We are living in a time when each and every person is somehow acknowledged about COVID-19 and vaccination. Fully vaccinated people no longer need to wear face masks or practice social distancing in most settings. As a result of that many businesses ask customers about their COVID-19 vaccination status before allowing them entry or permitting them to be maskless.
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.
Personal details such as whether or not an individual has been vaccinated against COVID-19 comes within the “provision of care” classification of health information that should be protected when it can be combined with other personal details (i.e., name, social security number, etc.) that can identify the individual. Protected health information is commonly referred to as PHI.
The HIPAA Privacy Rule limits use and disclosures of individuals’ PHI to uses and disclosures required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing. However, HIPAA only applies to certain organizations and businesses. So how does HIPAA relate to requests for proof of vaccine status?
HIPAA and Proof of Vaccine Status
“Asking for the [vaccination] status is not in itself a HIPAA violation since no PHI has been disclosed”JONATHAN ISHEE, JD, MPH, MS, LLM, assistant professor of biomedical informatics at the University of Texas.
A violation would only occur if a covered entity discloses PHI to an unauthorized person without your consent.
Anyone can ask your healthcare provider about your vaccination status, but it would only be a violation if they disclose it without permission. When non-covered entities such as family or friends ask you directly about your status, that’s not a violation. You are also allowed to disclose that information yourself.
“HIPAA is not something an individual can attempt to invoke as a shield if employers or schools ask about vaccination status. It’s a convenient—and often misspelled—buzzword, but it has no relevance in this context.”— MICHAEL S. SINHA, MD, JD, MPH
Circumstances The Violation Takes Place
Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.
Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”
Surrounding indicates the behavior. The world has changed greatly since COVID-19 was first diagnosed, but this is the world we live in. Despite the fact, we are all united by a single problem, still, the behavior ethics principles should be followed each time.
Once you have any doubts about your PHI rights have been broken, check the COVID and HIPAA article and don’t hesitate to act!