January 07, 2022
With the increasing prevalence of COVID-19 vaccine mandates and the need to show proof of vaccination to enter certain locations, you may hear people state that these requests are a “HIPAA violation.” But what does this acronym actually mean? And is there some kind of right to privacy being violated by having to show your vaccine card?
The quick answer is no. HIPAA — the Health Insurance Portability and Access Act of 1996 — has no bearing on a business asking to see proof of vaccination. But it does provide important protections to all Americans to ensure that private health care information remains private.
HIPAA is a law passed by Congress “that required the creation of national standards to protect sensitive patient health information.” HIPAA is meant to ensure that people understand how their health data is being used and can have control over that use. The act became important as increasing amounts of information were being retained and shared in health care, and was meant to ensure that health care information was not only accessible but also private.
HIPAA is fairly narrow in what it considers “covered entities”:
• Health care providers
• Health (insurance) plans
• Health care clearinghouses
• Associated businesses (such as claims processors or billing firms)
These entities may use and disclose a person’s health information without their authorization for a limited set of permitted reasons. Permitted uses include disclosure to the individual, treatment and payment for care, or in incidents related to a permitted use. There are also 12 specific public interest and benefit activities, such as law enforcement or government functions, where personal health information may be shared.
HIPAA has two primary rules: the Privacy Rule and the Security Rule. The Privacy Rule is meant to govern how individual health information is used by covered entities. Under the Privacy Rule, individuals have the right to see their health records, have corrections made, be notified when their health information will be used, and have transparency on the use of their health information. If you believe your rights have been violated in these regards, the U.S. Government’s Department of Health and Human Services will respond to any complaint filed.
Under HIPAA, parents can generally access their children’s records. The Security Rule provides additional protections to information covered by the Privacy Rule, and ensures that covered entities keep health information confidential, protect against threats to confidentiality, and keep their workforce compliant.
Despite the powerful protections offered by HIPAA, there are plenty of entities that are not covered, such as employers, schools, or other organizations that may have access to your health data. While state laws or other federal laws (such as the Americans with Disabilities Act) may provide some protections, it’s best to assume that unless an organization is one of those specifically subject to HIPAA, it may not comply. That means it is perfectly legal for a private business to ask for your vaccine card before it serves you.