Two people are wearing masks in a garden, theoretically discussing whether asking about vaccination status breaks the law.

Does Asking About Vaccination Status Break the Law?

Does asking about your COVID-19 vaccination status break the law? Specifically, does it violate HIPAA or FERPA? The answer may surprise you: probably not!

Questions about the COVID-19 Vaccination and the Law

You can’t escape the COVID-19 news these days – Delta variants, mask mandates, vaccine mandates. There have also been news stories about whether asking someone about their vaccine status violates HIPAA. Or if you are a student, does asking about vaccine status violate FERPA? As we continue to navigate COVID and more businesses and employers require vaccinations, this might become more important for you to understand.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that keeps our private medical information exactly that – private. But only in certain situations.

HIPAA’s protections only apply to certain actions of a very specific set of actors, called “covered entities.” Covered entities are institutions or individuals providing health care or health insurance. It can also include companies that provide related services such as health data storage or billing. A covered entity is restricted from sharing your protected health information with others, without your consent.

Myths About HIPAA

First, when people spell HIPAA wrong (e.g., HIPPA), that is usually a sign they are not actually familiar with what is in the law.

Second, people often mistakenly think HIPAA covers every situation that involves your medical information. And, it doesn’t. There are circumstances where a health care provider can disclose your medical information. For example, when they notify your insurance company that you received medical care and request payment.

Third, HIPAA also generally doesn’t cover your employer. If your employer discloses your medical information to others, that usually isn’t a violation of HIPAA. One possible exception is if your employer (a hospital) is also your health care institution.

But, your employer disclosing your medical information may bring up some other legal protections such as the FMLA or ADA. For more information about disclosure and privacy in these situations, read our Quick Guide to Disclosure, Privacy, & Medical Certification Forms.

Does Asking About Your COVID-19 Vaccination Status Violate HIPAA?

It depends on who is asking. Let’s look at some examples:

  • A patient in a hospital asks if a nurse is vaccinated. The patient asking the question is not a covered entity. Answer: Not a HIPAA violation.
  • A customer in a restaurant asks a server if the server is vaccinated. The customer is not a covered entity. Answer: Not a HIPAA violation.
  • Your doctor’s neighbor knows you and asks the doctor if you have been diagnosed with cancer. The doctor is a covered entity, sharing your individually identifiable, protected health information, gathered through providing health care services to you, and is not sheltered by an acceptable exception. Answer: Is a HIPAA violation.
  • You work for a construction company. Your employer asks you if you have been vaccinated. Your employer is not a covered entity. Answer: Not a HIPAA violation.

Does Asking About Your COVID-19 Vaccination Status Violate FERPA?

Another federal law, the Family Educational Rights and Privacy Act (FERPA), has also created some confusion for people.

FERPA protects student records in many – but not all – situations. The type of information that FERPA protects is limited: usually to the educational records of a student, and even those can be shared without parental consent in many instances. And, schools are only bound by FERPA if they receive certain types of federal funding.

  • A parent asks whether there has been COVID-19 exposures in their child’s classroom. Answer: Not a HIPAA violation; not a FERPA violation.
  • An advocate asks if a school knows how many of their students older than 12 have been vaccinated. Answer: Not a HIPAA violation; not a FERPA violation.
  • A school sends an e-blast to the entire school sharing the names of the five students who are positive for COVID-19. Answer: Not a HIPAA violation; possibly a FERPA violation.
  • The school nurse shares your child’s name with other parents of kids in the same class as someone who was diagnosed with COVID-19. Answer: Possibly a HIPAA violation; possibly a FERPA violation.

For more information about HIPAA, read: Health Information & Privacy.

Sign up for our blog to get late-breaking news, including the latest about employer vaccine mandates and whether you qualify for a reasonable accommodation.

About Triage Cancer

Triage Cancer is a national, nonprofit providing free education to people diagnosed with cancer, advocates, caregivers, and health care professionals on cancer-related legal and practical issues. Through eventsmaterials, and resources, Triage Cancer is dedicated to helping people move beyond diagnosis.

Similar Posts You May Like To Read:

Triage Cancer