With states starting to issue vaccine passports, proving that a resident has been vaccinated against COVID, many have been asking, is this a HIPAA violation? To provide guidance, immunization passports and HIPAA implications are discussed.

Do Vaccine Passports Violate HIPAA?

There has been a lot of debate as to whether or not businesses would be in violation of HIPAA by requiring customers to provide proof of vaccination to receive service. The quick answer is, no this is not a HIPAA violation. This is because of two reasons; HIPAA only applies to healthcare organizations and patients would be self-disclosing their status.

Vaccine Passports and HIPAA

First, HIPAA does not apply to all businesses. Ever since the start of the pandemic, individuals have been claiming that businesses have violated HIPAA by requiring proof of a negative COVID test, vaccination proof, or the requirement to wear a mask to receive service. However, none of these fall under HIPAA’s jurisdiction. HIPAA only applies to HIPAA covered entities and business associates. Covered entities are healthcare providers, healthcare clearinghouses, and health plans. Business associates are vendors contracted by covered entities, and as such may come into contact with patient protected health information (PHI) over the course of their work. Any other business such as a restaurant, movie theater, department store, theme park, etc. cannot violate HIPAA because they are not legally required to comply with the regulation.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With 2024

The second, less important, reason why vaccine passports cannot violate HIPAA is because patients (consumers) would be self-disclosing their PHI. Patients are permitted to disclose their health information to any entity they wish without violating HIPAA. Use and disclosure regulations were created to ensure the confidentiality of PHI, and require covered entities and business associates to limit use and disclosure of PHI to the minimum necessary to perform a job function. Individuals (unless they are healthcare workers) cannot violate HIPAA by disclosing PHI, even if it is not their own.

Vaccine Passports and HIPAA

In essence, any business outside the healthcare space can ask consumers to present a vaccine passport or proof of a negative COVID test without violating HIPAA. They also have the right to refuse service to anyone who will not or cannot present proof of their status. 

See How It Works