HIPAA has become a bit of a buzzword recently for people concerned about their vaccination status becoming public.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was signed into law by President Bill Clinton in 1996. The statute’s main concern was not, in fact, privacy, but modernization of the flow of health care information.
One part of HIPAA does cover privacy. The Privacy Rule stipulates that so-called “protected health information” should not be disclosed without the individual’s consent by certain organizations, called “covered entities.” These include health plans, health care providers, health care clearinghouses, and business associates. Business associates refers to “a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”
In other words, your doctor can’t release your medical records without your consent. It does not mean that you cannot be questioned about your vaccination status.
According to the U.S. Department of Health and Human Services, “The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.”
This is the reason that your employer can ask you for a doctor’s note or other health information. It would only be a violation of HIPAA for your doctor to reveal health information directly to your boss, but your employer is well within their rights to ask you for that information.
HIPAA is about protecting you from breaches of security — intentional or not — by your health care provider, not from questions about your vaccination status by your employer or other individuals.