Aug. 4—Can businesses legally ask if someone is vaccinated? The Centers for Disease Control and Prevention and the U.S. Department of Health and Human Services say yes.
The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, ensures privacy of medical records through insurance reforms, administrative simplification and cost savings, the CDC's website states. The HHS issued the "Standards or Privacy of Individually Identifiable Health Information," also called the Privacy Rule. HIPAA's privacy rule helps prevent organizations from spreading an individual's protected health information.
The Privacy Rule also sets standards for an individual's privacy rights to understand and control how their health information is used.
The HIPAA Privacy Rule permits disclosure of health information if it is required by law or for "public health activities and purposes," the CDC's website states. The HIPAA Privacy Rule allows disclosure of someone's health information for the purpose of "preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events ... and the conduct of public health surveillance ... investigations, and ... interventions," the CDC's website states.
HIPAA applies only to "covered entities," such as health care providers such as doctors, clinics, pharmacies or nursing homes, a health plan, such as health insurance or a company health plan or a health care clearinghouse, the HHS website says. Therefore, it is not illegal for a business to ask an employee or customer for proof of vaccination. If a business were to contact an employee or customer's doctor or healthcare provider about their vaccination status and the healthcare provider complied, that would be considered a HIPAA violation.