Practice Management Alert

If patients are concerned about their personal privacy surrounding vaccination, you can educate them about other laws or mores that better apply — and everyday situations where health information is distributed freely and without any protections. For example, if a patient tracks their steps or their period, or has a medical emergency and hails a ride via an app — or those ubiquitous vaccine selfies — their medical or health information is collected or even shared without much in the way of protections.

Fletcher gives an example: If you go to a private company’s place of business, like a fast-food restaurant, and they have a mask mandate, they may refuse to serve you if you don’t comply and be within their rights. It wouldn’t be a breach of HIPAA. But if your doctor enters the same restaurant and shares information about your health with other people, without your express permission, that doctor would be violating HIPAA. But if another customer in line, who was not a covered entity or business associate, happened to be recording the doctor and then shared the disclosed information to social media, that individual wouldn’t be violating HIPAA — even though the information of the original disclosure was protected.

Understand How HIPAA Differs From the ADA

Patients may think a law exists protecting their private health or medical information at work but quoting HIPAA isn’t the answer. The Americans with Disabilities Act (ADA) can apply to situations where health privacy and employer/employee relationships intersect. Some medical or health information is considered private and confidential to the individual, and thus beyond appropriate access for employers. The ADA limits what information — specifically disability-related inquiries — employers can ask about their employees.

Employers can require that employees are vaccinated for COVID-19 and still remain compliant with the ADA, but there are some gray areas. For example, employers administering the necessary screening questions and/or giving the COVID-19 vaccine may violate the ADA, because the questions may include disability-related inquiries.

Still, employers are allowed to ask whether employees have been vaccinated elsewhere, as well as require proof of vaccination, without violating the ADA, because these situations are not related to disability, Fletcher explains. The ADA does require employers to treat vaccination status as confidential, and employers may need to make reasonable accommodations if employees can prove they cannot get vaccinated because of a disability.

The Pandemic Has Caused Some Misinformation to Bloom

Although our society may consider inquiries about health information to be rude or in poor taste, they generally aren’t violations of laws. If a patient asks you whether you’ve been vaccinated, HIPAA offers no protections. A concert venue requiring proof of vaccination is not violating HIPAA. Some states have instituted apps to showcase vaccine status, like New York’s Excelsior Pass; these vaccine passports do not violate HIPAA.

Bottom line: HIPAA applies only to healthcare organizations like covered entities and their business associates. If patients approach you with misinformation and seem open to gentle correction, explaining that HIPAA regulates healthcare entities and not “civilian” situations may be helpful.

Resource: The Centers for Medicare & Medicaid Services (CMS) has a tool for determining covered entity status, which you can access here www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.