HHS clarifies role of HIPAA in vaccine mandate debate
In a recently issued FAQ, the Department of Health and Human Services (HHS) clarified if and when the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule has a role in requesting or disclosing information about one's vaccination status.
Various politicians and other public figures have referenced and relied on HIPAA as the reason they cannot or need not disclose whether they are vaccinated. This stance has been adopted by others, including reluctant or resistant employees. HHS makes clear HIPAA does not provide any such protection.
An edited and condensed version of the FAQ follows. For additional information on the Privacy Rule and its application, visit https://www.hhs.gov/hipaa/for-individuals/index.html .
Questions and answers
1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
No. The Privacy Rule (45 CFR part 160 and subparts A and E of part 164) does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA-covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
First, the Privacy Rule applies only to covered entities, such as health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, to some extent, their business associates.