What HIPAA does and doesn't protect against when it comes to vaccine questions
Many people are confused when it comes to the rules surrounding HIPAA. We'll help explain.
With vaccination rates slowing, COVID-19 infections are climbing because of the delta variant. To check the spread of the virus, health care officials and business owners are doing everything from going door to door to talk to people about getting vaccinated to requiring proof of vaccination to enter a business or return to work. One question you may hear increasingly from employers, health care workers -- maybe even family members and friends -- is, "Have you received the COVID-19 vaccine yet?" But can someone legally ask you about your vaccine status? Or is that a violation of your Health Insurance Portability and Accountability Act rights?
Confusion among some public figures over what HIPAA does and doesn't cover has helped shed some light on the question. When asked about his COVID-19 vaccination status, for instance, Dallas Cowboys quarterback Dak Prescott said, "I think that's HIPAA." US Representative Marjorie Taylor Greene also responded to questions about whether she's been vaccinated by calling them "a violation of my HIPAA rights." However, both are incorrect.
We'll explain what the HIPAA law is, what it does and doesn't protect, and whether someone can ask you about your vaccine status. This information comes from the Centers for Disease Control and Prevention and the US Department of Health and Human Services.
What is the HIPAA law?
HIPAA is a federal law that was created to protect sensitive patient health information from being disclosed without the patient's consent or knowledge, according to the Centers for Disease Control and Prevention. It was signed into law in 1996 by former President Bill Clinton as patient details were going electronic.
The law established the HIPAA Privacy Rule, which was issued by the Department of Health and Human Services (HHS) and sets up protections around a person's medical records and sensitive health information. And it gives a patient rights over their health information -- for instance, you have the right to examine and obtain a copy of your own health record.
As defined under the law, health care providers such as doctors and clinics, dentists, health insurance companies, and health care clearinghouses -- what the law calls "covered entities" -- must follow the rules for guarding patient information.
Who isn't required to follow the HIPAA law?
If a business is not categorized as a covered entity as set out in the law, it is not required to follow the HIPAA rules around patient privacy. There are of course other rules that businesses, employers and schools need to follow that protect your privacy. Here's a partial list of which organizations do not fall under HIPAA rules.
- Life insurers
- Workers' compensation carriers
- Most schools and school districts
- Many state agencies such as child protective service agencies
- Most law enforcement agencies
- Many municipal offices
Is it a HIPAA violation to ask about your vaccine status?
In most cases, according to experts, not at all. HIPAA does not give you a right to refuse to disclose health information when an employer or a business requests it -- or, in the case of Prescott or Greene, when the media asks.
According to the HHS, for example, it is not a HIPAA violation for your employer to ask for proof of vaccination. (It would be a violation, however, if your health care provider shared that information with your employer without your consent.) You can of course choose not to provide that information, but there could be consequences if you refuse to disclose your status.
What does HIPAA protect?
This is what the HIPAA law protects, according to the HHS:
- Information your doctors, nurses, and other health care providers put in your medical record.
- Conversations your doctor has about your care or treatment with nurses and others.
- Information about you in your health insurer's computer system.
- Billing information about you at your clinic.
- Most other health information about you being held by those who must follow these laws.
What doesn't HIPAA protect?
Here's what isn't covered under HIPAA, according to the Privacy Rights Clearinghouse organization:
- Your health information in employment records.
- Your health information in education records.
- Health information for someone who's been deceased for more than 50 years.
- Information on you that has been de-identified, where all personally identifiable information has been removed.