What HIPAA is and is not: A primer on the health care privacy law

If you're being interviewed and a journalist asks you if you're vaccinated, is that a violation of HIPAA?


What if your employer is asking you to prove you've been vaccinated — is that a HIPAA issue?


What if you go to a bar or restaurant or store and a person at the front door says you need to show proof of vaccination to enter? Are they violating your HIPAA rights?

Still no.

HIPAA — short for the Health Insurance Portability and Accountability Act of 1996 — only covers what information specific health care-related entities can share about you without your consent. A journalist doing a televised interview or a postgame news conference is not one of them. Neither is your employer or your school. Neither is the bouncer at a bar requiring proof of vaccination to enter.

"I think that the major thing for people to understand with regard to HIPAA is that it's very specific," said Ankit Shah, a pediatrician with a law degree who teaches health law as a lecturer at the University of Southern California. "Health care entities have your information and are prohibited from sharing it without your consent. That's it. That's HIPAA."

The nation's top health agency is expected to backpedal Tuesday on its masking guidelines and recommend that even vaccinated people wear masks indoors in parts of the U.S. where the coronavirus is surging, according to a federal official. The official spoke on condition of anonymity because the person was not authorized to release the data.

For much of the pandemic, the CDC advised Americans to wear masks outdoors if they were within 6 feet of one another. Then in April, as vaccination rates rose sharply, the agency eased its guidelines on the wearing of masks outdoors, saying that fully vaccinated Americans no longer needed to cover their faces unless they were in a big crowd of strangers. In May, the guidance was eased further for fully vaccinated people, allowing them to stop wearing masks outdoors in crowds and in most indoor settings.

The guidance still called for wearing masks in crowded indoor settings, like buses, planes, hospitals, prisons and homeless shelters, but it cleared the way for reopening workplaces and other venues. Subsequent CDC guidance said fully vaccinated people no longer needed to wear masks at summer camps or at schools, either.

For months COVID cases, deaths and hospitalizations were falling steadily, but those trends began to change at the beginning of the summer as a mutated and more transmissible version of the coronavirus, the delta variant, began to spread widely, especially in areas with lower vaccination rates.

In recent weeks, a growing number of cities and towns have restored indoor masking rules. St. Louis, Savannah, Georgia, and Provincetown, Massachusetts, are among the places that reimposed mask mandates this month.

Additional reporting by the Associated Press.

HIPAA has been in headlines a lot lately. U.S. Rep. Marjorie Taylor Greene of Georgia, fresh off a 12-hour Twitter suspension for vaccine misinformation, told a reporter that asking if she was vaccinated "is a violation of my HIPAA rights." In a similar incident days later, Dallas Cowboys quarterback Dak Prescott told a reporter who asked the same question, "I think that's HIPAA."

Neither of those incidents is a HIPAA violation, Shah said, because journalists are not included in HIPAA. Similarly, despite what North Carolina's lieutenant governor recently suggested, people doing door-to-door outreach asking whether people are vaccinated also would not violate HIPAA.

"People always apply (HIPAA) to everybody. It's not applicable to everybody. Only health care providers, health plans, and their business associates," Shah said — collectively known as "covered entities" under the legislation.

So what would be a HIPAA violation? Hypothetically speaking, something like if your doctor's office published a list on its website of every patient and which vaccines they'd received. Or if your employer called your doctor and asked whether you were vaccinated and the doctor's office told them without your consent. It would have to be a scenario in which a specific health care provider or related business or entity was sharing your private medical information without you consenting to it being shared. It is not a legal shield that prevents anyone from asking you if you've been vaccinated against COVID-19.

"The general perception of HIPAA is that it's this overarching privacy umbrella that covers everybody on Earth, but no, it's very specific," Shah said.

If someone asks whether you're vaccinated and you don't want to tell them, you don't have to. But their asking does not violate your rights under HIPAA. And in response, that person can choose not to employ you or let you come in and grab a drink. Americans enjoy many rights, but entry to happy hour is not one of them.

