WASHINGTON, D.C., USA —
As more businesses and events decide to require proof of vaccination, some Verify viewers have asked if a vaccination card on its own is a protected by the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA. Let's verify.
THE QUESTION
Is a vaccine card on its own protected under HIPAA?
OUR SOURCES
- Department of Health and Human Services (HSS)
- Centers for Disease Control and Prevention (CDC)
- Kayte Spector-Bagdady, a lawyer and bioethicist who is also the associate director at the University of Michigan’s Center for Bioethics and Social Sciences in Medicine
THE ANSWER
No. HIPAA only applies when your medical information is in the hands of a "covered entity," defined below. HIPAA does not apply to your vaccine card in any one else's hands, including your own.
WHAT WE FOUND
The CDC defines HIPAA as a federal law “that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
One of the rules created to protect people’s health information is the privacy rule, which sets standards for the use and disclosure of people's protected health information. The privacy rule applies to what are called “covered entities.”
There are three different categories of covered entities, according to the U.S. Department of Health and Human Services (HHS). One group is health care providers, including doctors, clinics and pharmacies, that electronically transmit health information in connection with certain transactions, such as claims or benefit eligibility inquiries.
The second category is health plans, which include health insurance companies and government programs that pay for health care, such as Medicare and Medicaid.
The third is health care clearinghouses, which HHS says includes billing services and repricing companies.
The HIPAA privacy rule also applies to business associates, which HHS defines as “a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”
HSS established HIPAA standards and set privacy rules that protect your sensitive health information in 1996.
Kayte Spector-Bagdady, a lawyer and bioethicist who is also the associate director at the University of Michigan’s Center for Bioethics and Social Sciences in Medicine, said there is sometimes a misunderstanding of what HIPAA does.
“People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information,” she said.
According to Spector-Bagdady, "HIPAA does not protect your medical information from anyone at any time and your vaccination card is not a 'HIPAA-protected document.'"
She says medical information is only HIPAA-protected if a healthcare provider, health plan, or associate is holding it.
For example, if your doctor has your vaccination information, she cannot share it with other people without your permission. But this does not prevent other places, like restaurants or stores, from asking you for it or from telling you that you can't come in without showing it.