Practice Management Alert

Policy Pinpoint:

Don’t Blame HIPAA When It Comes to Vaccination Status and Personal Rights

Use this policy primer when explaining privacy rights surrounding vaccination to patients or employees.

Since vaccines became available, a contingent of people has always fought back against the life-saving technology. The COVID-19 vaccines are no exception, and people in the United States who don’t want to get vaccinated have been claiming that HIPAA, the Health Insurance Portability and Accountability Act, protects their right to privacy.

This is incorrect, says Terry Fletcher, BS, CPC, CCC, CEMC, SCP-CA, ACS-CA, CCS-P, CCS, CMSCS, CMCS, CMC, QMGC, QMCRC, owner of Terry Fletcher Consulting Inc. and consultant, auditor, educator, author, and podcaster at Code Cast, in Laguna Niguel, California.

Explain HIPAA Like This

HIPAA has two components: the Security Rule and the Privacy Rule. Folks have been referencing the latter when they try to edge away from sharing their vaccination status.

However, HIPAA applies only to covered entities, aka health care providers, health insurance carriers, healthcare clearinghouses, and their business associates who may have intentional or physical access to health records. The law, which was passed in 1996, was designed to create federal standards for digitizing medial claims data and records and to ensure that employees could take still hold health insurance coverage even if they changed jobs, Fletcher says. When the law was written, computers and the internet were not so integrated into life and society, but Congress laid the groundwork for privacy protections anyway.

Covered entities need to remain compliant with the law, so they conduct communication through secure channels or seek verification of identifying information before sharing patient health information. In fact, most HIPAA-related complaints are about a lack of access to medical records, Fletcher notes. But if patients ask or if you encounter misinformation, the easiest explanation is that HIPAA is designed to regulate how healthcare entities handle health information.

If patients are concerned about their personal privacy surrounding vaccination, you can educate them about other laws or mores that better apply — and everyday situations where health information is distributed freely and without any protections. For example, if a patient tracks their steps or their period, or has a medical emergency and hails a ride via an app — or those ubiquitous vaccine selfies — their medical or health information is collected or even shared without much in the way of protections.

Fletcher gives an example: If you go to a private company’s place of business, like a fast-food restaurant, and they have a mask mandate, they may refuse to serve you if you don’t comply and be within their rights. It wouldn’t be a breach of HIPAA. But if your doctor enters the same restaurant and shares information about your health with other people, without your express permission, that doctor would be violating HIPAA. But if another customer in line, who was not a covered entity or business associate, happened to be recording the doctor and then shared the disclosed information to social media, that individual wouldn’t be violating HIPAA — even though the information of the original disclosure was protected.

Understand How HIPAA Differs From the ADA

Patients may think a law exists protecting their private health or medical information at work but quoting HIPAA isn’t the answer. The Americans with Disabilities Act (ADA) can apply to situations where health privacy and employer/employee relationships intersect. Some medical or health information is considered private and confidential to the individual, and thus beyond appropriate access for employers. The ADA limits what information — specifically disability-related inquiries — employers can ask about their employees.

Employers can require that employees are vaccinated for COVID-19 and still remain compliant with the ADA, but there are some gray areas. For example, employers administering the necessary screening questions and/or giving the COVID-19 vaccine may violate the ADA, because the questions may include disability-related inquiries.

Still, employers are allowed to ask whether employees have been vaccinated elsewhere, as well as require proof of vaccination, without violating the ADA, because these situations are not related to disability, Fletcher explains. The ADA does require employers to treat vaccination status as confidential, and employers may need to make reasonable accommodations if employees can prove they cannot get vaccinated because of a disability.

The Pandemic Has Caused Some Misinformation to Bloom

Although our society may consider inquiries about health information to be rude or in poor taste, they generally aren’t violations of laws. If a patient asks you whether you’ve been vaccinated, HIPAA offers no protections. A concert venue requiring proof of vaccination is not violating HIPAA. Some states have instituted apps to showcase vaccine status, like New York’s Excelsior Pass; these vaccine passports do not violate HIPAA.

Bottom line: HIPAA applies only to healthcare organizations like covered entities and their business associates. If patients approach you with misinformation and seem open to gentle correction, explaining that HIPAA regulates healthcare entities and not “civilian” situations may be helpful.

Resource: The Centers for Medicare & Medicaid Services (CMS) has a tool for determining covered entity status, which you can access here www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.