Does the Health Insurance Portability and Accountability Act, more commonly known by its acronym HIPAA, protect people from having to reveal their COVID-19 vaccination status at a restaurant, bar or similar business or organization? No, that's not true: HIPAA only applies to "covered entities," not to businesses, organizations or employers who may ask for an individual's vaccination status.
The claim has appeared in numerous contexts on social media since the early days of the implementation of COVID-19 prevention measures, such as mask wearing. Some posts, like the one linked above and this one (archived here) from Facebook, not only misinterpret HIPAA guidelines but also get the acronym wrong ("HIPPA," which does not exist, versus the correct acronym "HIPAA"). This copy-and-paste post, published on May 18, 2021, reads:
I am putting everyone on notice, if I walk into a restaurant, bar, etc, and you ask me for proof of vac, I will immediately file suit against you. I will file both a personal and business lawsuit for violation of Hippa Laws.
You have no legal right under any circumstances to see my private medical records. If you deny my entrance, I will consider it as a form of discrimination and a violation of civil rights. I will use every law that is broken to file against you.
I will not and do not authorize any release of medical records to any business without my consent. And I do not give my consent just to participate as a member of society.
I have put up with the temperature checks, which are being performed by someone who is not a member of the medical profession.
Even that action is an invasion of your medical privacy. Since when does someone working at a restaurant, bar, etc have the legal right to make a decision about your medical well-being based upon taking your temperature?
These actions of show me your papers, stops now!
*Copied & pasted*
This is what the post looked like on Facebook on August 20, 2021:
(Source: Facebook screenshot taken on Fri Aug 20 19:26:10 2021 UTC)
HIPAA was signed into law in 1996 primarily to protect health coverage if an individual changes or loses their job. However, it also consists of several regulations regarding privacy and security, including the Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule. According to the Department of Health & Human Services (HHS), the Privacy Rule:
... establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
One of the key misunderstandings of the Privacy Rule is that it applies to every organization in the U.S. It does not. Organizations that must comply with HIPAA regulations are referred to as "covered entities." The Centers for Medicare & Medicaid Services (CMS) says that covered entities include health plans, health care clearinghouses, health providers and business associates of these covered entities. Organizations can use this tool from CMS to determine whether they are a covered entity.
(Source: HHS screenshot taken on Fri Aug 20 17:51:19 2021 UTC)
Lead Stories spoke over the phone with Ken Walters, a market educator at Compliancy Group, a HIPAA compliance tracking software company, on August 20, 2021. Walters clarified that businesses and organizations that do not fall under the "covered entities" category of the Privacy Rule are not subject to its regulations. He also referred us to articles from the Compliancy Group about the HIPAA vaccination law and vaccine passports' relationship to HIPAA. The latter article explains why providing proof of COVID-19 vaccination at a non-covered entity is not a HIPAA violation:
This is because of two reasons: HIPAA only applies to healthcare organizations, and patients would be self-disclosing their status.
On top of the covered entities stipulation, the Privacy Rule also specifies that only the release of protected health information (PHI) is covered by the law. According to HHS, PHI is "'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral":
'Individually identifiable health information' is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Facebook post used in this fact check does not correctly explain patients' rights under the Privacy Rule. Patients are allowed to see or receive a copy of their medical record, check their medical record for accuracy, ask to change or add information to their file, and find out who has seen their medical information. Further explanation of health information privacy rights under the Privacy Rule can be found here (archived here).
(Source: HHS screenshot taken on Fri Aug 20 19:32:36 2021 UTC)