Fact Check

Under HIPAA Rules, Can Businesses Ask If You Have Been Vaccinated Against COVID-19?

Where does HIPAA's privacy rule apply?

Published May 20, 2021

Covid safety signs at Subway (G. Edward Johnson/Wikimedia Commons)
Claim:
Businesses can ask customers if they have been vaccinated against COVID-19 without legal repercussions.


As more and more people have gotten vaccinated across the U.S. against COVID-19, mask-wearing and social-distancing guidelines have grown more relaxed. In mid-May 2021, the Centers for Disease Control and Prevention (CDC) announced that fully vaccinated people can go mask-less in most spaces, along with a number of caveats that resulted in confusion from health experts.

Questions grew about whether businesses could ask customers if they had been vaccinated against COVID-19, particularly whether doing so violated privacy laws surrounding the disclosure of one's health information.

Many people online posted claims and questions about the role that the Health Insurance Portability and Accountability Act (HIPAA) would play in sharing information about a customer's vaccination status. Lawmakers like Republican Rep. Marjorie Taylor Greene even said that asking people for their vaccination status violated HIPAA’s privacy rule.

We learned that this is not the case. Businesses do not violate HIPAA regulations by asking customers if they are vaccinated or not.

According to the CDC, HIPAA’s privacy rule “established a set of national standards to address the use and disclosure of individuals’ health information—called 'protected health information' – by organizations subject to the Privacy Rule—called 'covered entities' – as well as standards for individuals’ privacy rights to understand and control how their health information is used.” Basically, HIPAA’s laws govern how certain entities handle patients’ private healthcare information.

What entities fall under HIPAA’s privacy rules? According to the Department of Health and Human Services (HHS), they are:

  1. Health care providers (including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, or pharmacies)
  2. Health plans (including health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans health care programs)
  3. Healthcare clearinghouses (including entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa)

Private businesses like restaurants or grocery stores are not subject to HIPAA’s rules, so they can ask customers who enter about their vaccination status.

Health experts at the University of Michigan Medical School explained the misinformation surrounding HIPAA. Kayte Spector-Bagdady, a health law researcher, said, “Very few people actually understand what it means. They think it provides comprehensive privacy protections for health information in all circumstances, which it simply does not. HIPAA only governs certain kinds of entities – your clinician, hospital, or others in the healthcare sphere. It does not apply to the average person or to a business outside healthcare. It doesn’t give someone personal protection against ever having to disclose their health information.”

Spector-Bagdady added that this could affect how individuals receive services, saying, “Institutions rarely have the right to require that you actually get vaccinated, but if you want to work somewhere in particular, or want others to provide you services (such as schools, or businesses, or travel), they might have the right to ask you to provide proof of vaccination first [...] Not only might they have the legal right, but they might also have the legal obligation to protect others.”

Individuals may choose not to disclose their vaccination information, which may result in their being prevented from entering a venue. Medical historian Howard Markel also told the University of Michigan healthcare blog, “You are free to make choices about vaccination, but all of our choices have consequences. It simply means you won’t be able to go places or do things that will require you to show you’ve been vaccinated. If you think that’s freedom, have at it.”

So, can a business pass on the information about your vaccination?

Not if they are part of a healthcare "covered entity" under HIPAA. The University of Michigan healthcare blog summed it up:

[...] if your friend shares on social media that she just got vaccinated against COVID-19, and you tell someone else that you had seen that post, you are not in violation of HIPAA because you’re not covered by it in the first place. Your friend might like you less, but you’re not breaking the law.

But if the nurse who gave your friend her shot took a picture of her and posted it on his own social media account without getting your friend’s signed consent, that would be a HIPAA violation. However, nurses are trained in how to abide by the law, and they and their employers are subject to fines and public reporting if they violate HIPAA.

Businesses can also enforce their own restrictions. CDC guidelines also state that fully vaccinated people should still defer to local businesses: “Fully vaccinated people can resume activities without wearing a mask or physically distancing, except where required by federal, state, local, tribal, or territorial laws, rules, and regulations, including local business and workplace guidance.” So how a business will respond to your vaccination status, or your willingness or unwillingness to disclose it, depends entirely on the business.

Given that businesses can ask people about their vaccination status, and will not face any legal repercussions for doing so, we rate this claim as “True.”

Nur Nasreen Ibrahim is a reporter with experience working in television, international news coverage, fact checking, and creative writing.