No. The Privacy Rule2 does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
First, the Privacy Rule3 applies only to covered entities4 (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates.
Second, the Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use6 and disclose7 protected health information8 (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.
Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
Additional examples. The Privacy Rule does not apply when an individual:
Is asked about their vaccination status by a school,9 employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.