As businesses reevaluate their public health requirements, such as lifting face mask mandates for customers who are vaccinated against COVID-19, questions about medical privacy are back in the spotlight.
The question of whether it is legal to ask a maskless people if they have been vaccinated has come into focus. Vaccine opponents, including members of the U.S. Congress, are once again claiming that the HIPAA federal privacy law protects individuals from being asked about their vaccination status.
“Business asking for proof of COVID-19 vaccination is a HIPAA violation.” – Marjorie Taylor Greene, May 18, 2021
This claim is absolutely false.
HIPPA does not apply at all in the case of employers, businesses, or other institutions from asking about COVID vaccination status. The confusion was created by rightwing interests that have a complete misunderstanding of what HIPPA covers, and used it to defend their agenda.
Health Insurance Portability and Accountability Act (HIPAA) applies only to healthcare related businesses – including insurance and medical providers. According to the privacy section of the U.S. Department of Health & Human Services website, the entities and the contractors associated with them required to follow the HIPAA rules are health insurance companies, most health care providers, and health care clearinghouses.
“The interpretation of the HIPAA requirements are a good indication of how few people actually understand the specifics of the law, even congressional members. The HIPAA law prevents a third party, must be a health care entity such as a health provider or insurer, from giving out your private health information without your permission. The law establishes the intended covered entities as well as protected health information. HIPAA does not apply to individuals or non-health care related businesses and therefore has no application to businesses who ask patrons if they have been vaccinated. People looking for rights to not be asked about vaccinations will need to seek relief elsewhere.” – Richard Tarpey, Middle Tennessee State University
Many organizations that have personal health information do not have to follow these laws. They include life insurers, business owners, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices.