Is It a HIPAA Violation to Ask Someone's COVID-19 Vaccination Status?

Now that fully vaccinated people no longer need to wear face masks or practice physical distancing in most settings, many businesses ask customers about their COVID-19 vaccination status before allowing them entry or permitting them to be maskless. However, some people claim that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibits businesses from doing this, which is completely false.

This misconception is dangerous as it could potentially mislead individuals who do not fully grasp what HIPAA actually entails. To understand why asking about someone’s vaccination status isn’t a privacy violation, it’s crucial to know what sort of information is protected under HIPAA, which entities are required to abide by its rules, and the kind of circumstances where this protection applies. 

What Is HIPAA?

The HIPAA is a federal law that aims to protect your privacy by restricting how sensitive information about your health can be used or disclosed. It also gives you the right to examine and obtain a copy of your medical records.

“When people refer to HIPAA, they typically mean the Privacy Rule produced by HHS pursuant to Congressional authorization via the Act itself,” James G. Hodge, Jr., JD, LLM, director of the Center for Public Health Law and Policy at Arizona State University, tells Verywell. “To this end, the HIPAA Privacy Rule provides extensive privacy norms and protections for identifiable health information held by covered entities.”

Contrary to popular belief, HIPAA does not provide protection for all sorts of information in every kind of situation. In addition, not all individuals and organizations are required to comply with it.

Covered Entities

Only certain individuals and organizations with access to your medical information are subject to the HIPAA Privacy Rule, such as:

• Healthcare providers, like primary care providers, specialty doctors, or psychologists
• Health plans, such as health insurance companies or health maintenance organizations (HMOs)
• Healthcare clearinghouses, which includes public or private entities that process nonstandard health information
• Business associates of covered entities that help them in carrying out their health care activities and functions, like medical transcriptionists or consultants

The responsibility to safeguard protected health information falls on those entities alone, Michael S. Sinha, MD, JD, MPH, adjunct faculty at the Northeastern University School of Law and visiting scholar at the NUSL Center for Health Policy and Law, tells Verywell. If an entity is not covered by HIPAA, they don’t have to abide by its privacy standards.

Protected Health Information (PHI)

Covered entities routinely collect and use health information to provide health care. Such records are protected under HIPAA, which includes:

• Personal information, like your name, address, Social Security number, health plan beneficiary number, telephone numbers, or photographic images
• Medical records, clinical case notes, test results, diagnoses, or prescription
• Insurance information
• Medical management record systems maintained by or for a health plan
• Billing and payment records

“HIPAA only protects certain types of information in certain health care settings, not all information in all settings,” Sinha says. Vaccination information and immunization cards can be classified as PHI, but asking about someone’s status does not automatically result in a HIPAA violation.

Is It a HIPAA Violation to Ask About Someone’s Vaccination Status?

“Asking for the [vaccination] status is not in itself a HIPAA violation since no PHI has been disclosed,” Jonathan Ishee, JD, MPH, MS, LLM, assistant professor of biomedical informatics at the University of Texas, tells Verywell. A violation would only occur if a covered entity discloses PHI to an unauthorized person without your consent.

Anyone can ask your healthcare provider about your vaccination status, but it would only be a violation if they disclose it without permission. When non-covered entities such as family or friends ask you directly about your status, that’s not a violation. You are also allowed to disclose that information yourself.

“Americans often think the HIPAA Privacy Rule protects the privacy of their health data in many settings in which it does not apply,” Hodge says. “If you tell your neighbor about your COVID-19 vaccination status, the Rule does not apply. If you tell your employer about it, again the Rule does not apply directly.”

Another point to remember is that the HIPAA doesn’t prevent businesses, companies, schools, or airlines from asking whether or not you have been vaccinated. If they ask for your vaccination status before allowing you to enter a facility, attend classes or come to work in person, or even book a flight, that’s not a violation. It’s still up to you whether you want to share that information.

“Employers are within their rights to ask employees about vaccination status or to require proof of vaccination as a condition of continued employment,” Sinha says. “Similarly, colleges and universities can require proof of vaccination for faculty, staff, and students. That means an individual may lose their job or forfeit their college admission if they refuse to disclose their vaccination status. HIPAA has no role in that exchange of information.”

Under What Circumstances Will There Be a HIPAA Violation?

There would only be a HIPAA violation if a covered entity discloses an individual’s vaccination status to a non-covered entity without their authorization. For instance, a healthcare provider is not allowed to reveal someone’s vaccination status to their employer without their consent.

“If a doctor tells the media about her celebrity patient’s COVID vaccination status, without the patient’s written authorization, a violation has likely occurred,” Hodge says. “If a media website provides the same information about a celebrity, no HIPAA Privacy Rule violation has arisen because the media website is not a ‘covered entity’ under the Rule. The site may have violated other privacy norms, whether statutory, regulatory, or judicially-imposed, but not the Privacy Rule itself.”

In some situations that benefit the public good, such as judicial and administrative proceedings, essential government functions, or public health activities, covered entities can use or disclose PHI to a non-covered entity without authorization. If they share someone’s vaccination status with an unauthorized person—a friend, neighbor, or colleague—outside of these allowable disclosures, that is likely a HIPAA violation.

“While the HIPAA Privacy Rule provides a solid floor of privacy protections in health care settings, it does not provide fail-safe privacy protections outside these specific settings,” Hodge says.

During this COVID-19 pandemic, it's understandable to feel the need to protect your privacy and health information. However, keep in mind that the HIPAA does not prevent anyone from asking about your vaccination status as it does not violate medical privacy or individual rights. You can still refuse to disclose your vaccination status.

“HIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status,” Sinha says. “It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.”

The information in this article is current as of the date listed, which means newer information may be available when you read this. For the most recent updates on COVID-19, visit our coronavirus news page.