Editor’s note: As workplaces reopen, many employers are debating whether to require employees to be vaccinated or impose mask mandates. Some have encountered resistance in the form of false claims that asking someone to disclose their immunization status violates the privacy rule of the Health Insurance Portability and Accountability Act, or HIPAA..
To explain the rule, Margaret (Mimi) Foster Riley, professor of law, public health sciences, and public policy at the University of Virginia, wrote this article for The conversation. Riley has written and presented extensively on healthcare law, biomedical research, genetics, reproductive technologies, stem cell research, animal biotechnology, health disparities, and chronic disease.
he Health Insurance Portability and Liability Act Confidentiality Rule is a federal law that prohibits healthcare providers, businesses, and the people who work with them – including administrative staff, laboratories, pharmacies, health insurers, etc. – disclose your health information without your permission.
When people talk about HIPAA, they are generally referring to the privacy rule provision established in 2003, which is only part of a larger law initially passed by Congress in 1996. The privacy rule is came into force after tennis star Arthur Ashe’s HIV status was publicly disclosed. and country music star Tammy Wynette’s health records have been sold to the tabloids. People were starting to worry about genetic confidentiality. And Congress has recognized that the Internet will facilitate breaches of healthcare privacy.
Why the HIPAA privacy rule matters
The HIPAA privacy rule gives you the right to control the disclosure of your health information so that you can tell your health care provider what to share. If you do not want to share some of your health information with family members, you can ask your health care provider to hide this information from them.
However, HIPAA only protects healthcare information held by specific types of healthcare providers. For example, health data on your Apple Watch or Fitbit is generally not covered by HIPAA. The genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements, such as privacy disclosures required on many applications, may protect this information, but HIPAA cannot.
Sometimes people try to use HIPAA as an excuse for actions that it doesn’t actually cover. For example, some people who refused to comply with the rules for coronavirus-related masks in stores claimed they could not be asked to explain why due to HIPAA protections. But that’s not how this privacy law works: It’s legal for someone to ask you about your immunization status. And anyone can provide information about their own immunization status (or any personal health information) without breaking HIPAA law.
Are there any exceptions to the HIPAA privacy rule?
Certain exceptions to the HIPAA nondisclosure requirements allow covered healthcare providers to disclose patient information to help treat another person, protect public health, and assist in certain law enforcement investigations.
During a pandemic, for example, public health departments can provide information on the number of people who test positive for a disease, but they cannot mention specific names to the general public, unless there is a need to. alert specific people that they may have been exposed. This is because HIPAA and other privacy laws require them not to disclose more information than is necessary to keep people safe.