No, Your HIPAA Rights Aren’t Violated If Someone Asks Your Vaccine Status

Reporter Debunks Myths About What Is Covered — And What Isn't — Under Federal Health Privacy Law

A nurse administers the first dose of the COVID-19 vaccine
Mary Altaffer/AP Photo

In this era of COVID-19, misinformation and misunderstanding abound. A recent example: People citing HIPAA as an excuse for not sharing their vaccination status.

HIPAA — the Health Insurance Portability and Accountability Act — is a federal regulation that protects patients’ information from being shared without their consent by health care providers and those with whom they do business.

“Nobody else is really covered,” explained Julie Rovner, chief Washington correspondent for Kaiser Health News and the host of the “What the Health” podcast.

She spoke about HIPAA and how parts of it have always been misunderstood in an interview on WPR’s “Central Time” with Rob Ferrett.

This interview has been edited for brevity and clarity.

Rob Ferrett: Can you give us the basics of what HIPAA is and why it exists?

Julie Rovner: HIPAA is actually 25 years old this month. It was signed in August of 1996. What HIPAA really did is made it possible for you to leave one job with insurance and get another job with insurance and not have a year-long waiting period. So it started out really just being about portability.

It was a bipartisan bill, but Republicans decided that they wanted to have a little more, so they put in a big chunk of administrative simplification trying to streamline the way medical records were digitized. They were just starting out with electronic medical records in the 1990s.

This went on for like a year. At the very end, Congress said if we’re going to have all of this electronic medical information racing around, we should make sure that it’s protected, that people’s health information isn’t accidentally released. And that’s where we got the privacy part of HIPAA.

It actually wasn’t in the law. What the law said is that Congress should pass another law to ensure the privacy of this medical information by 1999. And if not, then the administration will do it. And of course, Congress missed the deadline.

The Clinton administration put out the privacy rules, the incoming George W. Bush administration tinkered with them a little bit, and that’s the HIPAA that we have today. It actually took effect in 2003.

RF: What kind of things have you seen out there where people are talking about and misinterpreting what HIPAA does?

JR: We’ve seen athletes (and politicians) respond to someone asking if they’re vaccinated by saying, “You can’t ask that because of HIPAA.” Well, I’m a reporter. Reporters aren’t covered by HIPAA. We can ask anything we want. Patients have a right to not answer. There’s nothing that requires you to answer that question.

But there’s nothing in HIPAA that prevents anybody from asking it, including employers.

Employers have to be careful because there are other laws that employers could accidentally violate, like the Americans with Disabilities Act. But employers are certainly allowed to ask employees about their vaccine status if it has a business reason. And obviously today, with a contagious disease running around, that would be a business reason.

RF: How limited are the privacy protections actually existing in HIPAA?

JR: Basically, what HIPAA’s trying to do is say that people who have what’s called protected health care information, your personal medical information, can’t release it except to other people who are authorized to have it and to anybody that you give permission.

HIPAA also has a piece where you can actually get access to your own medical records, which was not a legal right prior to HIPAA.

But it is limited to people who collect your medical information and who have reason to share it with others.

RF: Would HIPAA cover a city releasing statistics about COVID-19, say by a zip code or municipal block?

JR: No, it doesn’t. And HIPAA doesn’t cover most schools and school districts.

This would not be a HIPAA violation, but it could be a privacy violation. There are some states that do have stricter laws than HIPAA.

Over the years and as a reporter, I’ve seen this many times — people refusing to answer questions, citing HIPAA when HIPAA has nothing to do with the reason they don’t want to answer the questions.

I’ve seen veterinarians citing HIPAA when talking about animal health. HIPAA does not cover animals; it only covers people.

And it doesn’t cover de-identified information, which is information that is not connected to an individual person, for example, the number of COVID-19 cases in a given community.

RF: One thing that’s not covered under HIPAA is information we put out in the world ourselves. For example, searching health conditions on the internet. That information is fair game for the Googles and others of the world to aggregate and do with what they want, right?

JR: Yes, it is. Google is not a health care provider and neither are you.