laws require employers to keep employee medical records, including vaccine status, confidential.

State Laws Confuse the Issue

Some states have enacted laws restricting whether a business may ask about vaccine status. Some state bans on vaccine passports or other proof of vaccine status apply only to state agencies, and others include publicly funded organizations and businesses that provide state-contracted services. Florida’s ban includes private businesses, but not in the employment context.

So, while inquiring about vaccine status does not violate federal HIPAA laws, you may need to look at both state and federal rules to determine whether asking about vaccine status is permitted where you live.

Take Health Law Classes Online With Purdue Global Law School

In addition to its licensure-based Juris Doctor program, Purdue Global Law School offers an Executive Juris Doctor (EJD) program, which is designed for those who wish to develop advanced legal knowledge and skills without becoming a lawyer. The EJD program offers specializations in health law as well as law and technology, and individual online classes are also available. Classes include:

  • Cybersecurity Law

  • ADR and Technology

  • Health Law

  • Medical Malpractice/Professional Liability

  • Medical Products Liability

  • Risk Management in Health Care

See our list of single law courses, and request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

JD Program: Study at, or graduation from, this law school may not qualify a student to take the bar examination or be admitted to practice law in jurisdictions other than California. A student who intends to seek admission to practice law in a jurisdiction other than California should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence. 

EJD Program: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student who intends to seek admission to practice law should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.