Some public figures have refused to discuss their COVID-19 vaccine status, stating that the information is protected by the Health Insurance Portability and Accountability Act (HIPAA). People on social media have complained that HIPAA prohibits employers, retailers, and others from requesting information on vaccine status.
HIPAA is designed to protect patients from the unauthorized disclosure of sensitive medical information. However, HIPAA does not prohibit individuals and entities from asking whether someone has received the vaccine.
What Is HIPAA?
HIPAA is a vast law consisting of five titles. Title I provides for health insurance portability, prohibiting insurers from excluding coverage for preexisting conditions for individuals covered by another creditable health plan for at least 12 months, with no gaps greater than 63 days. Title III governs the pre-tax amount individuals may place in health care savings accounts, and Title IV provides greater detail about insurance reform requirements. Title V governs tax deductions employers may take on company-owned insurance plans.
Title II is broken into three primary subsections: Preventing Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform. The Administrative Simplification section is designed to increase efficiency within the health care system by promoting the widespread use of electronic data interchange (EDI). It requires national identifiers for health plans, health care providers, and employers, and standardized formats for electronic transactions. It also addresses the privacy and security of health data.
To Whom Does HIPAA Apply?
Given its broad scope, HIPAA applies to most health insurance providers, employers who offer health insurance plans, and covered workers. However, the Administrative Simplification section applies specifically to “Covered Entities,” defined as:
- a health insurance plan
- a health care clearinghouse
- a health care provider who transmits protected health information
It may also apply to “Business Associates” of Covered Entities who handle protected health information or provide related services. Although the rules emphasize data that is stored or transmitted electronically, “protected health information” includes personally identifiable information that is maintained or transmitted in any form. Therefore, verbal and paper-based information is protected. Covered Entities and Business Associates may maintain, use, and disclose protected health information only as permitted by the HIPAA Privacy Rule.
What Is the HIPAA Privacy Rule?
The HIPAA Privacy Rule (45 CFR § 160 and 45 CFR § 164 Subpart A and Subpart E) allows for the use and disclosure of protected health information:
- to the individual or that person’s representative,
- for treatment, payment, or other permitted purposes, and
- in ways that are incident to permitted purposes.
Covered Entities must get the individual’s consent for other uses and disclosures, such as to a family member, friend, or other third parties. However, the individual’s consent is not required for public health activities, law enforcement, and other purposes authorized or required by law. In an emergency, Covered Entities must exercise judgment as to whether the use or disclosure is in the individual’s best interest.
In all instances, Covered Entities must remain strictly within the confines of the authorization or consent and ensure that Business Associates comply with all requirements. All contracts between Covered Entities and Business Associates should cover these limitations.
The Covered Entity should provide individuals with notice in clearly written language of how protected health information is used and disclosed. Under most circumstances, individuals have a right to access and obtain a copy of their protected health information. A Covered Entity is not required to agree to further restrictions on the use and disclosure of protected health information, but if it enters into such an agreement, it must comply with the terms.
Why Doesn’t HIPAA Apply to Questions about Vaccine Status?
Despite persistent myths to the contrary, HIPAA does not prohibit questions about an individual’s vaccine status. The HIPAA Privacy Rule covers the use and disclosure of sensitive information by health care providers and other Covered Entities. It does not restrict anyone from asking for information.
The HIPAA Privacy Rule applies only to Covered Entities and, to a certain extent, Business Associates. Therefore, individuals, employers, schools, retailers, and other businesses may ask an individual whether he or she is vaccinated. Individuals may ask doctors, service providers, coworkers, and others whether they are vaccinated. Of course, individuals may always disclose their own health information.
Even Covered Entities and Business Associates may ask employees, patients, visitors, and others whether they have received the vaccine. The HIPAA Privacy Rule generally prohibits Covered Entities from disclosing that information, but there are a number of exceptions. For example, a pharmacy that administers vaccines may disclose that information to health authorities, and a clinician may disclose information about vaccine product defects and adverse events to the Food and Drug Administration.
Employment records are not covered by the HIPAA Privacy Rule. Employers, including Covered Entities and Business Associates, may require employees to disclose their vaccine status and even provide proof. However, employers should not ask why an employee is not vaccinated, as that inquiry might require the employee to disclose disability-related information governed by the Americans with Disabilities Act (ADA). Additionally, the ADA and many state privacy laws require employers to keep employee medical records, including vaccine status, confidential.
State Laws Confuse the Issue
Some states have enacted laws restricting whether a business may ask about vaccine status. Some state bans on vaccine passports or other proof of vaccine status apply only to state agencies, and others include publicly funded organizations and businesses that provide state-contracted services. Florida’s ban includes private businesses, but not in the employment context.
So, while inquiring about vaccine status does not violate federal HIPAA laws, you may need to look at both state and federal rules to determine whether asking about vaccine status is permitted where you live.
Take Health Law Classes Online With Concord Law School
In addition to its licensure-based Juris Doctor program, Concord Law School offers an Executive Juris Doctor (EJD) program, which is designed for those who wish to develop advanced legal knowledge and skills without becoming a lawyer.* The EJD program offers specializations in health law as well as law and technology, and individual online classes are also available. Classes include:
- Cybersecurity Law
- ADR and Technology
- Health Law
- Medical Malpractice/Professional Liability
- Medical Products Liability
- Risk Management in Health Care