What to Know About HIPAA in Regards to Disclosing Vaccination Status

At the height of the COVID pandemic, people were anxious to know whether they had rights that protected them from having to disclose their vaccination status. Some believed that HIPAA’s Privacy Rule gave them “a right to privacy” and thought they could refuse to share their status if asked by employers or businesses.

COVID-19 vaccines may not be as talked about now, but they sparked questions about refusing vaccines, sharing vaccination status, and employee rights. In this article, we’ll cover the extent of HIPAA rules on vaccination status and how it affects your rights as an employee or customer.

What Does HIPAA Mean?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was created in 1996 to help individuals maintain the continuity of their medical information. For example, if a person lost his job or switched health insurance providers, HIPAA helped facilitate a safe transfer of medical records. Today, HIPAA protects the privacy, integrity, and security of medical data/protected health information.

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) includes all individually identifiable information. For example, it covers information that identifies an individual’s demographics, as well as past diagnoses, previous medical treatment, and so on.

HIPAA lists 18 examples of PHI. They include: name, date of birth, email address, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, license/certificate numbers, IP addresses, biometric identifiers, all geographical subdivisions, fax numbers, and phone numbers.

Under Federal law, PHI can only be divulged with the patient’s explicit permission. HIPAA has different rules and regulations on how PHI is used, processed, and transferred. For example, the Privacy Rule describes how PHI should be used in all forms of media, i.e., oral, paper, or electronic. The Security Rule describes how PHI is used and transmitted in its electronic form. Not everyone is obligated to follow HIPAA’s rules.

Obligated parties are called covered agents. They include healthcare providers, health plans, healthcare clearing houses, and their business associates. Business associates provide services on behalf of a covered entity. Examples of services they provide include consulting, accounting, medical transcription, legal, utilization reviews, and claims processing.

Is Vaccination Information Protected Health Information?

Yes, depending on the context. If the information on vaccination is associated with other identifiers like the individual’s medical condition, it is PHI. If it is not, then it isn't PHI.

Is Vaccination Information Protected by HIPAA?

No, it is not. At the height of the COVID pandemic, a lot of people were eager to know if vaccination records were confidential. In response to this need, the HHS published a blog called HIPAA, COVID Vaccination and the Workplace. The piece addressed not only the queries concerning COVID-19 vaccinations but also all vaccinations in general.

The summary of that piece is this:

The HIPAA Privacy Rule only applies to covered agents and their business associates. This means that employers are not under HIPAA rules and are free to request the vaccination status of their employees. The same also goes for business owners asking for the vaccination status of their customers. Such requests do not violate HIPAA because business owners, in this case, are not under HIPAA law.

Customers can choose to disclose or not disclose their vaccination status, and business owners can choose to provide or deny service. The Privacy Rule also does not apply when:

  • Schools request the vaccination status of their students.
  • An individual asks for the vaccination status of another individual, a service provider, or a healthcare provider.
  • An individual asks for the vaccination status of a company’s workforce.

Can My Doctor Share My Vaccination Status?

Healthcare providers are under HIPAA law. In this case, when an employer, school, or any other organization requests a person’s vaccination record from their healthcare provider, the healthcare provider must obtain explicit consent from the person concerned.

How Does HIPAA Protect Vaccination Records?

While HIPAA does not regulate the request for vaccination records from noncovered agents, it regulates requests from covered agents. It can also, to an extent, regulate how these records are handled by noncovered agents.

For example, HIPAA may regulate how a school handles vaccination records if the requested information does not meet the definition of “education records” as stipulated by the Family Educational Rights and Privacy Act (FERPA).

Can Employers Fire You for Failing To Disclose Vaccination Status?

Employers are not bound by HIPAA law and are, therefore, well within their rights to fire workers who fail to disclose vaccination status. One may argue that HIPAA is not the only law at play, and that is correct.

Different laws can apply in different contexts. For example, in 2021, a federal judge dismissed a lawsuit filed by employees who were fired by the Houston Methodist Hospital for refusing the COVID-19 vaccines. The judge dismissed the case based on the federal and state laws in play at the time.

Can Business Owners Ask You To Leave a Business for Failing To Disclose Vaccination Status?

Business owners are not regulated by HIPAA and are, therefore, at liberty to deny services to customers who refuse to disclose their vaccination status. Discrimination laws also do not apply. However, other state laws may apply.

For example, during the COVID pandemic, Florida law prohibited businesses from inquiring about vaccination status. Meanwhile, in New York City, state law required people to show proof of taking at least one dose of the vaccine before entering a restaurant.

In conclusion, are vaccination records confidential? No, they are not.

HIPAA does not prevent employers, business owners, and other individuals from requesting your vaccination status.

HIPAA does, however, prevent your healthcare provider from disclosing your vaccination status without your explicit consent.

However, your willingness to disclose your vaccination status can affect your employment. Business owners are at liberty to fire unvaccinated employees or deny unvaccinated customers service at their discretion.
