Ever since the CDC amended its COVID-19 guidance to say that the fully vaccinated no longer need to wear masks indoors, I've read myriad variations of this tweet:
Friendly reminder that under HIPPA, your vaccination status is private.
Or this tweet:
The rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.Their point? That medical privacy laws protect their vaccination status, and it's illegal for any business to ask as a condition of anything.
They are very, very wrong. So, I thought today I'd clear up some common misconceptions about HIPAA specifically and medical privacy more generally.
1/ HIPAA stands for the Health Insurance Portability and Accountability Act. It's HIPAA. Not HIPPA, HIPPO, or anything else.
2/ Broadly speaking, HIPAA does protect the privacy of individuals' medical information. But not all medical information and only in certain circumstances.
HIPAA applies only to "covered entities," defined as: (1) health plans; (2) healthcare clearinghouses; (3) healthcare providers that electronically transmit certain health information; and certain "business associates" of covered entities. If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Thus, HIPAA does not apply to employee health information collected or maintained by an employer in its role as an employee's employer.
HIPAA applies only to "covered entities," defined as: (1) health plans; (2) healthcare clearinghouses; (3) healthcare providers that electronically transmit certain health information; and certain "business associates" of covered entities. If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Thus, HIPAA does not apply to employee health information collected or maintained by an employer in its role as an employee's employer.
For employees, HIPAA does not:
- Prohibit an employer from asking for a doctor's note related to an absence (or, in the case of Covid, an employee's vaccination status).
- Impact the ability to request information necessary to administer programs, such as healthcare benefits, workers' comp, or sick leave.
- Protect all health data maintained in employment records, only those employees' medical and health plan records that relat to their participation as a member of the employer's healthcare plan.
For businesses dealing with the public (such as a retail store or restaurant, for example), HIPAA simply does not apply at all. HIPAA does not prohibit a business from asking a customer about his or her vaccination status as a condition to entry or donning a mask upon entry. Period. Hard stop.
3/ An employer that merely asks its employees for proof of vaccination status does not violate other laws, such as the Americans with Disabilities Act. The ADA does place limits on an employer's disability-related inquiries of its employees. But, as the EEOC has clearly and succinctly stated, "requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry."