Fact Check: No, That’s Not a HIPAA Violation

The Health Insurance Portability and Accountability Act of 1996, better known as “HIPAA,” is a very well-known federal law (and no, for the record, it is not “HIPPA,” as you often see it referred to online). In my experience, it is also one that is misunderstood by a large number of people. The goal of this blog is to bring some clarity to questions that frequently arise.

  1. What is HIPAA? HIPAA is a federal law that deals with, among other things, the privacy and security of certain healthcare information. But here is the kicker – HIPAA does not apply to every person or business. It only applies to “covered entities” and their business associates, as those terms are defined by the law.
  2. What does HIPAA protect? When HIPAA applies (see more below), it protects the use and disclosure of certain types of healthcare information (known as “protected health information” or “PHI”). This can include your medical records, health insurance billing information, and things of that nature. HIPAA allows covered entities and their business associates to use PHI for certain defined purposes, such as providing treatment to the patient, processing payment for medical services, healthcare operations, and the like. HIPAA prevents covered entities from using or disclosing PHI for non-authorized uses, absent patient consent. So, for instance, HIPAA would prevent your doctor’s office from sending your medical records or other PHI to your neighbor, unless you provided a specific authorization for that release.
  3. What is a “covered entity”? A “covered entity” is an entity that is subject to the requirements of HIPAA. Generally speaking, covered entities are things such as healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to the business associates of covered entities (i.e., contractors or other outside persons and companies who are not employees of the covered entity, but who have access to protected health information for purposes of providing services to the covered entity). Examples of business associates could include IT consultants, medical billing companies, etc.
  4. Who is not covered by HIPAA? A common misconception is that all individuals and companies are bound by HIPAA, but as stated above, that’s simply not true. HIPAA only applies to covered entities and their business associates, and those terms are specifically defined in the statute and regulations. Therefore, any person or business that does not meet the definition of covered entity or business associate, as set forth in the law, is not subject to HIPAA. Practically speaking, this means that HIPAA really has nothing whatsoever to do with most people, businesses, and employers. For instance, most places that people visit and interact with on a daily basis (schools, municipal offices and agencies, grocery stores, convenience stores and gas stations, gyms, movie theaters, stores, etc.) do not meet the definition of covered entity or business associate and therefore are not bound by HIPAA. The same is true of the average person off the street.
  5. Is it a HIPAA violation for a business to tell me to wear a mask? No. Most businesses are not covered entities and are therefore not subject to HIPAA. But even if you went to a facility that is a covered entity (say, a hospital), it would not be a HIPAA violation for them to tell you to wear a mask. To be blunt, HIPAA simply has nothing at all to do with masking requirements or directives.
  6. Is it a HIPAA violation for my employer to ask me if I am vaccinated? No. Again, most businesses are not even subject to HIPAA. There is nothing in HIPAA that makes it unlawful for a company to ask you if you are vaccinated, or to ask you to provide proof of vaccination. Individuals who have been asked to provide such information generally have the right to choose not to disclose it, but in that same vein, they may also have to live with the consequences of that decision (for instance, denial of entry into the workplace).

These materials have been prepared by Rudman Winchell for educational purposes only. They should not be considered legal advice. The transmission of this information to you is not intended to create a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should not send any confidential or private information to Rudman Winchell until a formal attorney-client relationship has been established, in writing.

Josh Randlett, Esq.
Rudman Winchell