HIPAA and non-medical businesses

May 28, 2021

The Healthcare Portability and Accountability Act of 1996, or HIPAA for short, was designed to do a few things. First, it created COBRA rights, making it easier for an employee who left a job to continue coverage for a time period afterwards. It also created Flexible Spending Accounts, set guidelines for group health plans and had provisions concerning life insurance. What most people know about HIPAA, however, is the provision that concerns the privacy expectations of medical information. Yet the law was designed to keep some information private in some circumstances, not to create a right.


For an entity to fall under the rubric of HIPAA, it must be a described entity, such as a doctor’s office, medical provider, nurse, hospital, or insurer, or otherwise connected to the delivery of, payment for, and insurance of health care. So restaurants, grocery stores and law offices are not described entities, because they do not deliver health care.


Second, under HIPAA information is supposed to flow through appropriate channels with safeguards. It allows a doctor’s office to transmit prescription information to a pharmacy, a hospital to send a bill to an insurer and communicate with a doctor outside of the hospital, and researchers to obtain information to carry out medical research. Sometimes the information is anonymous, sometimes partially redacted, other times simply safeguarded.


It does not prevent you from giving your health information to your neighbor, wearing a FitBit that communicates with all sorts of entities, or broadcasting health information on the evening news. Taken to the illogical extreme, under the vaccine argument I see, the question “How are you?” would be the same violation.


If a covered entity (remember: doctors, hospitals, etc.) discloses information it should not, it MAY have a liability. But who enforces that? The Department of Health and Human Services. It is the only entity that has enforcement rights, although persons can ask to have an investigation started if a covered entity is not appropriately safeguarding information. No one else enforces HIPAA. So if you are going to get all indignant and threaten to sue a grocery store or bowling alley for violating HIPAA, the person you sue can turn around and recover their costs of defense from you, because it is well-settled law that there is no private right of action under HIPAA. Without a private right of action, there is no right for a private citizen to protect, meaning an individual person has no ability to sue for a purported HIPAA violation.


What does that mean for a non-medical place that wants to know your vaccine status? Well, they can ask, and they have not violated HIPAA. Think about it: you volunteer your medical information all the dang time. Your smart watch that collects information about your heart rate and sleep? Health information. Filling out a form that asks for your height and weight? Health information. Telling a waiter you are gluten-intolerant or have a food allergy? Health information. There is literally nothing special about your vaccine status. Moreover, it’s just like all of the other information you already share. Facebook knows where you are, and probably knows if you are vaccinated; Google tracks every move you make too, and Apple is no different. So really, stop pretending there is something special about sharing your vaccine status. Nor is it a violation for a business to ask. If you do not want to answer, don’t. But be ready to accept the consequences. They may include being barred from entry, receiving services remotely, or being asked to wear a mask.