- By Robert H. Shmerling, MD, Senior Faculty Editor, Harvard Health Publishing
Do you ever wonder what is behind that HIPAA form you get at your doctor's office at every visit? Do you read it each time?
My guess is that after more than two decades, few people actually bother to read the form, and fewer still can claim to understand it. Yet, since 1996, privacy rules described in the Health Insurance Portability and Accountability Act (HIPAA) prevent disclosure of certain health information to unauthorized people without your permission. HIPAA also requires that the doctor’s office provide a notice to you about how your information is used and protected.
Does HIPAA protect vaccination status?
For a rule that’s been around so long, it’s remarkable that HIPAA has been so misunderstood and so frequently featured in the news lately. For example:
- Asked if she’d been vaccinated against COVID-19, a member of Congress from Georgia replied, "Your… question is a violation of my HIPAA rights. You see, with HIPAA rights we don't have to reveal our medical records and that also includes our vaccine records." Sorry, wrong.
- An NFL quarterback, asked the same question, responded in similar style: "I don’t necessarily think that’s exactly important; I think that’s HIPAA." Again, wrong.
- When President Biden proposed having public health workers canvass neighborhoods door-to-door to encourage unvaccinated persons to get a COVID vaccine, the lieutenant governor of North Carolina declared this plan was illegal due to HIPAA rules. Nope, it's not illegal and HIPAA doesn’t cover this.
And it’s not just athletes and lawmakers getting it wrong with HIPAA and vaccination status. Throughout the pandemic, fake mask exemption cards have been available online. These cards are intended to allow the owner to forgo wearing a mask for medical reasons. Some fake cards state that because of HIPAA, the card’s owner is not required to answer any questions about their medical condition.
Unfortunately, as with the examples above, this misunderstands what HIPAA covers and what it requires.
What you need to know about HIPAA
First, the main goal of HIPAA is helping people maintain their healthcare insurance coverage if they change or lose their jobs. The Act encouraged the use of electronic records to transfer patient information. Remember, moving data around electronically wasn’t widespread in 1996. Rules were soon added to respond to concerns about keeping our health information private.
However, the HIPAA privacy rules are rather limited: they prohibit the release of protected health information (known as PHI) by others without your consent. They have nothing to do with whether you can or should answer questions about your vaccination status, or any other health issue. That’s simply not what HIPAA does.
And to be clear, HIPAA defines protected health information as
- health information that is "individually identifiable" — that is, medical information that includes information that identifies you, such as your name, address, or date of birth
- information about a physical or mental condition you have or had in the past
- a description of healthcare you have received
- details about payments made for healthcare you’ve received.
Here’s what the privacy rule requires. Anyone who has access to your protected health information, such as healthcare providers, health insurers, or medical billing companies, must
- make sure it’s kept confidential
- defend health information against security threats
- ensure that employees are trained in and diligent regarding the confidentiality of PHI.
There are exceptions to keeping PHI secret. For example, PHI can be disclosed without your permission to allow medical treatment, to submit bills to your health insurance company, or when required by law. It’s not a violation of HIPAA if your doctor provides your PHI to another doctor who is also part of your treatment team. But it is a violation if your doctor provides your PHI to a family member or friend, or any member of the public who requests it, if you haven’t signed paperwork allowing this. (By the way, if you do want to ensure that someone can talk to your doctors about your healthcare information, you’ll need to sign waivers provided by the medical practice, or make that person your health care proxy.)
If you’d like to learn more about specific rights under HIPAA, see this Health Information Privacy website.
What about HIPAA and vaccination status?
As noted, HIPAA doesn’t prevent anyone from asking you about your vaccination status. And there’s nothing in it that prohibits businesses, such as restaurants, gyms, or movie theaters, or your employer from asking you for proof of vaccination. Finally, HIPAA privacy rules do not prevent you from answering questions about whether you’ve been vaccinated.
It’s your decision to tell others whether or not you’ve been vaccinated (and regardless of whether you divulge this information, I hope the answer is yes). Of course, if you decide not to disclose that information to your employer, you will likely be considered unvaccinated, and that could lead to changes in how or where you work, or even to loss of your job. But again, that’s unrelated to HIPAA.
The bottom line
If a friend, a relative, or a perfect stranger asks you about your vaccination history, or any other question about your health, you may consider it rude, nosy, or inappropriate. But it’s not illegal. And if you choose not to answer, don’t blame HIPAA.