There’s nothing stopping hospitals and other providers from asking patients whether they’ve been vaccinated for COVID-19 under HIPAA. Patients don’t have to answer, but if they do, the privacy rule kicks in, according to new guidance from the HHS Office for Civil Rights (OCR).[1] By the same token, HIPAA doesn’t apply to employment records or have anything to say about employer vaccination mandates and related documentation requirements.
“The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit,” the guidance explains.
And despite what’s on social media, HIPAA doesn’t apply when people are asked their vaccination status by other people, employers, restaurants, and anyone else that’s not regulated by HIPAA, OCR explained. People can reveal whether they got the shot or any health information and it has nothing to do with HIPAA.