With Covid-19 restrictions lifting, and more and more businesses either asking for proof of vaccination or weighing their options on doing so, I have had friends, family and clients come to me with the question, “Can a business ask me about my vaccination status to get in? What about HIPAA?” The short answer is, “Yes, they can, and HIPAA doesn't apply.”
In general, a private business can refuse service to anyone within the State of New York, if doing so is not in violation of the New York State Human Rights Law. The New York State Human Rights Law provides: "It shall be an unlawful discriminatory practice for any person, being the owner, lessee, proprietor, manager, superintendent, agent or employee of any place of public accommodation, resort or amusement, because of the race, creed, color, national origin, sexual orientation, military status, sex, or disability or marital status of any person, directly or indirectly, to refuse, withhold from or deny to such person any of the accommodations, advantages, facilities or privileges thereof, including the extension of credit . . . ." (N.Y. Exec. Law § 296(2)(a)). When it comes to Covid-19 vaccination, race, creed, color, national origin, sexual orientation, military status, sex, disability or marital status are not at issue. That leaves the question as to whether a private business basing entry upon the disclosure of vaccination status is a violation of HIPAA.
HIPAA is one of the most misunderstood federal laws and one that applies to a limited group of providers and businesses. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, and protects your Protected Health Information (PHI) from being disclosed without your knowledge and consent. However, HIPAA permits the disclosure of personal health information needed for patient care, so that doctors can share your medical information with each other, such as during treatment or surgery, and as otherwise required by law (45 CFR § 164.512(a); 45 CFR § 164.512(b)(i)).
HIPAA applies to “covered entities” and “business associates.” (45 CFR § 160.103). A covered entity is 1) a health care provider, but only if it transmits any information in an electronic form in connection with a transaction for which HHS has adopted a standard, 2) a health plan, or 3) a health care clearinghouse. A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. Additionally, HIPAA covers “hybrid entities,” which are single legal entities 1) that are a covered entity, 2) whose business activities include both covered and non-covered functions, and 3) that designate health care components. (45 CFR § 164.105(a)).
A health care provider includes providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. A health plan means an individual or group plan that provides, or pays the cost of, medical care, which includes health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care such as Medicare, Medicaid, the military and veterans' health care programs. A health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Private businesses, such as your grocery store, the bank, and the deli, are not "covered entities", "business associates" or "hybrid entities" and are not bound by the privacy restrictions under HIPAA. Thus, if a business requires you to prove you're vaccinated to get inside, whether by providing your vaccine card or providing a verbal response, you are not able to use HIPAA as an excuse not to provide that information for entry.
If you have any questions about your rights when it comes to HIPAA, please give me a call at (631) 938-6543.