What HIPAA is and is not: A primer on the healthcare privacy law

A line of people outside a bar.
Akbar, which reopened in June, is one of the L.A. bars requiring patrons to show proof of a COVID-19 vaccination to enter. A bar asking your vaccination status is not a HIPAA violation.
(Myung J. Chun / Los Angeles Times)

If you’re being interviewed and a journalist asks you if you’re vaccinated, is that a violation of HIPAA?


What if your employer is asking you to prove you’ve been vaccinated — is that a HIPAA issue?


What if you go to a bar or restaurant or store and a person at the front door says you need to show proof of vaccination to enter? Are they violating your HIPAA rights?


Still no.

HIPAA — short for the Health Insurance Portability and Accountability Act of 1996 — only covers what information specific healthcare-related entities can share about you without your consent. A journalist doing a televised interview or a post-game news conference is not one of them. Neither is your employer or your school. Neither is the bouncer at one of the bars in Los Angeles requiring proof of vaccination to enter.

California government and healthcare employees will soon be required to show proof they’ve been vaccinated against COVID-19 or be tested regularly.

July 26, 2021

“I think that the major thing for people to understand with regard to HIPAA is that it’s very specific,” said Ankit Shah, a pediatrician with a law degree who teaches health law as a lecturer at USC. “Healthcare entities have your information and are prohibited from sharing it without your consent. That’s it. That’s HIPAA.”

HIPAA has been in headlines a lot lately. U.S. Rep. Marjorie Taylor Greene of Georgia, fresh off a 12-hour Twitter suspension for vaccine misinformation, told a reporter that asking if she was vaccinated “is a violation of my HIPAA rights.” In a similar incident days later, Dallas Cowboys quarterback Dak Prescott told a reporter who asked the same question, “I think that’s HIPAA.”

Neither of those incidents are HIPAA violations, Shah said, because journalists are not included in HIPAA. Similarly, despite what North Carolina’s lieutenant governor recently suggested, people doing door-to-door outreach asking whether people are vaccinated also would not violate HIPAA.

“People always apply [HIPAA] to everybody. It’s not applicable to everybody. Only healthcare providers, health plans, and their business associates,” Shah said — collectively known as “covered entities” under the legislation.

So what would be a HIPAA violation? Hypothetically speaking, something like if your doctor’s office published a list on its website of every patient and which vaccines they’d received. Or if your employer called your doctor and asked whether you were vaccinated and the doctor’s office told them without your consent. It would have to be a scenario in which a specific healthcare provider or related business or entity was sharing your private medical information without you consenting to it being shared. It is not a legal shield that prevents anyone from asking you if you’ve been vaccinated against COVID-19.


It used to be hard to find a vaccine appointment. Not any more. Here’s how to get your COVID-19 shot.

July 20, 2021

“The general perception of HIPAA is that it’s this overarching privacy umbrella that covers everybody on Earth, but no, it’s very specific,” Shah said.

If someone asks whether you’re vaccinated and you don’t want to tell them, you don’t have to. But their asking does not violate your rights under HIPAA. And in response, that person can choose not to employ you or let you come in and grab a drink. Americans enjoy many rights, but entry to happy hour is not one of them.