Thanks to ongoing conversations around vaccine requirements—and angry social media commenters—you may have found yourself wondering, “What actually is HIPAA?” With the news that an increasing number of businesses and local governments are requiring vaccination for staff and New York City announcing it would require proof of vaccination for entry to restaurants, concert venues, and gyms, you’ve probably also seen commenters protest that such requirements are a “HIPAA violation.”
Although there are valid medical privacy concerns about disclosing your vaccination status and important confidentiality conversations to have, those issues actually have pretty much nothing to do with regulations in HIPAA (Health Insurance Portability and Accountability Act). And while it may make you uncomfortable to be asked for proof of vaccination, it is very unlikely to be an actual violation of HIPAA. It’s not often that a relatively obscure health care regulation makes its way into the public eye, so here’s what you need to know about HIPAA.
Here’s what HIPAA—and a HIPAA violation—actually is.
“There is a lot of confusion about what HIPAA actually does,” Clarence Lam, M.D., M.P.H., a Maryland State Senator and interim director of occupational health services and the department of health, safety, and environment at Johns Hopkins Medicine & University, tells SELF. “It’s a federal law that regulates the extent to which health care providers or insurance companies can provide medical personal health information to other entities.”
Privacy regulations were adopted as part of HIPAA in an effort to get providers to adopt the use of electronic storage for medical records, Wendy K. Mariner, J.D., L.L.M., M.P.H., Edward R. Utley Professor of health law, bioethics, and human rights at Boston University School of Public Health, tells SELF. The regulations in HIPAA apply to places such as hospitals, health care facilities, medical offices, health insurance companies, and some employers that keep medical records for their employees, she explains.
Essentially, HIPAA requires people working within those health care and insurance worlds to get a patient’s permission before sharing that person’s identifiable medical information. With that, you might already see why these regulations don’t apply to complaints about vaccination requirements: “HIPAA does not govern people. It does not grant any rights to individuals,” Mariner explains. “It limits what organizations can do with personally identifiable medical information.”
If, say, your employer asked your insurance company if you were vaccinated, “HIPAA would tell the insurance company it could not provide that information without the patient’s permission,” Mariner says. But HIPAA does not prohibit an employer from directly asking their employees if they’re vaccinated.
There are other medical privacy regulations that may apply in non-health-care settings.
Just because HIPAA doesn’t prevent your employer from asking you if you’ve gotten the COVID-19 vaccine doesn’t mean employers have free rein to ask any kind of question about employees’ medical histories. In fact, there is a slew of other intertwined regulations and state laws that limit what employers are allowed to require as a condition of employment and what medical questions those employers can ask.
As Mariner puts it: “HIPAA is not the only game in town—and usually it’s the least relevant.”
One thing to keep in mind is the Occupational Safety and Health Act (OSHA), which “imposes on employers a duty of care to maintain a safe workplace,” Mariner says. And that could certainly mean protecting employees from contracting a contagious disease like COVID-19. So, considering OSHA recommendations, an employer may decide to make masks, testing, or vaccination a condition of employment (a so-called “vaccine mandate”) in order to protect workers or customers from the coronavirus.
That’s where the Americans with Disabilities Act (ADA) comes in, which is intended to protect people with disabilities from discrimination in the workplace and other areas of life. For something like a COVID-19 vaccination to be a condition of employment, under ADA requirements, it must be job-related and consistent with business necessities, Mariner explains. In many situations “there’s no question” that a vaccine requirement would meet those guidelines, such as in a hospital setting or at universities where people typically interact with each other in close contact. Even large private companies have started to require that people get vaccinated to return to the office.
In order to implement a vaccine requirement, employers inherently need to be able to ask employees about their vaccination status. In fact, the Equal Employment Opportunity Commission (EEOC) recently released guidelines clarifying that it is not a violation of the ADA to ask employees about COVID-19 vaccinations—as long as a few other requirements are met. For one thing, in accordance with the ADA, the employer must not “single anyone out,” Dr. Lam says. They can’t just ask one person because they’re curious; there needs to be a specific job-related reason for them to know and they have to ask everyone to whom that applies.
Additionally, employers can’t require people to get the vaccine if it’s contraindicated for them (due to an allergy, for instance), Mariner says. And if someone isn’t vaccinated, the employer can’t ask why not because that may be unintentionally asking someone to disclose disability-related information, which is generally prohibited under the ADA. So the employee may need to be up-front and ask for an exemption to the vaccine rule. (However, at that point, the employer is entitled to ask on what grounds the employee is asking for an exemption, Mariner says.)
The EEOC also requires employers to provide reasonable alternatives to vaccination, such as frequent COVID-19 testing and mask use, for those who can’t or don’t want to get vaccinated because of a “sincerely held religious belief, practice, or observance” unless doing so would present an “undue hardship” on the business’s operations.
But ultimately, there’s no regulation that prohibits employers from asking employees if they’re vaccinated or asking them to provide proof of that—especially if the employer has good reason to make vaccination a condition of employment.
When it comes to local governments, like NYC, requiring vaccinations to enter businesses, that’s all down to “the state’s power to regulate businesses and their own population, which they can do,” Mariner says. “They have the power to protect public health, safety, and welfare as long as the regulations are reasonable and related, and [a vaccine requirement] certainly is.” In fact, the 10th Amendment protects a state’s “police powers,” which grant the state authority to enact measures of self-preservation, including those related to public health.
Basic practices in epidemiology, including collecting questionnaires related to an outbreak, instituting a recall of an affected product, and even quarantining people exposed to a pathogen, are generally protected during an outbreak under police powers, the Centers for Disease Control and Prevention (CDC) explains. And when it comes specifically to vaccine mandates, there is legal precedent: In the 1905 Supreme Court case Jacobson vs. Massachusetts, the court upheld the local health department’s decision to institute a smallpox vaccine requirement. More recently, a local judge upheld New York City’s pediatric MMR vaccine requirement amid a measles outbreak in 2019.
“Even without a state law, private businesses could [require vaccines for customers] themselves,” Mariner says. Businesses have quite a bit of room to refuse service to people, as long as they aren’t discriminating against people based on things like race, sex, or religion (which is prohibited by the Civil Rights Act). But according to the recent ruling in the Supreme Court case Masterpiece Cakeshop vs. Colorado, which upheld a cakeshop owner’s refusal to make a wedding cake for a gay couple, a business owner’s personal beliefs can carry quite a bit of weight.
Your medical information is, ultimately, still yours. And you have control over who gets it.
All of that said, it is completely understandable to be uneasy about providing medical information like this in everyday life. If that’s the case, take some comfort in knowing there are many regulations out there designed to keep your information safe. For instance, the ADA requires that medical information (like vaccination status) be stored separately from the rest of an employee’s personnel file to help keep that information confidential.
Ultimately, your information is still yours, and “the patient is still completely in the driver’s seat,” Dr. Lam says. If you’re asked to provide proof of vaccination, you can decide not to share it, but know that employers and businesses are allowed to ask. And if you don’t want to share it, you may have to face some consequences, like not being allowed to eat at a certain restaurant.
There are some things that businesses, employers, and local governments can do to make the public feel more comfortable sharing this information. For one thing, they can clearly explain how they protect this information and keep it confidential—and then make sure to actually do that, Mariner says. It’s also crucial for employers to give employees an idea of why this type of requirement is a necessary policy at their business, Dr. Lam adds.
They can also remind people that “it’s not a new concept for people to get vaccinated,” Dr. Lam says. In a health care setting, it’s routine for an annual flu vaccine to be a condition of employment, he says. And “every state has mandated vaccines for pediatric diseases,” Mariner says, such as the MMR vaccine. These public health measures are already widely accepted parts of our lives and a COVID-19 vaccine requirement really shouldn’t feel like much of a leap.
Employers should emphasize that it’s in employees’ interest and in the interest of the greater good to share this information when appropriate. “It’s helpful for the employer to say, ‘It’s not to punish you, but to help everybody else—and it does help you, too,’” Mariner says. “We all want to protect everybody—our coworkers, our customers, our patients, our students—from exposure to a very dangerous virus. You can play your part by telling us whether or not you’re vaccinated.”