Many people are confused when it comes to the rules surrounding HIPAA. We'll explain.
With vaccination rates slowing, COVID-19 infections are climbing because of the delta variant. To check the spread of the virus, health care officials and business owners are doing everything from going door to door to talk to people about getting vaccinated to requiring proof of vaccination to enter a business or return to work. One question you may hear increasingly from employers, health care workers -- maybe even family members and friends -- is, "Have you received the COVID-19 vaccine yet?" But can someone legally ask you about your vaccine status? Or is that a violation of your Health Insurance Portability and Accountability Act rights?
Confusion over what HIPAA does and doesn't cover may have been contributed to by some public figures. When asked about his COVID-19 vaccination status, for instance, Dallas Cowboys' quarterback Dak Prescott said, "I think that's HIPAA." US Representative Marjorie Taylor Greene also responded to questions about whether she's been vaccinated as "a violation of my HIPAA rights." However, both are incorrect.
We'll explain what the HIPAA law is, what it does and doesn't protect, and if someone can ask you about your vaccine status. For more vaccine details, here's what you need to know about COVID-19 breakthrough infections for fully vaccinated people. This information comes from the Centers for Disease Control and Prevention and the US Department of Health and Human Services.
Who isn't required to follow the HIPAA law?
If a business is not categorized as a covered entity as set out in the law, it's not required to follow the HIPAA rules about patient privacy. There are of course other rules that businesses, employers and schools do need to follow that protect your privacy. Here's a partial list of which organizations do not fall under HIPAA rules:
· Life insurers
· Worker compensation carriers
· Most schools and school districts
· Many state agencies such as child protective service agencies
· Most law enforcement agencies
· Many municipal offices
Is it a HIPAA violation to ask about your vaccine status?
In most cases, according to experts, no, not at all. HIPAA does not create a right to refuse to disclose health information if requested by an employer or a business -- or in the case of Prescott or Greene, if asked by the media.
According to HHS, for example, it is not a HIPAA violation for your employer to ask for proof of vaccination. (It would be a violation, however, if your health care provider shared that information with your employer without your consent.) You can choose not to provide that information, but there could be consequences if you refuse to disclose your status.
What does HIPAA protect?
This is what the HIPAA law protects, according to HHS guidance:
· Information your doctors, nurses and other health care providers put in your medical record.
· Conversations your doctor has about your care or treatment with nurses and others.
· Information about you in your health insurer's computer system.
· Billing information about you at your clinic.
· Most other health information about you being held by those who must follow these laws.
What doesn't HIPAA protect?
Here's what isn't covered under HIPAA, according to the Privacy Rights Clearinghouse organization:
· Your health information in employment records.
· Your health information in education records.
· Health information for someone who's been deceased for more than 50 years.
· Information on you that has been deidentifies, meaning all personally identifiable information has been removed.