Is It a HIPAA Violation to Ask Someone's COVID-19 Vaccination Status?

Key Takeaways

  • Asking someone about their COVID-19 vaccination status does not violate HIPAA.
  • There would only be a HIPAA violation if covered entities—who are required to comply with its privacy standards and rules—disclose vaccination status without authorization.
  • It’s still up to you whether you want to share your COVID-19 vaccination status or not.

Now that fully vaccinated people no longer need to wear face masks or practice physical distancing in most settings, many businesses ask customers about their COVID-19 vaccination status before allowing them entry or permitting them to be maskless. However, some people claim that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibits businesses from doing this, which is completely false.

This misconception is dangerous as it could potentially mislead individuals who do not fully grasp what HIPAA actually entails. To understand why asking about someone’s vaccination status isn’t a privacy violation, it’s crucial to know what sort of information is protected under HIPAA, which entities are required to abide by its rules, and the kind of circumstances where this protection applies. 

What Is HIPAA?

HIPAA is a federal law that aims to protect your privacy by restricting how sensitive information about your health can be used or disclosed. It also gives you the right to examine and obtain a copy of your medical records.

“When people refer to HIPAA, they typically mean the Privacy Rule produced by HHS pursuant to Congressional authorization via the Act itself,” James G. Hodge, Jr., JD, LLM, director of the Center for Public Health Law and Policy at Arizona State University, tells Verywell. “To this end, the HIPAA Privacy Rule provides extensive privacy norms and protections for identifiable health information held by covered entities.”

Contrary to popular belief, HIPAA does not provide protection for all sorts of information in every kind of situation. In addition, not all individuals and organizations are required to comply with it.

Covered Entities

Only certain individuals and organizations with access to your medical information are subject to the HIPAA Privacy Rule, such as:

  • Healthcare providers, like primary care providers, specialty doctors, or psychologists
  • Health plans, such as health insurance companies or health maintenance organizations (HMOs)
  • Healthcare clearinghouses, which include public or private entities that process nonstandard health information
  • Business associates of covered entities that help them in carrying out their health care activities and functions, like medical transcriptionists or consultants

The responsibility to safeguard protected health information falls on those entities alone, Michael S. Sinha, MD, JD, MPH, adjunct faculty at the Northeastern University School of Law and visiting scholar at the NUSL Center for Health Policy and Law, tells Verywell. If an entity is not covered by HIPAA, it doesn’t have to abide by its privacy standards.

Protected Health Information (PHI)

Covered entities routinely collect and use health information to provide health care. Such records are protected under HIPAA and include:

  • Personal information, like your name, address, Social Security number, health plan beneficiary number, telephone numbers, or photographic images
  • Medical records, clinical case notes, test results, diagnoses, or prescriptions
  • Insurance information
  • Medical management record systems maintained by or for a health plan
  • Billing and payment records

“HIPAA only protects certain types of information in certain health care settings, not all information in all settings,” Sinha says. Vaccination information and immunization cards can be classified as PHI, but asking about someone’s status does not automatically result in a HIPAA violation.

Is It a HIPAA Violation to Ask About Someone’s Vaccination Status?

“Asking for the [vaccination] status is not in itself a HIPAA violation since no PHI has been disclosed,” Jonathan Ishee, JD, MPH, MS, LLM, assistant professor of biomedical informatics at the University of Texas, tells Verywell. A violation would only occur if a covered entity discloses PHI to an unauthorized person without your consent.

Anyone can ask your healthcare provider about your vaccination status, but it would only be a violation if they disclose it without permission. When non-covered entities such as family or friends ask you directly about your status, that’s not a violation. You are also allowed to disclose that information yourself.

“Americans often think the HIPAA Privacy Rule protects the privacy of their health data in many settings in which it does not apply,” Hodge says. “If you tell your neighbor about your COVID-19 vaccination status, the Rule does not apply. If you tell your employer about it, again the Rule does not apply directly.”

Another point to remember is that HIPAA doesn’t prevent businesses, companies, schools, or airlines from asking whether or not you have been vaccinated. If they ask for your vaccination status before allowing you to enter a facility, attend classes or come to work in person, or even book a flight, that’s not a violation. It’s still up to you whether you want to share that information.

“Employers are within their rights to ask employees about vaccination status or to require proof of vaccination as a condition of continued employment,” Sinha says. “Similarly, colleges and universities can require proof of vaccination for faculty, staff, and students. That means an individual may lose their job or forfeit their college admission if they refuse to disclose their vaccination status. HIPAA has no role in that exchange of information.”

What This Means For You

If someone asks you about your COVID-19 vaccination status, that is not a HIPAA violation. HIPAA only protects the use or disclosure of certain health information by covered entities. Companies, schools, airlines, or other institutions are well within their rights to ask you whether you’ve been vaccinated or not, and it’s still up to you whether you will disclose it.

Under What Circumstances Will There Be a HIPAA Violation?

There would only be a HIPAA violation if a covered entity discloses an individual’s vaccination status to a non-covered entity without their authorization. For instance, a healthcare provider is not allowed to reveal someone’s vaccination status to their employer without their consent.

“If a doctor tells the media about her celebrity patient’s COVID vaccination status, without the patient’s written authorization, a violation has likely occurred,” Hodge says. “If a media website provides the same information about a celebrity, no HIPAA Privacy Rule violation has arisen because the media website is not a ‘covered entity’ under the Rule. The site may have violated other privacy norms, whether statutory, regulatory, or judicially-imposed, but not the Privacy Rule itself.”

In some situations that benefit the public good, such as judicial and administrative proceedings, essential government functions, or public health activities, covered entities can use or disclose PHI to a non-covered entity without authorization. If they share someone’s vaccination status with an unauthorized person—a friend, neighbor, or colleague—outside of these allowable disclosures, that is likely a HIPAA violation.

“While the HIPAA Privacy Rule provides a solid floor of privacy protections in health care settings, it does not provide fail-safe privacy protections outside these specific settings,” Hodge says.

During the COVID-19 pandemic, it’s understandable to feel the need to protect your privacy and health information. However, keep in mind that HIPAA does not prevent anyone from asking about your vaccination status, because asking does not violate medical privacy or individual rights. You can still refuse to disclose your vaccination status.

“HIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status,” Sinha says. “It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.”

By Carla Delgado
Carla M. Delgado is a health and culture writer based in the Philippines.