No, Asking For Proof Of Vaccination Is Not A HIPAA Violation

No, Asking For Proof Of Vaccination Is Not A HIPAA Violation

Oregon VA Hospital Administers COVID-19 Vaccine To Staff
Scary Mommy and Nathan Howard/Getty

On May 13, the CDC (somewhat abruptly) issued new guidance for vaccinated folks. They wrote that vaccinated individuals no longer need to wear a mask in outdoor or indoor settings, except in hospitals, on public transit and unless required by state, local, or private mandates.

The new guidance came as a surprise for most of us, who assumed masks would be the last of the pandemic public health mandates to be lifted. The new guidance was met with an equal amount of hope (because it signals that the pandemic is nearing an end) and confusion. Confusion because the guidance doesn’t recommend how to determine whether someone’s been vaccinated.

Businesses that don’t want to rely on the honor system may begin to consider asking employees and customers for proof. Enter discussions about HIPAA. Folks who don’t want to disclose their vaccination status are quick to point to HIPAA. They’re wrong. Asking for proof of COVID vaccination is not a HIPAA violation.

What Is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It’s a federal law that was signed in 1996. Arguably, it’s one of the most misunderstood health laws in our country.

Originally, its purpose was to secure health insurance for employees when they were between jobs. In 2003, the Privacy Rule was put into effect. This rule does two things. One, it gives people the right to access their own medical information. And, two, it limits covered entities’ ability to access and share other people’s medical information without consent.

HIPAA Applies To Covered Entities Only

HIPAA prevents a covered entity from accessing or sharing your medical information without consent. Covered entities include health care providers, healthcare plans, and healthcare clearing houses (like billing companies), according to Katelyn Jetelina, who holds a Masters in Public Health and a PhD in Epidemiology and Biostatistics.

HIPAA is not a comprehensive privacy law. It applies to a very specifically defined subset of healthcare providers and folks who work in the healthcare space. Airplanes, grocery stores, your favorite restaurants are not covered entities and therefore not subject to HIPAA laws.

Kayte Spector-Bagdady, a medical ethics researcher at the University of Michigan confirmed as much. She wrote, HIPAA “does not apply to the average person or to a business outside health care. It doesn’t give someone personal protection against ever having to disclose their health information.”

Proof Of Vaccination Is Not A New Concept

MediaNews Group/Reading Eagle/Getty

HIPAA does not protect someone from ever having to disclose their personal medical information. That includes disclosing whether they’ve been vaccinated. Institutions can and often do require proof of vaccination before allowing admission.

Spector-Bagdady notes that, “Institutions rarely have the right to require that you actually get vaccinated, but if you want to work somewhere in particular, or want others to provide you services (such as schools, or businesses, or travel), they might have the right to ask you to provide proof of vaccination first.”

That’s why schools can require kindergarteners to show proof of vaccination before beginning school, why international travelers are required to show proof of vaccination to board plans to exotic locations, and why college students are required to show proof to live in a dorm.

A Legal Obligation To Protect Others

More than simply being permitted to ask for vaccination status, Spector-Bagdady writes that some institutions may even have a “legal obligation to protect others.”

Jetelina, who writes as Your Local Epidemiologist, even encourages businesses to ask for proof of vaccination. She notes that doing so protects employees, the unvaccinated, and the immunocompromised, as well as the healthcare system itself from another surge.

Other Privacy Laws

Asking for proof of vaccination does not violate HIPAA, nor does it violate the Fourth Amendment or the 1964 Civil Rights Act. The Fourth Amendment, which protects folks from unreasonable search and seizure, applies only to the federal government. It does not apply to private businesses.

Likewise, neither the Americans With Disabilities Act nor the 1964 Civil Rights Act would prevent a business from asking a customer or employee about their vaccination status.  The U.S. Equal Employment Opportunity Commission has confirmed that. In their guidance, the EEOC wrote, “Simply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.”

Businesses that ask for proof may be subject to other federal privacy laws, according to Carmen Roe, a legal analyst for KHOU. These laws have not yet been tested in courts in the way vaccination status would test them, and the result is unclear.

When businesses require proof of vaccination they are not requiring you to vaccinate. The choice to vaccinate or not is still yours. They are simply putting limits on what you can do in their space. Howard Markel, M.D., Ph.D., Director of the Center for the History of Medicine at the University of Michigan, explains it like this: “You are free to make choices about vaccination, but all of our choices have consequences. It simply means you won’t be able to go places or do things that will require you to show you’ve been vaccinated.”

The COVID-19 vaccines are our path out of this pandemic. But they only work if they’re used–shots in arms. With mask mandates disappearing, it’s even more important that the unmasked person beside you in line is vaccinated, too. Businesses want to protect their employees and customers. In terms of requiring proof of vaccination as a way to provide that protection, HIPAA won’t stand in their way.