Current News



What HIPAA is and is not: A primer on the health care privacy law

Jessica Roy, Los Angeles Times on

Published in News & Features

If you're being interviewed and a journalist asks you if you're vaccinated, is that a violation of HIPAA?


What if your employer is asking you to prove you've been vaccinated — is that a HIPAA issue?


What if you go to a bar or restaurant or store and a person at the front door says you need to show proof of vaccination to enter? Are they violating your HIPAA rights?

Still no.

HIPAA — short for the Health Insurance Portability and Accountability Act of 1996 — only covers what information specific health care-related entities can share about you without your consent. A journalist doing a televised interview or a postgame news conference is not one of them. Neither is your employer or your school. Neither is the bouncer at a bar requiring proof of vaccination to enter.

"I think that the major thing for people to understand with regard to HIPAA is that it's very specific," said Ankit Shah, a pediatrician with a law degree who teaches health law as a lecturer at the University of Southern California. "Health care entities have your information and are prohibited from sharing it without your consent. That's it. That's HIPAA."


HIPAA has been in headlines a lot lately. U.S. Rep. Marjorie Taylor Greene of Georgia, fresh off a 12-hour Twitter suspension for vaccine misinformation, told a reporter that asking if she was vaccinated "is a violation of my HIPAA rights." In a similar incident days later, Dallas Cowboys quarterback Dak Prescott told a reporter who asked the same question, "I think that's HIPAA."

Neither of those incidents is a HIPAA violation, Shah said, because journalists are not included in HIPAA. Similarly, despite what North Carolina's lieutenant governor recently suggested, people doing door-to-door outreach asking whether people are vaccinated also would not violate HIPAA.

"People always apply (HIPAA) to everybody. It's not applicable to everybody. Only health care providers, health plans, and their business associates," Shah said — collectively known as "covered entities" under the legislation.

So what would be a HIPAA violation? Hypothetically speaking, something like if your doctor's office published a list on its website of every patient and which vaccines they'd received. Or if your employer called your doctor and asked whether you were vaccinated and the doctor's office told them without your consent. It would have to be a scenario in which a specific health care provider or related business or entity was sharing your private medical information without you consenting to it being shared. It is not a legal shield that prevents anyone from asking you if you've been vaccinated against COVID-19.

"The general perception of HIPAA is that it's this overarching privacy umbrella that covers everybody on Earth, but no, it's very specific," Shah said.

If someone asks whether you're vaccinated and you don't want to tell them, you don't have to. But their asking does not violate your rights under HIPAA. And in response, that person can choose not to employ you or let you come in and grab a drink. Americans enjoy many rights, but entry to happy hour is not one of them.


©2021 Los Angeles Times. Visit Distributed by Tribune Content Agency, LLC.