Do Vaccination Status Questions Violate HIPAA
Especially in light of the potential and emerging COVID-19 vaccination mandates, there has been a lot of chatter about HIPAA and what constitutes a violation of it. Although HIPAA was signed into law in 1996 and everyone has had to sign forms about it at the doctor's office, there is still a great deal of confusion and uncertainty about what exactly the law covers and what actions are considered violations of it.
Let's answer some of the common questions below:
Experts Say HIPAA Does Not Cover Vaccination Questions
USA TODAY debunked a similar version of this claim last summer, when mask opponents encouraged others to claim HIPAA allowed them to avoid mask mandates.
Alan Meisel, a professor of law and bioethics at the University of Pittsburgh, told USA TODAY at the time that HIPAA's rules apply only to sharing information between “covered entities.” The U.S. Department of Health and Human Services describes covered entities as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
Meisel said the claim that HIPAA protected people from being asked about their vaccine status is utter nonsense.
"It in no way prohibits business owners and other individuals from asking people if they have been vaccinated," he wrote in an email to USA TODAY. In fact, it doesn't even prohibit healthcare entities mentioned above from asking people if they have been vaccinated.
Georgetown University law professor Lawrence Gostin agreed, saying, “Non-health care businesses are not subject to HIPAA.”
While businesses and individuals maintain the right to ask others for vaccination status, that does not mean anyone has to provide that information.
In short, HIPAA doesn’t have any effect outside a health care setting.
HIPAA And Business Service Refusal
As businesses resume normal operations, some specify that unvaccinated individuals must continue to wear masks or use alternate methods to receive service. Some may require proof of vaccination to attend special events on their premises.
But the question on the minds of many Americans is, "Can a business really refuse me service if I don't provide proof of a COVID-19 vaccine?"
HIPAA does not apply to most businesses, so they may ask about your vaccination status. They may also require you to provide proof that you received your COVID-19 vaccine.
Due to other laws, such as the Americans with Disabilities Act, businesses cannot outright refuse to serve you. If you cannot provide proof of a COVID-19 vaccine, the business must provide some accommodations.
Since the beginning of mask mandates and social distancing requirements in 2020, businesses have created ways to safely serve individuals while minimizing contact. The positive reception to these actions has prompted many businesses to keep these options available, even as restrictions ease.
A grocery store may offer curbside pickup, or a restaurant may offer delivery. Retail stores request that you continue to wear a mask. These are all reasonable accommodations for people who cannot provide proof of a COVID-19 vaccination.
If Someone Asks To See Proof You've Been Vaccinated Against Covid Is It A HIPAA Violation
HIPAA only applies to entities within the healthcare field and it does not prohibit asking questions about someone’s health.
“People just generally think that HIPAA protects all health information at any time for any purpose whatsoever, no matter who is involved. And that’s absolutely not true,” Deven McGraw, cofounder of consumer health technology company Ciitizen, recently told NPR.
“It does not cover restaurants. It does not cover stores. It does not cover your employer,” she said. “And it doesn’t cover you personally.”
What This Means For You

If someone asks you about your COVID-19 vaccination status, that is not a HIPAA violation. HIPAA only protects the use or disclosure of certain health information by covered entities. Companies, schools, airlines, or other institutions are well within their rights to ask you whether you've been vaccinated or not, and it's still up to you whether you will disclose it.
What Parents Should Know About Covid
People may worry about whether it's rude or even legal to ask, and how to pose the question politely. Here's what the experts said:
"You have the legal right to do that, yes. You can ask," said Stacie Kershner, associate director of the Center for Law, Health & Society at Georgia State University in Atlanta.
It's not a HIPAA violation to ask someone; that doesn't mean they're required to answer.
The privacy rule of HIPAA, which stands for the Health Insurance Portability and Accountability Act, is really misunderstood, Kershner noted. Its scope is incredibly narrow and applies only to health care providers, health insurance plans and health clearinghouses, she added.
"A HIPAA violation would be if your doctor told other people about your vaccination status without your permission," Chandler said, "but it's not a HIPAA violation for you to ask someone directly or to voluntarily disclose that information about yourself."
Disclosure Of An Individual's Vaccine Status By A Healthcare Provider
Healthcare providers can ask if a patient has been vaccinated, as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule for treatment, payment, or healthcare operations or if authorized to do so by a patient.
Why Are Some States Introducing Their Own Laws About Proof Of Vaccination
Some states have taken the view that, because COVID vaccines do not guarantee 100% protection against the virus, proof of vaccination only demonstrates an individual is less likely to contract and transmit the virus. It is also the case nobody knows for sure how long vaccine-induced immunity lasts. Therefore, it is possible an individual with a vaccine passport can still present a risk of infection.
Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
Is Asking For Proof Of Vaccination A HIPAA Violation
After a long year of postponing and cancellations due to COVID-19, restrictions have relaxed and you're finally able to take that vacation to Hawaii. But in order to get on the plane, the airline requires that you provide proof of your vaccination.
Hey, wait a minute, isn't that a HIPAA violation?
If you're confused about what the Health Insurance Portability and Accountability Act actually entails, you're not alone. From government leaders to average citizens, many people argue that HIPAA protects you from being asked about your COVID-19 vaccination status.
However, that's not quite true. Let's take a look at COVID-19 vaccination requirements and how they relate to HIPAA rules.
Can Employers Ask For Proof Of Covid
"Doesn't that violate HIPAA?" This is a question we hear regularly from employers, businesses and individuals who are concerned that asking someone for their COVID-19 vaccination status could raise issues under the Health Insurance Portability and Accountability Act Privacy Rule. The answer is no: it is not a problem to ask and it is not a problem to require disclosure of COVID-19 vaccinated status. This is fairly clear on the face of the regulations themselves. While vaccination information is classified as health information that is generally covered by the HIPAA Privacy Rule, HIPAA generally only provides protections with respect to disclosures by covered entities and their business associates. HIPAA therefore does not apply to most employers, and does not apply when an individual employee discloses to their employer information about the employee's own health status, including COVID-19 vaccination status.
The Department of Health and Human Services has recently provided further reassurance regarding the inapplicability of HIPAA with respect to certain information about vaccination status in the form of lengthy FAQs posted to their website on September 30, 2021.
Closing The Health Privacy Law Gap
So HIPAA isn't the all-inclusive health privacy law so many people assume it is, but that mass assumption suggests that such a law is both wanted and needed. HIPAA has a lot of gaps that a privacy law can and should fill. The pandemic has only made this more apparent.
"People are fairly protective of their health information," Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, told Recode. "They just assume it would be covered because it's absurd that it's not."
Experts believe this coverage must come from comprehensive federal privacy laws that include provisions for sensitive information, like health data, or for what could be considered sensitive uses of data.
"What we need is for Congress to pass a comprehensive privacy law that sets limits on what the companies can use this data for, how long they can keep it, who they can disclose it to, and doesn't put the burden of dealing with that on the individual," Fitzgerald said. "The burden needs to be on the company that's collecting the data to protect it and to minimize its use."
Savage said people who are concerned with health privacy laws might find a more productive use of their time in contacting their legislators to advocate for the health privacy laws they believe they are entitled to.
In the meantime, well, at least we have the Federal Trade Commission, which can and has gone after apps and websites that violated their own privacy policies, including a period tracker app.
Impermissible Disclosures Of Patient Health Records
The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient on a HIPAA authorization form to receive the records before they can be released.
Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient's records are released.
What HIPAA Doesn't Do

It's important to note that medical privacy didn't begin with HIPAA, and it's not the only health privacy law out there. There are other laws that protect certain types of health information: Some states have their own stricter medical privacy laws, or things like the Americans With Disabilities Act, which mandates that employers must keep disability-related medical information about their employees confidential. And the concept of doctor-patient confidentiality has existed for a long time (it's part of the Hippocratic Oath), and that trust is a necessary part of good medical care.
"If I'm the doctor and you're the patient, you come to me, you might tell me some really secret things," Savage said. "And I need to know that to give you the right care and diagnose you properly."
At the same time, many of us freely give away our health information to all kinds of places and people who have no real legal obligation to keep that information private or secure. With the internet, there are more ways to do that than ever.
"I think generally, when you're talking about interactions with the health care system, the likelihood that they're protected by HIPAA is very strong," McGraw said. "Now, where those things break down: Obviously, if you're recording your steps on a Fitbit or you're using a nutrition app, that's not going to be covered by HIPAA."
"The protections don't cling to the data and protect it all the way downstream," McGraw said.
Why HIPAA Is So Misunderstood
Both the misspelling and the widespread belief that HIPAA confers a strict set of privacy protections to any and all health data and that everyone is subject to those laws are common and understandable mistakes: HIPAA is pronounced like "hippo" but with an "a," and most patients only come across it when signing the notice of privacy practices that the law mandates their health care providers have them sign. Plus, most people consider their health information to be very sensitive and assume their lawmakers have put the appropriate guardrails in place to keep it as private as possible. But HIPAA's privacy rules are more limited than they may realize.
"HIPAA has great branding because everyone knows it, even if they spell it wrong," Lucia Savage, chief privacy and regulatory officer at Omada Health and former chief privacy officer at HHS's Office of the National Coordinator for Health IT, told Recode. "What is not well understood is its limits. It's very specifically a law that regulates information that is collected because a person is seeking health care."
"It sure seems to have gotten worse in the Covid era, because the misinformation that's being promulgated through social media channels is wildly off-base and yet asserted with such a high level of confidence that people believe it," McGraw said.
The perception that HIPAA is solely a health privacy law that everyone is subject to has become so common that there's now a Twitter account to document it.
Know What And How To Ask
It's best to contact medical offices and service providers before any appointments to express your concerns, Gatter said. It's fine to say, for example, that you are vaccinated and wouldn't feel comfortable coming into close contact with anyone who is unvaccinated or unmasked. Then, he said, you can ask about the safety policies in place, such as vaccination and masking requirements, and how they are being enforced. Gatter also encouraged employers to inform employees about how they plan to address these questions, and ideally obtain consent from workers to publicly disclose general information about vaccination rates among staff or to make assurances that patrons won't have contact with unvaccinated individuals.
As noted earlier, you can always directly ask individuals about their vaccination status, Gatter said. Be prepared to receive versions of the following answers, he said: "yes," "no" or "I don't want to tell you."
It may be helpful, Faden said, to share your vaccination status first. When people disclose information about themselves, others will often respond in kind, she said. If someone doesn't reciprocate unprompted, I still think it is perfectly appropriate to say, "Would you be all right telling me if you've been vaccinated or not?"
Can Employers Require Employees To Be Vaccinated
No individual is required to have a vaccine, as they have the choice whether or not to be vaccinated, but there can be consequences for employees who refuse a vaccine on non-medical or non-religious grounds depending on state regulations. However, just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic. They are also within their rights to refuse entry to the workplace if a mask is not worn contrary to a workplace policy in order to protect other members of the workforce or customers.
The Civil Rights Act of 1964 requires employers to provide reasonable accommodations for employees who have strongly held religious beliefs, and the ADA requires employers to provide reasonable accommodations for employees who have an underlying disability under the Civil Rights Act of 1964. Accommodations therefore need to be made for individuals who have refused a vaccine on these grounds.
How To Ask Politely:
Gottsman recommended the following language:
For a doctor's or dentist's office: "I'm assuming that you're vaccinated and everybody in your office is vaccinated." Phrase it as an assumption that allows the person to answer, though it would be hard to believe at this stage that a medical professional would not be vaccinated, Gottsman said.
For a hair or nail salon: "I'm assuming since you're working with so many people, you're protecting yourself and you've been vaccinated" or "I want to make sure we're on the same page. I'm being very conscientious about vaccinations for myself and my family. Have you gotten the vaccination?" or "Before I see you next Thursday, I just want to make sure you're vaccinated. This is really important to me."
Does HIPAA Protect Vaccination Status
For a rule that's been around so long, it's remarkable that HIPAA has been so misunderstood and so frequently featured in the news lately. For example:
- Asked if she'd been vaccinated against COVID-19, a member of Congress from Georgia replied, "Your question is a violation of my HIPAA rights. You see, with HIPAA rights we don't have to reveal our medical records and that also includes our vaccine records." Sorry, wrong.
- An NFL quarterback, asked the same question, responded in similar style: "I don't necessarily think that's exactly important. I think that's HIPAA." Again, wrong.
- When President Biden proposed having public health workers canvass neighborhoods door-to-door to encourage unvaccinated persons to get a COVID vaccine, the lieutenant governor of North Carolina declared this plan was illegal due to HIPAA rules. Nope, it's not illegal and HIPAA doesn't cover this.
And it's not just athletes and lawmakers getting it wrong with HIPAA and vaccination status. Throughout the pandemic, fake mask exemption cards have been available online. These cards are intended to allow the owner to forgo wearing a mask for medical reasons. Some fake cards state that because of HIPAA, the card's owner is not required to answer any questions about their medical condition.
Unfortunately, as with the examples above, this misunderstands what HIPAA covers and what it requires.