A red herring is something that misleads or distracts us from a relevant, important question. The vast majority of times we see the term HIPAA these days on social media, it’s a great example of what a red herring is in practice.
HIPAA stands for Health Insurance Portability and Accountability Act and is often raised by people today in discussing COVID-19-related issues, such as vaccine passports.
Some people have argued that vaccine passports (being asked by a private business such as an airline, a supermarket or even an NFL team, to prove that you have been vaccinated) are a HIPAA violation so they can’t be enforced. This is simply wrong, no matter how often it is repeated and no matter how meme-worthy it is on social media.
It is not a HIPAA violation if a business requires you to provide proof of vaccination before they let you fly, buy your groceries or watch your favorite team play in person. Yet the reasons why might surprise many people.
The first reason – the one that most people miss when invoking HIPAA as either a sword or a shield in an argument – is that it applies only to health care organizations.
The second is that you would be self-disclosing your status. HIPAA exists to prevent others from illegally disclosing certain health care information about you. You can’t violate HIPAA in revealing health care information about yourself and, sadly for many social media pundits, you can’t invoke HIPAA as a defense when a burger joint says, “no shirt, no shoes, no vax, no service.”
As Florida lawyer Adriana Gonzalez explains:
“What HIPAA actually does is protect against impermissible disclosures of your protected health information. HIPAA has 115 pages of information and contains hundreds of ways its rules can be violated. But a private business asking you whether you’ve been vaccinated isn’t one of them.”
HIPAA was designed to cover only certain covered entities and business associates. Examples of these covered entities are your doctor and other providers of health care and your health insurance plan. Business associates are vendors contracted by the covered entities. They are covered because they could conceivably have access to your HIPAA-protected health information.
Again, the importance of the voluntary nature of self-disclosure can’t be overstated here. When you go to a business because you want their services and they ask you for proof of vaccination, from a legal perspective you are actually providing this information voluntarily. HIPAA permits you to disclose your own health information to any entity you want. It’s your information.
So how is this voluntary? Because you can choose to provide it or choose not to.
Sure, if you don’t provide the information, you won’t be allowed to fly, buy your chicken nuggets or watch the 49ers play. But if you do, it is – whether you like it or not – a self-disclosure.
Back to the red herring: the problem with these ongoing HIPAA conversations is that they distract from the real issue — that bodies such as the Centers for Disease Control and Prevention are advising people to get vaccinated. While there are reasons some Americans aren’t getting vaccinated, those who choose not to take a COVID-19 vaccine are going to have other types of choice limited. For these individuals, HIPAA will prove as ineffective a defense as being unvaccinated.
Aron Solomon is the head of strategy for Esquire Digital and the editor of Today’s Esquire. He has taught entrepreneurship at McGill University and the University of Pennsylvania, and was the founder of LegalX, the world’s first legal technology accelerator.