Civic Lab Online: What is HIPAA?

Posted on July 1, 2021 at 6:00 am

About Civic Lab Online

Civic Lab Online provides information on issues facing our community for you to explore. Take a look at thought-provoking materials for teens and adults that allow us to engage in open conversation and grow together as a community. You’ll find all past topics on the Civic Lab Online web page.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) protects our privacy when it comes to personal health issues. You may be wondering what HIPAA covers and what organizations must abide by HIPAA. Here are some fast facts about HIPAA to provide some answers and help you dig even deeper into this act.

Fast Facts

What is HIPAA? Who must follow the rules of HIPAA? What rights do I have under HIPAA? What are HIPAA’s limitations?

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, operates under a Privacy Rule that provides guidelines as to when citizens can control who accesses their health information, have input on their health records, and access copies of their records.

Organizations that must follow HIPAA are covered entities. Covered entities include:

  • Health care plans and providers or processors of health information.
  • Their business associates, such as lawyers, IT professionals, and billing companies that have access to healthcare information.

The penalties for violating HIPAA may be civil penalties of large fines, criminal penalties of jail time, or both.

Most school districts, employers, child protective services, law enforcement, and life insurers do not have to follow HIPAA, though they may have access to medical information about you.

Under HIPAA, you have the right to ask for a copy of your healthcare records (except for psychotherapy notes) and cannot be denied access if you haven’t paid your bill.

  • You may have to pay shipping to receive a record, but in most cases, it must be sent to you within 30 days.

HIPAA also gives you the right to ask that any wrong or incomplete information be changed in your records.

  • If you and your healthcare provider disagree on whether information is correct, you have the right to have your disagreement noted in the file.
  • In most cases, it must be changed within 60 days.

Information about your health can be legally shared with certain organizations outside your doctor’s office to protect public health, such as reporting total numbers of flu cases in an area. HIPAA gives you the right to know who accesses your information.

  • In most cases, doctor’s offices and health care plans provide you with this information up front, but you can request it again at any time.
  • Usually, to provide health information to advertisers, your place of employment, or other third parties, you must give your written permission first.
  • A doctor can discuss your health in front of others if you are present and don’t object or if you are unconscious and medical personnel judge it in your best interest.

You can also request that your health information not be given to specific people.

  • You can request that certain information not be shared with a spouse or family member.
  • You can request that a clinic not share your prescriptions or diagnosis with your health insurance provider so that the cost of your insurance doesn’t rise, as long as you pay the cost of your treatment out of pocket.
  • You can also request that your health information not be shared with other healthcare professionals, but your request can be refused, especially if it interferes with your care.
  • A doctor also might share information about your health with immediate family if you are incapacitated or in crisis, such as a drug overdose or mental breakdown.
  • You can make reasonable requests about how you are contacted, such as what phone number you prefer to be reached at and that health information be sent in envelopes rather than postcards in order to protect your privacy.

What about HIPAA and COVID-19? When can people ask me about my vaccination status? When can my employer ask if I have COVID-19?

COVID-19 vaccines do count as protected health information (PHI) and are covered by HIPAA.

  • This means the healthcare organizations that provide vaccines and doctors cannot disclose who has been vaccinated without patient permission.

HIPAA does not apply to employers or your employment records, even if health related.

  • Your employer does have the right to ask you for health information or a doctor’s note if it applies to sick leave, workers’ compensation, wellness programs, or health insurance.
  • They can also ask your doctor directly, but if your doctor were to provide any information without your permission, the doctor would be in violation of HIPAA. 

Just as employers are legally allowed to require uniforms, employers can require that employees wear a mask to work.

An employer can require employees to provide their vaccination status, such as a copy of their vaccine card, according to the U.S. Equal Employment Opportunity Commission’s recent guidance for the workplace. However, if an employer asks why a person is not vaccinated, they may be in violation of other federal laws, such as the Americans with Disabilities Act (ADA) or the Genetic Information Nondiscrimination Act (GINA).

There is no current requirement to get a COVID-19 vaccination at the state or federal level, but there is precedent for legal vaccine requirements.

  • The U.S. Supreme Court did establish in 1918 that health departments have the right to require a smallpox vaccination for the good of public health.
  • School registration also requires proof of recommended childhood vaccinations in Washington State.
  • Vaccinations are required to travel to certain countries.
  • It is not yet clear whether the COVID-19 vaccine will be required for some public settings, or just recommended.

Read, Watch, Listen


Chiu, Allyson. Explaining HIPAA: No, it doesn’t ban questions about your vaccination status. The Spokesman-Review, May 26, 2021.

An explanation of when you may be asked about your vaccination status; recent misconceptions about HIPAA in the news; and some tips for respectful conversations.

Quick Reference to HIPAA compliance. Wolters Kluwer Legal & Regulatory, 2008.

A comprehensive guide for those in professional positions that has information for when your organization may need to adhere to HIPAA guidelines and how to do that.


Update on HIPAA and Covid-19. Office for Civil Rights, U.S. Department of Health and Human Services. 24 April 2020. Webinar.

Experts from the Office for Civil Rights offer explanations of when COVID-19 medical information may be shared in compliance with HIPAA.


McGee, Marianne Kolbasuk. “Could HIPAA Changes Weaken Patient Privacy?” Health Information Security, 9 March 2021.

Medical professionals from the Association of Health Information Outsourcing Services discuss proposed changes to HIPAA under Donald Trump’s administration and how healthcare professionals balance convenience for patients and protecting patient information.

Digital Resources

Gale in Context: Science

Learn more about HIPAA with our digital resource Gale in Context: Science.

Print & Other Materials in Our Catalog

Search our catalog for books, large print, eBooks, and audiobooks.

Downloadable Documents

Fast Facts: What is HIPAA?
Read, Watch, Listen: What is HIPAA?
