News reports centered around patient privacy and COVID-19 seem to break on the daily – bringing newfound fame to HIPAA law and even more speculation on what is – and isn’t – covered within its requirements. Most recently, the conversation of vaccinations has been a trending headline with the question of ‘HIPAA violation’ commonly featured. So while there’s still plenty of uncertainty where COVID-19 is concerned, hopefully, we can at least shed some light on where HIPAA truly comes into play.
When it comes to the commonly asked question of whether HIPAA protects against employers and other businesses requesting vaccination records, the short answer is no. HIPAA law only applies to covered entities which therefore means that private businesses and citizens are not obligated under the stringent data protection laws and CAN ask about vaccination status. However, patients do have the right to not disclose their own health information and can choose to decline to answer, but based on state-specific laws and company requirements there may be repercussions as a result. In a quote from Kayte Spector-Bagday, a lawyer and bioethicist at the University of Michigan, she highlights the popular misconception in saying, “People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer.”
So where does HIPAA come in?
As we just mentioned, healthcare organizations and their business associates are liable under the federal law meaning that your practice can NOT disclose vaccination information (or any protected health information for that matter) unless direct patient authorization is granted. So, say a patient’s employer calls your office to ask about their employee’s vaccination status. Well, because of the standards outlined in the HIPAA Privacy Rule, you cannot disclose any sensitive health information without patient consent, and doing so would result in a HIPAA violation.
While vaccination status and test results are the trending topics at the moment, it’s important to note that these stipulations go for any and all types of patients’ health information, not just what’s related to COVID-19. And while the current state of the public health emergency still leaves a lot of unanswered questions – when it comes to your practice’s ability to disclose protected health information (PHI), HIPAA law still applies.