HIPAA, a rule that protects health records from being shared by medical providers, does not defend individuals from being asked for vaccination records by private businesses, an attorney who practices that type of law said. Maureen Brady, an attorney from Kansas City who works on HIPAA violation cases, said not only can employers and businesses request vaccination records, but they can also base employment decisions on those records.
Brady said the only gatekeepers of medical information are the individual and medical providers. She said if businesses went to medical providers and somehow received information, that would then be a HIPAA violation.
“We, the private citizens of the world, do not have HIPAA rights,” Brady said. “Covered entities include health-care providers, health insurance plans … those who provide medical treatments to patients.”
Brady said a lot of people are confused about what is actually considered a violation of HIPAA rights. HIPAA violations usually occur when “nosey neighbors” who work within health facilities go against HIPAA laws.
Brady said there have not been many HIPAA issues during the vaccination stage, but in the early stages of COVID-19 testing, there were problems with contact tracing when information about people who had false positives was spread incorrectly. While contact tracing did not go against HIPAA laws due to exceptions for the pandemic, false-positive contact tracing did.
“HIPAA is not just a procedural statute. The real teeth of HIPAA is that it can have civil and criminal penalties,” Brady said. “This is regulated by the federal and state governments and they can impose some pretty severe sanctions for wrongful disclosures of information.”