What HIPAA does and doesn't protect against when it comes to COVID vaccine questions

Many people are confused when it comes to the rules surrounding HIPAA. We'll explain.

Katie Teague

Does it violate your HIPAA rights if someone asks about your vaccination status?


With vaccination rates slowing, COVID-19 infections are climbing because of the delta variant. To check the spread of the virus, health care officials and business owners are doing everything from going door to door to talk to people about getting vaccinated to requiring proof of vaccination to enter a business or return to work. One question you may hear increasingly from employers, health care workers -- maybe even family members and friends -- is, "Have you received the COVID-19 vaccine yet?" But can someone legally ask you about your vaccine status? Or is that a violation of your Health Insurance Portability and Accountability Act rights?

Some public figures may have contributed to the confusion over what HIPAA does and doesn't cover. When asked about his COVID-19 vaccination status, for instance, Dallas Cowboys quarterback Dak Prescott said, "I think that's HIPAA." US Representative Marjorie Taylor Greene likewise described questions about whether she's been vaccinated as "a violation of my HIPAA rights." Both are incorrect.

We'll explain what the HIPAA law is, what it does and doesn't protect, and if someone can ask you about your vaccine status. For more vaccine details, here's what you need to know about COVID-19 breakthrough infections for fully vaccinated people. This information comes from the Centers for Disease Control and Prevention and the US Department of Health and Human Services.


What is the HIPAA law?

HIPAA is a federal law that was created to protect sensitive patient health information from being disclosed without the patient's consent or knowledge, according to the CDC. It was signed into law in 1996 by former President Bill Clinton as patient details were going electronic.

The law established the HIPAA Privacy Rule, which was issued by HHS and sets up protections around a person's medical records and sensitive health information. And it gives a patient rights over their health information -- for instance, you have the right to examine and obtain a copy of your own health record.

As defined under the law, health care providers such as doctors and clinics, dentists, health insurance companies and health care clearinghouses -- what the law calls covered entities -- must follow the rules about guarding patient information.

Who isn't required to follow the HIPAA law?

If a business is not categorized as a covered entity as set out in the law, it's not required to follow the HIPAA rules about patient privacy. There are of course other rules that businesses, employers and schools do need to follow that protect your privacy. Here's a partial list of which organizations do not fall under HIPAA rules:

  • Life insurers
  • Employers
  • Worker compensation carriers
  • Most schools and school districts
  • Many state agencies such as child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices
  • Airlines

Businesses could ask for proof that you've been vaccinated.


Is it a HIPAA violation to ask about your vaccine status?

In most cases, according to experts, no, not at all. HIPAA does not create a right to refuse to disclose health information if requested by an employer or a business -- or in the case of Prescott or Greene, if asked by the media.

According to HHS, for example, it is not a HIPAA violation for your employer to ask for proof of vaccination. (It would be a violation, however, if your health care provider shared that information with your employer without your consent.) You can choose not to provide that information, but there could be consequences if you refuse to disclose your status.

What does HIPAA protect?

This is what the HIPAA law protects, according to HHS guidance:

  • Information your doctors, nurses and other health care providers put in your medical record.
  • Conversations your doctor has about your care or treatment with nurses and others.
  • Information about you in your health insurer's computer system.
  • Billing information about you at your clinic.
  • Most other health information about you being held by those who must follow these laws.

What doesn't HIPAA protect?

Here's what isn't covered under HIPAA, according to the Privacy Rights Clearinghouse organization:

  • Your health information in employment records.
  • Your health information in education records.
  • Health information for someone who's been deceased for more than 50 years.
  • Information on you that has been deidentified, meaning all personally identifiable information has been removed.

For more details, here's what the World Health Organization and CDC are saying about where to wear a mask today. Also, here's what you need to know about COVID-19 booster shots.

The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.