The Centers for Disease Control and Prevention (CDC) on May 13 updated its guidance regarding mask-wearing for people who are fully vaccinated against COVID-19. Under the guidance, people who are fully vaccinated, meaning they are two weeks removed from receiving their second dose of the Pfizer or Moderna COVID-19 vaccines or two weeks removed from their first shot of the Johnson & Johnson vaccine, don’t need to wear a mask or physically distance in any setting, unless it’s required by a federal, state or local law. People who aren’t fully vaccinated should still wear a mask and physically distance, according to CDC guidance.
As people learned about the CDC’s new advisory, some wondered whether businesses could begin asking customers if they’re vaccinated. Others claimed that doing so would violate the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA.
Is a business asking a customer about their vaccination status a violation of HIPAA?
- U.S. Department of Health and Human Services (HHS)
- Centers for Disease Control and Prevention (CDC)
- Glenn Cohen, professor at Harvard Law School
- Kayte Spector-Bagdady, lawyer, bioethicist and associate director at University of Michigan’s Center for Bioethics and Social Sciences in Medicine.
No, most businesses would not violate HIPAA by asking about a customer’s vaccination status.
WHAT WE FOUND
The CDC says HIPAA is a federal law “that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
One of the rules created to protect people’s health information is the privacy rule, which sets standards for the use and disclosure of people's protected health information. The privacy rule applies to what are called “covered entities.”
There are three different categories of covered entities, according to the U.S. Department of Health and Human Services (HHS). One group is health care providers, including doctors, clinics and pharmacies, that electronically transmit health information in connection with certain transactions, such as claims or benefit eligibility inquiries. The second category is health plans, which include health insurance companies and government programs that pay for health care, such as Medicare and Medicaid. The third is health care clearinghouses, which HHS says includes billing services and repricing companies.
The HIPAA privacy rule also applies to business associates, which HHS defines as “a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”
HHS says protected health information under HIPAA includes information that relates to a person’s past, present or future physical or mental health or condition. HHS has a list of what information is protected on its website.
While HIPAA rules apply to covered entities and specific business associates, the rules don’t extend to most businesses, according to Glenn Cohen, a professor at Harvard Law School.
“Because the average business is not a covered entity or a business associate of a covered entity within the meaning of HIPAA, the statute does not prohibit them asking them about vaccination status,” Cohen said in an email to the VERIFY team.
Kayte Spector-Bagdady, a lawyer and bioethicist who is also the associate director at the University of Michigan’s Center for Bioethics and Social Sciences in Medicine, said there is sometimes a misunderstanding of what HIPAA does.
“People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information,” Spector-Bagdady said. “Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer. But not answering health questions might come at a cost – such as not being able to enter your workplace or board a plane.”