Under HIPAA rules, can businesses ask you if you’ve been vaccinated against COVID-19?
As more people get vaccinated in the United States against COVID-19, mask-wearing and social distancing guidelines have become more relaxed. In mid-May 2021, the Centers for Disease Control and Prevention (CDC) announced that fully vaccinated people can be maskless in most spaces, along with a number of warnings that have confused the public. health experts.
Questions have arisen over whether companies can ask customers if they’ve been vaccinated against COVID-19, particularly if it violates privacy laws surrounding the disclosure of its information. health.
Numerous complaints and questions have been posted online about the role the Health Insurance Portability and Accountability Act (HIPAA) would play in sharing information about a client’s immunization status. Lawmakers like Republican Marjorie Taylor Greene have even said asking people for their vaccination status violates HIPAA’s privacy rule.
Serious question: Is HIPAA not a thing anymore?
– Patty Girl ð ð (@PerspicaciousXY) May 13, 2021
We have learned that this is not the case. Businesses don’t violate HIPAA regulations by asking customers if they are vaccinated or not.
According to the CDC, the HIPAA Privacy Rule “established a set of national standards to address the use and disclosure of individual health information – called ‘protected health information’ – by organizations. subject to the rule of confidentiality – also known as “ covered entities’ ‘as standards for individuals’ right to privacy to understand and control how their health information is used. Basically, HIPAA laws govern how some entities handle private patient health information.
Which entities are subject to HIPAA privacy rules? According to the Department of Health and Human Services (HHS), they are:
- Health care providers (including doctors, clinics, psychologists, dentists, chiropractors, nursing homes or pharmacies)
- Health plans (including health insurance companies, HMOs, corporate health plans, and government programs that pay for health care, such as Medicare, Medicaid, and military and military health care programs. Veterans)
- Health Care Information Clearing-House (including entities that process non-standard health information they receive from another entity into a standard (i.e. a standard electronic format or data content), or vice versa.)
Private businesses like restaurants or grocery stores are not subject to HIPAA rules, so they can ask customers who enter their vaccination status.
Health experts at the University of Michigan School of Medicine have explained the misinformation surrounding HIPAA. Health law researcher Kayte Spector-Bagdady said: âVery few people really understand what this means. They think it provides full privacy protections for health information at all times, which it just doesn’t. HIPAA only governs certain types of entities – your clinician, hospital, or others in the healthcare field. It does not apply to the average person or a business outside of healthcare. This does not offer any personal protection to a person against having to disclose their medical information. “
Spector-Baghdady added that this could affect the way individuals receive services, saying: âInstitutions rarely have the right to require that you actually be vaccinated, but if you want to work somewhere in particular, or if you want others to provide you with services (such as schools, or businesses, or travel), they may have the right to ask you to provide proof of vaccination first [â¦] Not only do they have the legal right, but they may also have the legal obligation to protect others. “
Individuals can choose not to disclose their immunization information, which may prevent them from entering a site. Medical historian Howard Markel also told the University of Michigan Health Blog, âYou are free to make choices about vaccination, but all of our choices have consequences. It just means that you won’t be able to go places or do things that will require you to show that you have been vaccinated. If you think it’s freedom, go for it.
So, can a company pass on the information about your vaccination?
Not if they are part of a health care “covered entity” under HIPAA. The University of Michigan Health Blog summed it up:
[â¦] if your friend shares on social media that she just got her COVID-19 vaccine and you tell someone else that you saw this post, you are not in violation of HIPAA because that you are not covered by it in the first place. Your friend may like you less, but you are not breaking the law.
But if the nurse who gave her picture to your friend took a picture of it and posted it on her own social media account without getting your friend’s signed consent, it would be a violation of HIPAA. However, nurses are trained in how to comply with the law, and they and their employers are subject to fines and public reporting if they violate HIPAA.
Companies can also apply their own restrictions. CDC guidelines also state that fully vaccinated people should always defer to local businesses: âFully vaccinated people can resume their activities without wearing a mask or taking a physical distance, except where necessary by federal, state, local, tribal or territorial laws, rules and regulations, including local businesses and advice in the workplace. So how a business responds to your immunization status, or your willingness or unwillingness to disclose it, is entirely up to the business.
Since companies can ask people about their immunization status and will not have any legal implications, we rate this statement as “True”.