Common Misconceptions About HIPAA and COVID-19 Vaccination Status

Asking someone about their COVID-19 vaccination status is not a HIPAA violation, despite prominent figures saying otherwise.

By Jill McKeon

The HIPAA Privacy Rule does not protect one’s COVID-19 vaccination status, despite popular misconceptions. As HIPAA turns 25 this year, common misinterpretations of the law persist, a blog post published in Harvard Health Publishing contended.

“For a rule that’s been around so long, it’s remarkable that HIPAA has been so misunderstood and so frequently featured in the news lately,” Robert H. Shmerling, MD, senior faculty editor at Harvard Health Publishing, wrote in the blog post.

When US Representative Marjorie Taylor Greene (R-GA) was asked if she received the vaccine during a recent press conference, she told a reporter that “with HIPAA rights, we don’t have to reveal our medical records, and that also involves our vaccine records.”

However, this common misconception is false, Shmerling pointed out. The HIPAA Privacy Rule prohibits the release of protected health information (PHI) by others without prior consent. The rule originated in 1996 with the goal of helping individuals maintain health insurance should they change or lose their jobs, with an emphasis on the use of electronic health records, Shmerling wrote.

Later, rules were added to quell privacy concerns as use of EHRs became the norm.

HIPAA rules strictly ensure that providers cannot share your PHI with family members, friends, or the public without written consent. But HIPAA does not prohibit gyms, restaurants, or employers from asking about one’s vaccination status or requesting proof of vaccination.

The following information is protected under HIPAA, according to the HHS website:

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

HIPAA is much narrower than many people think. Life insurers, employers, workers compensation carriers, most law enforcement agencies, and most schools are not required to follow these laws.

“If a friend, a relative, or a perfect stranger asks you about your vaccination history, or any other question about your health, you may consider it rude, nosy, or inappropriate,” Shmerling wrote.

“But it’s not illegal. And if you choose not to answer, don’t blame HIPAA.”

HIPAA is constantly evolving to match technological advancements and ensure patient privacy. Recent developments in patient right of access policies have left experts questioning the future of HIPAA and data sharing.

A recent proposed modification to the HIPAA Privacy Rule permitted individuals to transmit their protected health information to any third party in an electronic format. While the policy does give patients more agency over their own medical records, some experts worry that data could end up in the wrong hands if patients are not educated on best practices regarding privacy.

For 25 years and counting, HIPAA rules continue to protect patients’ PHI. But HIPAA is not a catch-all for all healthcare-related privacy concerns, despite common misconceptions. Keeping patients educated about their rights under HIPAA is crucial to ensuring that the rule’s original intent is not lost in translation.