HARRISBURG, Pa. (WHTM) — With questions about enforcing different mask rules for different people — given that the difference is something people can choose to keep private — social media was abuzz with speculation that the Centers for Disease Control (CDC) was paving the way for countless “HIPAA violations.”
How else, the reasoning went, could you possibly find out someone’s vaccination status without violating HIPAA?
Colloquially, “HIPAA” has come to mean roughly “health privacy rules” to a lot of Americans, the same way some might ask for a “Kleenex” even if they don’t care who manufactures a tissue.
In fact, HIPAA is something very specific: The Health Insurance Portability and Accountability Act of 1996.
And it applies — said Cynthia Haines, a Harrisburg-based lawyer, and partner at the firm Post & Schell — to specific entities or people: primarily doctors, hospitals, and health insurance companies.
In many (but not all) cases, they can’t disclose your health records to someone else without your permission, Haines said.
But your boss asking whether you’ve been vaccinated? Not a HIPAA violation.
A supermarket or movie theater asking the same question? Not a HIPAA violation, she said.
That doesn’t mean all of those examples are necessarily OK or even legal, Haines said. But they are not covered by HIPAA.
The employer question is likely to be a thorny one, Haines said.
“I don’t think that that’s been fully decided,” she said, while noting she focuses on HIPAA, not employment law, which covers that realm. “We will likely see lawsuits about that, because there’s an argument that you’re protecting other people to determine whether individuals are vaccinated and can be unmasked or not.”
As for businesses where we’re consumers, not employees, she said business logic will more likely intervene before legal questions come up.
“Will a for-profit entity like a grocery store or a movie theater really want to take that on?” — in other words, asking customers to give evidence of their vaccination status — she asked rhetorically.
Oh, and one thing that’s most certainly not a HIPAA violation? You spilling the beans about your own health history, whether vaccinations or something else.
“You cannot violate your own privacy, because that’s your decision,” Haines said.