Is it a HIPAA violation to ask about the COVID-19 vaccine?

The pandemic has drummed up many questions surrounding the Health Insurance Portability and Accountability Act (HIPAA), including what it is and who it applies to. In particular, a number of employers have wondered if it is a HIPAA violation to ask about the COVID-19 vaccine?

What is HIPAA?

HIPAA (not to be confused with the commonly misspelled “HIPPA”) established a national platform of consumer privacy protection and marketplace reform. Some key provisions include insurance reforms, privacy and security, administrative simplification, and cost savings.

To implement HIPAA, the U.S. Department of Health and Human Services (HHS) issued the “Standards for Privacy of Individually Identifiable Health Information” which established a set of national standards to address the use and disclosure of individuals’ health information – called “protected health information (PHI) – by organizations subject to the Privacy Rule – called “covered entities” – as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Covered entities

HIPAA defines covered entities to include healthcare providers (physicians, psychologists, dentists, chiropractors, pharmacies, hospitals, diagnostic and treatment centers, federally qualified healthcare centers). Health plans, including health insurance companies, HMOs, company health plans, and government plans such as Medicare and Medicaid are also covered entities. Healthcare clearinghouses – entities that process nonstandard health information that they receive from another entity – are considered covered entities as well.

Unless permitted by HIPAA, covered entities may not disclose PHI. However, HIPAA allows covered entities to disclose positive test results for COVID-19 to local health departments, the CDC, or HHS.

Is it a HIPAA violation to ask for proof of vaccine status?

In general, HIPAA rules do not apply to employers or employment records. HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and, to some extent, to their business associates.

Therefore, it is not a HIPAA violation for most employers to ask employees if they’ve received the COVID-19 vaccination.

Help is available

Employers, government entities, or individuals with questions regarding HIPAA may contact the attorneys at O’Reilly Rancilio by calling 586-726-1000 or by visiting

Categories: Business