Is that HIPAA? No, that’s not HIPAA.

CJ
Legal Commentary
Jul 25, 2021

This week, a reporter asked Georgia Rep. Marjorie Taylor Greene a simple question about COVID-19: “Have you yourself gotten vaccinated?” Greene responded, “Your first question is a violation of my HIPAA rights. You see with HIPAA rights we don’t have to reveal our medical records and that also includes our vaccine records.”

Similarly, Dallas Cowboys QB Dak Prescott (who I like A LOT) was asked at a press conference if he has received a vaccine. Dak responded, “I don’t necessarily think that’s exactly important…I think that’s HIPAA.”

Now, far be it from me to criticize anyone’s COVID-19 vaccination status (after all, I believe that no one, including the government, should tell you what to do with your body), but I do take issue with people getting the law wrong. So . . .

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (b.k.a. “HIPAA”) is a federal law that protects a patient’s health information from being disclosed without the patient’s consent.

HIPAA has two As, not two Ps. If you use two Ps, you’re probably thinking of HIPPOs, like Fiona.

What information is protected?

  • Info your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctors and nurses have about your care
  • Info about you in your health insurer’s computer system
  • Billing info about you at your clinic

Who does HIPAA apply to?

HIPAA prohibits “covered entities” from disclosing patient information without the patient’s consent. All of these are covered entities:

  • Health plans like health insurance companies, HMOs, company health plans, and certain government programs that pay for health care (such as Medicare and Medicaid)
  • Most health care providers (think doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists)
  • Health care clearinghouses

Wait. Does HIPAA apply to my employer?

Nope. If you give health information to your employer, that information is not covered by HIPAA. These organizations do not have to follow HIPAA’s privacy and security rules:

  • Life insurers
  • Employers
  • Most schools and school districts
  • Many state agencies and municipal offices (e.g. child protective service agencies)
  • Most law enforcement agencies

However, the Americans with Disabilities Act of 1990 (“ADA”) does require employers to maintain the confidentiality of all employee medical information, even if that info is not about a disability. So, this includes documentation or other confirmation of COVID-19 vaccination. Under the ADA, HR professionals at your company should be the only people with access to this info, but the HR team can communicate with managers and supervisors as necessary.

Of course, if you (as an employee) openly talk about your vaccine status or test results, that info is not protected. You can ask fellow employees about their vaccination status, but be careful when asking the folks you supervise.

If my employer asks me if I have been diagnosed with COVID-19 or if I have received the vax, is that a HIPAA violation?

Nope.

Got it. So my job can ask me about my COVID-19 test results and my vax status. On a related note, can my employer require me to get the COVID-19 vaccination?

Yep. Sure can. But if you are exempt from mandatory immunization based on the ADA, Title VII of the Civil Rights Act, or other federal laws, your company cannot force you to get the vaccine.

Does HIPAA apply to journalists?

Nope. Marjorie Taylor Greene and Dak Prescott are wrong. It’s not a HIPAA violation for a journalist to ask about your vaccination status. Similarly, it’s not a violation if your church, athletic club, or friends ask either.

CJ
Legal Commentary

attorney ● the most curious person you know ● sometimes on TikTok (same handle) ● disclaimer: opinions are my own (not those of my employer or any client)