No, HIPAA isn’t a be-all, end-all medical privacy law
Anyone who has spent time on social media knows there are a lot of folks who think HIPAA, the Health Insurance Portability and Accountability Act of 1996, prevents any entity from asking whether an individual has received a coronavirus vaccine, and also prevents stores and retail outlets from requiring patrons to wear masks.
As the Cato Institute’s Walter Olson writes, the heated assertions about HIPAA’s powers are dead wrong:
Let’s talk about the ways HIPAA is narrow. In general, its data-privacy obligations apply to “covered entities,” a legal term that includes many health care providers, insurers, and some related entities like clearinghouses that gather and retain health data. It doesn’t cover employers except insofar as they may enter the category in the course of such activities as operating a health plan.
What that means is unless the service they are offering is itself health care or the like, most businesses have no HIPAA obligations at all toward customers—that goes for restaurants, stadiums, and theaters, for example.
Next on the list of misconceptions is that HIPAA somehow bans asking you questions about your health. It doesn’t. Even businesses that are covered by the law, such as doctor’s practices, can in general ask you all the medical questions they please.
What they can’t do, without paying close attention to the law’s provisions, is let others see the resulting information. If your employer collects health data about you while running a health benefit plan, it must avoid disclosures you have not consented to.
Bottom line: HIPAA isn’t the invincible barrier some people think it is…never was, never will be.