Short answer: Yes, but lots of mis-information out here.
First, the main goal of HIPAA is helping people maintain their healthcare insurance coverage if they change or lose their jobs. The Act encouraged the use of electronic records to transfer patient information. Remember, moving data around electronically wasn’t available widely in 1996. Regulations were soon added to respond to concerns about keeping our health information private.
And to be clear, HIPAA defines protected health information as:
- health information that is “individually identifiable” — that is, medical information that includes information that identifies you, such as your name, address, or date of birth
- information about a physical or mental condition you have or had in the past
- a description of healthcare you have received
- details about payments made for healthcare you’ve received.
Here’s what the privacy rule requires. Anyone who has access to your protected health information, such as healthcare providers, health insurers, or medical billing companies, must:
- make sure it’s kept confidential
- defend health information against security threats
- ensure that employees are trained in and diligent regarding the confidentiality of PHI.
There are exceptions to keeping PHI secret. For example, PHI can be disclosed without your permission to allow medical treatment, to submit bills to your health insurance company, or when required by law. It’s not a violation of HIPAA if your doctor provides your PHI to another doctor who is part of your medical treatment team. But it is a violation if your doctor provides your PHI to a family member or friend, or any member of the public who requests it, if you haven’t signed paperwork allowing this.
There are other laws that can also be thrown into the mix that complicate what private and public employers can do, such as Equal Employment Opportunity laws and South Carolina’s Freedom of Information Act.
According to the U.S. EEOC, “federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19, so long as employers comply with the reasonable accommodation provisions.”
As COVID-19 vaccines become readily available and the populace are partially vaccinated, issues are coming up where people are being asked about vaccination status in order to take part in elective activities. When asked about vaccination status, some are taking offense and stating that their “HIPAA rights were violated.” Businesses are being accused of “HIPAA violations” by members of the public who don’t understand that HIPAA only applies to health care providers.
If you are a healthcare provider you may get questions from patients about being asked about vaccination status is a HIPAA violation.
Here is what you can tell them:
“No, being asked about COVID-19 vaccination status is not a HIPAA violation. It is not a violation for an establishment to require proof of vaccination for inside seating or for a business to require unvaccinated people to wear masks. It is not a violation of HIPAA for an employer to ask you if you have had the COVID-19 vaccine, but, you do not have to reply. A person cannot be compelled to answer that question, but be prepared to possibly be denied entry to a store or event that has a vaccination requirement. None of these situations are a HIPAA violation.