HIPAA Violation?

Now that there’s an honor system in place re: masks, the natural next question is… can we ask if someone’s vaccinated? There seems to be quite a bit of confusion around HIPAA.

HIPAA is one of the most misunderstood health laws in the country

HIPAA is the acronym for Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). It’s a federal law that was signed on August 21, 1996, which was originally intended to improve the “portability and accountability of health insurance coverage”. Basically, it was meant to ensure health insurance for employees between jobs.

In 2003, though, the “Privacy Rule” was implemented under HIPAA. This was a way to protect individuals’ medical records and other personal health information (called PHI in the research world). It’s an amendment that ensures two things:

  1. Gives people the right to access their own medical information

  2. Limits “covered entities” to access and/or share people’s medical information without consent. This includes information that relates to your past, present or future physical or mental health or condition. Here is a list of what information is protected.

Who is a “covered entity”?

There are three broad buckets:

  1. Healthcare providers (like physicians, hospitals, clinics, pharmacies)

  2. Healthcare plans (health insurance)

  3. Healthcare clearing houses (like billing companies).

No one else. An airline, business, a restaurant, and your employer are not healthcare providers.

Also, HIPAA does NOT…

  1. Protect medical information that a patient shares about themselves.

  2. Give someone personal protection against ever having to disclose their health information.

  3. Include a comprehensive list of privacy protections for health information in all circumstances.

Kayte Spector-Bagdady, a lawyer and bioethicist who is also Associate Director at the University of Michigan’s Center for Bioethics and Social Sciences in Medicine, said it best:

“People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer. But not answering health questions might come at a cost – such as not being able to enter your workplace or board a plane.”

So, yes, the majority of businesses CAN ask about your vaccination status.

I consult for quite a few businesses. And I strongly encourage them to ask about vaccination status if they do not universally enforce masks indoors. At least for now. This helps protect employees. This helps protect the unvaccinated (whether they want it or not). This helps protect our healthcare systems (because, yes, we can have another surge). And this helps protect the vaccinated without full protection (like immunocompromised).

I strongly encourage you to ask businesses to do the same.

Love, YLE