Monday, May 17, 2021

Coronavirus Update 5-17-2021: It’s spelled HIPAA, not HIPPA … fixing some common misconceptions about the Health Insurance Portability and Accountability Act

Ever since the CDC amended its COVID-19 guidance to say that the fully vaccinated no longer need to wear masks indoors, I've read myriad variations of this tweet:
Friendly reminder that under HIPPA, your vaccination status is private.

Or this tweet:

The rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.
Their point? That medical privacy laws protect their vaccination status, and it's illegal for any business to ask as a condition of anything.

They are very, very wrong. So, I thought today I'd clear up some common misconceptions about HIPAA specifically and medical privacy more generally.

1/ HIPAA stands for the Health Insurance Portability and Accountability Act. It's HIPAA. Not HIPPA, HIPPO, or anything else.

2/ Broadly speaking, HIPAA does protect the privacy of individuals' medical information. But not all medical information and only in certain circumstances.

HIPAA applies only to "covered entities," defined as: (1) health plans; (2) healthcare clearinghouses; (3) healthcare providers that electronically transmit certain health information; and certain "business associates" of covered entities. If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Thus, HIPAA does not apply to employee health information collected or maintained by an employer in its role as an employee's employer. 

For employees, HIPAA does not:
  • Prohibit an employer from asking for a doctor's note related to an absence (or, in the case of Covid, an employee's vaccination status).
  • Impact the ability to request information necessary to administer programs, such as healthcare benefits, workers' comp, or sick leave.
  • Protect all health data maintained in employment records, only those employees' medical and health plan records that relat to their participation as a member of the employer's healthcare plan.
For businesses dealing with the public (such as a retail store or restaurant, for example), HIPAA simply does not apply at all. HIPAA does not prohibit a business from asking a customer about his or her vaccination status as a condition to entry or donning a mask upon entry. Period. Hard stop.

3/ An employer that merely asks its employees for proof of vaccination status does not violate other laws, such as the Americans with Disabilities Act. The ADA does place limits on an employer's disability-related inquiries of its employees. But, as the EEOC has clearly and succinctly stated, "requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry." 

The bottom line is that private businesses absolutely can require employees to provide vaccination status as a condition of employment (subject to certain reasonable accommodation obligations), and further a business can require the same as a condition to entry. A business can't force anyone to provide that information, it can legally deny access to anyone who won't or can't provide it. We all have a choice to make—to vax or not to vax. It's really this simple. If you don't want to wear a mask, get vaccinated. If you don't want to get vaccinated, wear a mask. If you don't want to do either, then accept that there are places you won't be able to go for now and for the foreseeable future.