HIPAA, COVID, and Your Privacy
By Susan Walberg, JD MPA CHC
Although HIPAA (The Health Insurance Portability and Accountability Act of 1996) has been around for a long time, the COVID epidemic has spawned a slew of misunderstandings, disinformation, and erroneous claims about the law’s reach and impact.
People have raised concerns, initially, about the right of a private business, employer, or government entity to request them to wear masks and then to further ask for medical information relating to their refusal to do so. People were claiming that a worker at Walmart, for instance, couldn’t ask them about mask-wearing due to HIPAA if they tried to enter without a mask.
When the vaccinations became available, this same misinformation circulated. “Nobody can ask me about my vaccination status due to HIPAA” people proclaimed all over social media.
I want to explain what HIPAA actually does. It defines the safeguards that Covered Entities (healthcare providers, insurers, and healthcare clearinghouses) must implement in order to protect the privacy and security of patient health information. That’s it, at a very high level.
HIPAA does not prohibit anyone from asking a person anything about their health status or history. The First Amendment still applies; people can ask and tell at their own discretion (some limits and exceptions apply, such as employers, as noted below). Conversely, it does not mandate that any individual has to share their information with that Walmart greeter. Other laws come into play as a result of that disclosure, or failure to do so, as outlined below.
The other aspect of HIPAA that is not well understood pertains to the government’s role and rights to your information. The government, in general, is not subject to or limited by HIPAA except to the extent it is a Covered Entity as explained above (health care plan or oversight). So, for instance if you have a government healthcare plan, that’s covered under HIPAA and they are required to adhere to privacy protections. Other government agencies, however, may not be, depending on their roles. In addition, HIPAA has a number of exceptions where a patient does not need to authorize the sharing of their information. One such exception applies to public health disclosures. The COVID pandemic is clearly considered a public health issue which does allow for broader sharing of information regarding things such as patient diagnosis, outcome, treatment, and vaccination to promote public health activities. So that pharmacy that gives you that COVID vaccine is not prohibited from reporting that information, nor is the testing site where you got a COVID test, regardless of whether they otherwise might be covered by HIPAA.
What about Employers?
Another common concern relates to employers asking about vaccination status.
Employers can ask if you’ve been vaccinated. And an employer can implement whatever policies they want related to masks and vaccines, so long as they don’t run afoul of laws such as the Americans with Disabilities Act (ADA) or a state/local law. Employers have a duty under OSHA to provide a safe workplace, so they are within their rights to inquire about vaccine status. Where they may run into trouble, however, is if they ask the follow-up question as to ‘why not’? At that point the ADA could be triggered if the employee has a disability that they feel compelled to disclose. This question has also been reviewed by the EEOC, who found that a vaccine question is acceptable because it does not pertain to a medical disability. But the follow-up question should be avoided.
In terms of privacy, however, employers need to exercise diligence to protect the privacy of that information, as they are required to do with all employee health information. In addition, state consumer protection and other privacy laws may dictate how they can collect and protect your information. Employers need to weigh the business need against your privacy rights, keeping in mind also the ever-changing local, state and federal guidance and requirements.
So what happens if you don’t wear a mask or don’t get the vaccine due to a medical condition, despite a company policy? That is where the ADA comes in, and you will be asked for documentation to support that claim. However, if the claim is supported by medical records, they do generally need to give you reasonable accommodations wherever possible (this determination is very fact specific, depending on the business and safety issues at play). The employer needs to request only the minimum records to support a review of the matter, and those records also must be kept private. Under the Civil Rights Act of 1964, discrimination based on religion or disability is prohibited, so this is a sticky and still evolving workplace issue, particularly with local, state, and federal laws, standards, and guidance constantly evolving. But employees refusing the vaccine, without these specific exemptions, may be terminated if the employer has determined that vaccines are a requirement in the workplace for health and safety reasons. That has already been tested in the courts.
Lastly, employee health records aren’t covered by HIPAA. Even if your employer is a healthcare organization-employee health records are subject to different protections. It seems counter-intuitive, but it’s true.
Please note that this article is not intended as legal advice, and this topic is a moving target in terms of the various laws and guidance around the COVID vaccine and related issues. Many states have issued specific laws regarding whether a business can inquire about vaccine status, etc. so it’s best to do your research if you have a specific concern. But just keep in mind, unless your concern relates to your healthcare provider or insurance company releasing your information without your authorization or as allowed by law…it’s not a HIPAA issue.
Privacy issues and laws have come to the forefront during this pandemic, but so has misinformation. My goal in writing this brief article is to provide a better understanding of this law and how it applies to you.