Key TakeawaysAsking someone about their COVID-19 vaccination status does not violate HIPAA.There would only be a HIPAA violation if covered entities—who are required to comply with its privacy standards and rules—disclose vaccination status without authorization.It’s still up to you whether you want to share your COVID-19 vaccination status or not.
Key Takeaways
Asking someone about their COVID-19 vaccination status does not violate HIPAA.There would only be a HIPAA violation if covered entities—who are required to comply with its privacy standards and rules—disclose vaccination status without authorization.It’s still up to you whether you want to share your COVID-19 vaccination status or not.
Now that fully vaccinated people no longer need to wear face masks or practice physical distancing in most settings, many businesses ask customers about their COVID-19 vaccination status before allowing them entry or permitting them to be maskless.However, some people claim that theHealth Insurance Portability and Accountability Act of 1996 (HIPAA)prohibits businesses from doing this, which is completely false.
What to Do If You Are Denied Access to Your Medical Records
What Is HIPAA?
Contrary to popular belief, HIPAA does not provide protection for all sorts of information in every kind of situation. In addition, not all individuals and organizations are required to comply with it.
Covered Entities
Only certain individuals and organizations with access to your medical information are subject to the HIPAA Privacy Rule, such as:
Protected Health Information (PHI)
Covered entities routinely collect and use health information to provide health care. Such records are protected under HIPAA, which includes:
“HIPAA only protects certain types of information in certain health care settings, not all information in all settings,” Sinha says. Vaccination information and immunization cards can be classified as PHI, but asking about someone’s status does not automatically result in a HIPAA violation.
How COVID-19 Vaccination Cards Work
Is It a HIPAA Violation to Ask About Someone’s Vaccination Status?
“Asking for the [vaccination] status is not in itself a HIPAA violation since no PHI has been disclosed,”Jonathan Ishee, JD, MPH, MS, LLM, assistant professor of biomedical informatics at the University of Texas, tells Verywell. A violation would only occur if a covered entity discloses PHI to an unauthorized person without your consent.
Anyone can ask your healthcare provider about your vaccination status, but it would only be a violation if they disclose it without permission. When non-covered entities such as family or friends ask you directly about your status, that’s not a violation. You are also allowed to disclose that information yourself.
“Americans often think the HIPAA Privacy Rule protects the privacy of their health data in many settings in which it does not apply,” Hodge says. “If you tell your neighbor about your COVID-19 vaccination status, the Rule does not apply. If you tell your employer about it, again the Rule does not apply directly.”
Michael S. Sinha, MD, JD, MPHHIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status. It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.
Michael S. Sinha, MD, JD, MPH
HIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status. It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.
Another point to remember is that the HIPAA doesn’t prevent businesses, companies, schools, or airlines from asking whether or not you have been vaccinated. If they ask for your vaccination status before allowing you to enter a facility, attend classes or come to work in person, or even book a flight, that’s not a violation. It’s still up to you whether you want to share that information.
“Employers are within their rights to ask employees about vaccination status or to require proof of vaccination as a condition of continued employment,” Sinha says. “Similarly, colleges and universities can require proof of vaccination for faculty, staff, and students. That means an individual may lose their job or forfeit their college admission if they refuse to disclose their vaccination status. HIPAA has no role in that exchange of information.”
A Growing Number of Colleges Will Require COVID-19 Vaccination for Fall
What This Means For You
Under What Circumstances Will There Be a HIPAA Violation?
There would only be a HIPAA violation if a covered entity discloses an individual’s vaccination status to a non-covered entity without their authorization. For instance, a healthcare provider is not allowed to reveal someone’s vaccination status to their employer without their consent.
“If a doctor tells the media about her celebrity patient’s COVID vaccination status, without the patient’s written authorization, a violation has likely occurred,” Hodge says. “If a media website provides the same information about a celebrity, no HIPAA Privacy Rule violation has arisen because the media website is not a ‘covered entity’ under the Rule. The site may have violated other privacy norms, whether statutory, regulatory, or judicially-imposed, but not the Privacy Rule itself.”
In some situations that benefit the public good, such as judicial and administrative proceedings, essential government functions, or public health activities, covered entities can use or disclose PHI to a non-covered entity without authorization.If they share someone’s vaccination status with an unauthorized person—a friend, neighbor, or colleague—outside of these allowable disclosures, that is likely a HIPAA violation.
“While the HIPAA Privacy Rule provides a solid floor of privacy protections in health care settings, it does not provide fail-safe privacy protections outside these specific settings,” Hodge says.
During this COVID-19 pandemic, it’s understandable to feel the need to protect your privacy and health information. However, keep in mind that the HIPAA does not prevent anyone from asking about your vaccination status as it does not violate medical privacy or individual rights. You can still refuse to disclose your vaccination status.
“HIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status,” Sinha says. “It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.”
The information in this article is current as of the date listed, which means newer information may be available when you read this. For the most recent updates on COVID-19, visit ourcoronavirus news page.
4 SourcesVerywell Health uses only high-quality sources, including peer-reviewed studies, to support the facts within our articles. Read oureditorial processto learn more about how we fact-check and keep our content accurate, reliable, and trustworthy.Centers for Disease Control and Prevention.Interim public health recommendations for fully vaccinated people.Centers for Medicare & Medicaid Services.Are you a covered entity?U.S. Department of Health & Human Services.Summary of the HIPAA Privacy Rule.Centers for Disease Control and Prevention.Health Insurance Portability and Accountability Act of 1996 (HIPAA).
4 Sources
Verywell Health uses only high-quality sources, including peer-reviewed studies, to support the facts within our articles. Read oureditorial processto learn more about how we fact-check and keep our content accurate, reliable, and trustworthy.Centers for Disease Control and Prevention.Interim public health recommendations for fully vaccinated people.Centers for Medicare & Medicaid Services.Are you a covered entity?U.S. Department of Health & Human Services.Summary of the HIPAA Privacy Rule.Centers for Disease Control and Prevention.Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Verywell Health uses only high-quality sources, including peer-reviewed studies, to support the facts within our articles. Read oureditorial processto learn more about how we fact-check and keep our content accurate, reliable, and trustworthy.
Centers for Disease Control and Prevention.Interim public health recommendations for fully vaccinated people.Centers for Medicare & Medicaid Services.Are you a covered entity?U.S. Department of Health & Human Services.Summary of the HIPAA Privacy Rule.Centers for Disease Control and Prevention.Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Centers for Disease Control and Prevention.Interim public health recommendations for fully vaccinated people.
Centers for Medicare & Medicaid Services.Are you a covered entity?
U.S. Department of Health & Human Services.Summary of the HIPAA Privacy Rule.
Centers for Disease Control and Prevention.Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Meet Our Medical Expert Board
Share Feedback
Was this page helpful?Thanks for your feedback!What is your feedback?OtherHelpfulReport an ErrorSubmit
Was this page helpful?
Thanks for your feedback!
What is your feedback?OtherHelpfulReport an ErrorSubmit
What is your feedback?
