Disclaimer: At UPMC HealthBeat, we strive to provide the most up-to-date facts in our stories when we publish them. We also make updates to our content as information changes. However, education about COVID-19 can shift quickly based on new data, emerging variants, or other factors. The information in this story was accurate as of its publish date. We also encourage you to visit other reliable websites for updated information, including the Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), and your state and local governments.
In May 2021, the Centers for Disease Control and Prevention (CDC) released updated guidelines for people fully vaccinated against COVID-19.
People who are fully vaccinated can resume activities without wearing a mask or physically distancing unless required by laws, rules, or regulations from a government, business, or workplace. But people who are not fully vaccinated should follow prevention efforts like mask-wearing.
Some businesses allow only fully vaccinated customers to go without a mask.
A widely circulating rumor claims that people who ask you whether you’ve been vaccinated are violating your rights under the Health Insurance Portability and Accountability Act (HIPAA). This is not true. Businesses and other entities are allowed to ask about your vaccine status. It is not a HIPAA violation.
Never Miss a Beat!
Subscribe to Our HealthBeat Newsletter!
Get Healthy Tips Sent to Your Phone!
What Is HIPAA?
The United States Congress passed HIPAA in 1996. President Bill Clinton signed it into law on Aug. 21, 1996.
HIPAA regulates several aspects of health care, including the privacy of individuals’ medical information.
Under HIPAA, health care professionals — including plans, providers, and clearinghouses — cannot share health information without your permission. Protected information includes:
- Your past, current, or future physical or mental health or condition.
- Health care you received.
- Past, current, or future payment for health care you received.
- Information that could identify you (i.e. name, address, Social Security information).
COVID-19 and HIPAA: What to Know
Under the HIPAA Privacy Rule, your health care information is protected from disclosure by health care providers.
Providers can release protected information in limited situations — such as in the interest of public health.
For example, if someone tests positive for COVID-19, that information may be shared with close contacts to prevent a wider spread. Providers should make an effort to share the least amount of information possible to protect your HIPAA rights.
In terms of the COVID-19 vaccine, health care providers cannot report that you received the vaccine without your permission.
It’s important to note that HIPAA protects your information from being shared by health care organizations without your permission. It does not apply to businesses or individuals outside of health care.
Can People Ask If You Got the COVID-19 Vaccine?
In short, yes.
A business or an individual asking if you got the COVID-19 vaccine is not a HIPAA violation. Neither is asking for proof. It’s up to you to provide the information they request.
If you choose not to say whether you’ve been fully vaccinated against COVID-19, a business may require you to wear a facemask. Those facemask requirements do not violate HIPAA.
Proof of COVID-19 vaccination may be necessary for future travel within or outside of the United States.
Some employers may make vaccination mandatory and ask for proof of vaccination. In December 2020, the U.S. Equal Employment Opportunity Commission released guidelines for mandatory workplace vaccination. While employers must make accommodations for people who can’t or choose not to get vaccinated for medical or religious reasons, mandatory vaccinations for workers don’t violate HIPAA.
Although HIPAA is an important law that protects your health privacy, it does not apply in all situations. It is not against the law for someone to ask if you’ve been vaccinated.
Simone Jasper, Miami Herald, Is It a HIPAA Violation if Businesses Request Proof of COVID Vaccine? What Experts Say. Link
Fran Kritz, NPR, Coronavirus FAQ: Am I Legally (And Ethically) Bound To Say If I Got A COVID Vaccine? Link
Devon Link, USA Today, Fact Check: Businesses Can Legally Ask If Patrons Have Been Vaccinated. HIPAA Does Not Apply. Link
The Network for Public Health Law, FAQ: COVID-19 and Health Data Privacy. Link
U.S. Department of Health and Human Services, Summary of the HIPAA Privacy Rule. Link
U.S. Department of Health and Human Services, Office of Civil Rights, HIPAA, Health Information Exchanges, and Disclosures ofProtected Health Information for Public Health Purposes. Link
U.S. Equal Employment Opportunity Commission, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws. Link
Headquartered in Pittsburgh, UPMC is a world-renowned health care provider and insurer. We operate 40 hospitals and 800 doctors’ offices and outpatient centers, with locations throughout Pennsylvania, Maryland, New York, West Virginia, and internationally. We employ 4,900 physicians, and we are leaders in clinical care, groundbreaking research, and treatment breakthroughs. U.S. News & World Report consistently ranks UPMC Presbyterian Shadyside as one of the nation’s best hospitals in many specialties and ranks UPMC Children’s Hospital of Pittsburgh on its Honor Roll of America’s Best Children’s Hospitals. We are dedicated to providing Life Changing Medicine to our communities.