A nurse administers a vaccine. National Cancer Institute.

As individuals decide whether to receive the COVID-19 vaccines, some social media posts claim that HIPAA precludes an employer from asking about an employee’s vaccination status. We answer frequently asked questions about HIPAA and its relationship to vaccine inquiries.

What is HIPAA, and why was it created?

The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law created to streamline the health care industry’s inefficiencies. The law was intended to give patients and providers easier access to health care information.

Congress first passed HIPAA under the Clinton administration during the 1990s, and it went into full effect in 2003. The four stated goals of HIPAA are:

  1. Provide the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.
  2. Reduce health care fraud and abuse.
  3. Mandate industrywide standards for health care information on electronic billing and other processes.
  4. Require the protection and confidential handling of protected health information.

Is everyone covered by HIPAA’s security rule?

No, HIPAA only applies to covered entities and not every person who uses or sees health information. HIPAA-covered entities are defined as health plans, health care providers and health care clearinghouses.

Does the HIPAA security law protect individuals from releasing their vaccination status to employers?

Vaccination records count as personal health information under HIPAA; however, the security rules apply only to HIPAA-covered entities, not individuals.

Employers are not covered entities, so they are allowed to ask their employees for proof of vaccination. It would only be a HIPAA violation if the employer asked the employees’ health care provider to disclose their vaccination records without the consent of the employee.

Are you protected from a business asking you for proof of vaccination through the HIPAA security rule?

Businesses are allowed to ask customers to provide proof of vaccination; however, it is difficult for businesses to refuse service because of vaccination status due to the Americans with Disabilities Act.

Instead, businesses may require customers who refuse to disclose vaccination information to wear masks or accept outside deliveries. If customers refuse to compromise with businesses, businesses can deny services on health and safety grounds.

Do HIPAA security rules protect you from disclosing vaccine status to health care providers?

Health care providers are allowed to ask for the patient’s vaccination status as well as disclose it to other covered entities for treatment, payment or health care operations. Patient authorization is not needed to share vaccine status information for public health activities, according to the HIPAA Journal.

Public health activities include public health surveillance to report and prevent diseases. 

Can my employer ask about my vaccine status? What can happen if I refuse?

Though employees are not forced to provide their vaccination status to their employer, they are not protected from the consequences for not providing the information. The consequences of refusing to get vaccinated are broad and ambiguous, but a recent court decision sheds light on possible consequences.

In Houston, a federal judge sided with a hospital that dismissed employees who refused to get vaccinated. 

Currently, people are only exempt from employer-mandated vaccination requirements for medical and/or religious reasons.

However, as the availability of COVID vaccines increases, many states are considering legislation to prevent employers from mandating vaccinations and protect employees who refuse vaccination.

Is North Carolina creating legislation that prevents employers from asking for vaccination records?

The North Carolina Occupational Safety and Health Act exempts employees from being vaccinated for religious reasons. 

Republican lawmakers proposed a state bill to protect those who chose not to get vaccinated, but it did not survive crossover this session. 

Can HIPAA protect you from having to get a vaccine passport?

Vaccine passports are becoming an increasingly common method for countries to regulate people who are traveling into the country.

However, HIPAA affects vaccine passports the same way it affects other proofs of vaccination. HIPAA only protects covered entities who may ask for a vaccine passport and not businesses that are not covered entities.