Fixing some common misconceptions about HIPAA

Jon Hyman

17 May 2021

Ever since the CDC amended its COVID-19 guidance to say that the fully vaccinated no longer need to wear masks indoors, I’ve read myriad variations of this tweet:

Friendly reminder that under HIPPA, your vaccination status is private.

Or this tweet:

The rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.

Their point? That medical privacy laws protect their vaccination status, and it’s illegal for any business to ask as a condition of anything.

They are very, very wrong. So, I thought today I’d clear up some common misconceptions about HIPAA specifically and medical privacy more generally.

  1. HIPAA stands for the Health Insurance Portability and Accountability Act. It’s HIPAA. Not HIPPA, HIPPO, or anything else.
  2. Broadly speaking, HIPAA does protect the privacy of individuals’ medical information. But not all medical information and only in certain circumstances.
HIPAA applies only to “covered entities,” defined as: (1) health plans; (2) healthcare clearinghouses; (3) healthcare providers that electronically transmit certain health information; and certain “business associates” of covered entities. If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Thus, HIPAA does not apply to employee health information collected or maintained by an employer in its role as an employee’s employer.
For employees, HIPAA does not:
  • Prohibit an employer from asking for a doctor’s note related to an absence (or, in the case of COVID-19, an employee’s vaccination status).
  • Impact the ability to request information necessary to administer programs, such as health care benefits, workers’ comp, or sick leave.
  • Protect all health data maintained in employment records, only those employees’ medical and health plan records that relate to their participation as a member of the employer’s healthcare plan.
For businesses dealing with the public (such as a retail store or restaurant, for example), HIPAA simply does not apply at all. HIPAA does not prohibit a business from asking a customer about his or her vaccination status as a condition to entry or donning a mask upon entry. Period. Hard stop.
An employer that merely asks its employees for proof of vaccination status does not violate other laws, such as the Americans with Disabilities Act. The ADA does place limits on an employer’s disability-related inquiries of its employees. But, as the EEOC has clearly and succinctly stated, “requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.”
The bottom line is that private businesses absolutely can require employees to provide vaccination status as a condition of employment (subject to certain reasonable accommodation obligations), and further a business can require the same as a condition to entry.
A business can’t force anyone to provide that information, it can legally deny access to anyone who won’t or can’t provide it. We all have a choice to make — to vax or not to vax. It’s really this simple. If you don’t want to wear a mask, get vaccinated. If you don’t want to get vaccinated, wear a mask.
If you don’t want to do either, then accept that there are places you won’t be able to go for now and for the foreseeable future.

Written by Jon Hyman


blog workforce

We build robust scheduling & attendance software for businesses with 500+ frontline workers. With custom BI reporting and demand-driven scheduling, we help our customers reduce labour spend and increase profitability across their business. It's as simple as that.

Book a call
See the software
workforce news

Relevant Videos

This is

Hi, My name is Meg and this is my introduction to

Case Study: COVIDCheck Colorado

Find out how powered vaccine sites with demand driven scheduling and attendance.

Related Articles

workforce blog


EEOC says that employers legally can offer incentives to employees to get vaccinated in almost all instances

If you’re an employer looking to get as many of your employees vaccinated as possible, you can rest eas...

ADA, CDC, COVID-19, EEOC, GINA, pandemic, vaccinated

workforce blog


We are in the midst of a public mental health crisis; how employers can help

Do not ignore these issues or your employees who are living with them. Mental health illnesses are no d...

ADA, benefits, Coronavirus, FMLA, mental health, paid time off

workforce blog


EEOC commissioner wants industry-specific COVID-19 guidelines

With COVID-19 vaccine hesitancy a legitimate barrier to reaching herd immunity, we need rules that will...

benefits, COVID-19, EEOC, health care, wellness

Read the magazine

workforce magazine