Is it against HIPAA to ask about COVID vaccinations?

Rules regarding masks and social distancing are slowly becoming less restrictive. Many businesses are following recent CDC guidelines that suggest fully vaccinated people can start removing their masks indoors. These changes are key to businesses regaining some normalcy this summer, but many business owners are hesitant about their employees and customers ditching their masks so soon.

As of May 19, just under 40 percent of people in the United States were fully vaccinated. That leaves more than half of Americans still at great risk of contracting and spreading COVID-19, and business owners are understandably looking into their rights. Many are asking, “Is it against HIPAA to ask about COVID vaccinations?”

The short answer is no, but it’s a question people are hotly debating right now, as many feel it’s a violation of their privacy. So although HIPAA quickly comes to mind when discussing information related to our medical history, it doesn’t quite apply to this situation.

Let’s dive into the details of HIPAA and what personal information it does and doesn’t protect.

What is HIPAA?

HIPAA is the acronym that refers to the Health Insurance Portability and Accountability Act. Congress developed the legislation in 1996 as a way to protect the privacy of all Americans when it comes to certain health information. Under HIPAA, “covered entities” are subject to the Privacy Rule, but only certain types of organizations fall under this rule:

  • Health plans
  • Healthcare providers
  • Healthcare clearinghouses
  • Business associates of a covered entity

In general, any business that provides medical care and services, health insurance, billing and information services in the medical field, and any businesses that work in partnership with these entities are required to protect your privacy. They aren’t allowed to share your medical information without obtaining your consent to do so.

What information is protected under HIPAA?

The HIPAA Privacy Rule applies to health information considered “individually identifiable.” This includes any information — whether it’s written, digital, oral, or in the form of media, including demographic data — that relates to a person’s past, present, or future physical or mental health condition, the treatment a healthcare provider gives to the person, or the payments associated with that care.

In simpler terms, any details your doctor has about your health at any time in your life, any medical advice and treatment they offered, and how much you paid for your medical treatment must remain confidential by law.

There are some instances where medical professionals are permitted to release your information, though. This can include sharing information with designated family members, when it involves certain public interests or victims of abuse, and for certain judicial and law enforcement requirements. However, in most cases, you can usually expect full confidentiality from your healthcare providers and their business associates.

How does HIPAA apply to businesses?

Now that we’re up to speed on what the law entails, we can fully understand why asking about vaccination status is not a violation of HIPAA. General businesses that don’t offer medical services, health insurance, or medical billing services aren’t considered covered entities as outlined in the law.

What’s more, they aren’t actually sharing any private information by simply asking a question about someone’s vaccine status. A business owner — just like any other individual — is free to ask someone whether or not they’re vaccinated. And everyone has the right to withhold that information if someone asks them for it.

When it comes to hiring, there are certain discrimination protections outlined by the Equal Employment Opportunity Commission (EEOC). You can’t turn down someone for a job purely based on their race, color, religion, sex (including pregnancy, gender identity, and sexual orientation), national origin, disability, age (that’s age 40 or older), or genetic information.

Those protections don’t include a person’s vaccination status, and the EEOC has already issued guidance stating that employers have the legal right to require vaccinations for their employees.

And just as business owners in the United States are legally allowed to deny service if you enter their restaurant without a shirt, they can also deny service to someone who’s either not vaccinated or won’t divulge this information. Vaccination status isn’t currently a discriminatory criterion.

How can businesses collect proof of vaccination?

Businesses that want to make sure their employees are vaccinated should collect this information digitally to keep a clear record. An easy way to do this is through an online form like those provided by JotForm. Business owners can create a form from scratch or check out more than 360 pre-made templates related to COVID-19.

Proof of vaccination forms may include the date of vaccination, the brand of vaccine, and an uploaded image of a valid vaccine card. Once you collect this information for all of your employees, you can conveniently save the data in JotForm Tables.If businesses also want to collect this information from customers, they can easily do that by adding a vaccine-related section to a retail appointment form. Before customers enter your store or meet with a salesperson, you can require them to fill out the form and include their vaccination status. This is within your legal rights as a business owner, and it can provide some peace of mind for you and your employees.

AUTHOR
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form. The views stated herein are for discussion only, and are not intended to constitute medical advice or any other advice, procedures, or guidelines for diagnosing or treating any medical condition or for any aspect of the practice of medicine.

Send Comment:

JotForm Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Comment:

Podo CommentBe the first to comment.