Can existing HIPAA laws protect us from a de facto forced vaccine via private companies requiring proof of vaccination?

Tyler S. Farley

As covid-19 vaccines are rolled out around the globe, there is a growing concern the vaccine will be made mandatory through restrictions on those who choose not to get it.

These are indeed real concerns as we have seen over the last 10 months, local and state governments have no issue at all overstepping their authority and stripping people of their rights and freedoms under the guise of “emergency declarations”.

However, from a legal standpoint it will be almost impossible for states to make the vaccine mandatory. Forcing a medical procedure on people is filled with too many legal pitfalls. However, what they will do instead is work with private companies to severely limit your ability to live your life unless you show proof of being vaccinated. Such actions would not constitute a mandatory vaccine as you could still choose to not get it. However, it becomes a de facto mandate as not getting the vaccine will make modern life almost impossible.

But there may very well be a legal challenge to this plan as well and that is through the federal HIPAA laws.

For those not aware, HIPAA laws are there to provide individuals with privacy protections in regards to their healthcare information. It also includes penalties for those who violate that privacy. Since these are federal laws, they supersede any state law or mandate.

So with that in mind, let’s say an airline decides to require proof of vaccination before you could book a flight, this would be a HIPAA violation. A vaccination is a medical procedure, and you are not required to disclose that information simply upon being asked. If a private company wants to access to that information, they have to get a signed consent from you authorizing them to access your healthcare information.

So the only way private companies could start requiring proof of vaccination would be if they also had a signed release for them to access your medical records.

The question then would be if people are willing to allow all these separate private companies to each acquire a signed waiver giving them access to your medical history.

As you can see, this opens up a whole can of worms. Now airlines would be responsible for patient confidentiality and safeguarding a patients medical history. Do they really want that sort of additional liability and responsibility? Even if they were willing to accept that, they have no infrastructure or protocols to deal with such requirements.

Some people may argue that the required vaccination would be no different than what schools do for children. The school requires vaccination proof before the child is admitted.

However, this process does include following HIPPA laws. You can see an excerpt from the HIPPA code below and how it requires authorization.

“…The Privacy Rule permits a covered health care provider to disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student, provided the health care provider obtains and documents the agreement to the disclosure from either:

  • A parent, guardian, or other person acting in loco parentis of the student, if the student is an unemancipated minor; or
  • The student himself or herself, if the student is an adult or emancipated minor.

See 45 CFR 164.512(b)(1)(vi).

So this is the crux of the legal argument in order to refuse a defacto mandated vaccination. It would require each of these private companies requiring you to show proof of vaccination to also get a HIPAA waiver signed, which would then make them responsible for the security of the medical information. This means it could not be shared or viewed by normal employees. Such requirements would make it impossible for most private companies to require customers show proof of vaccination as they are simply not set up to handle such information in a private way.

Of course, this would have to be argued in court and would most likely go up to the Supreme Court if it were ever argued. The government could also simply change the HIPAA guidelines and laws, but this would change the laws for everybody and pretty much make HIPAA useless, something else that would likely end up in court.

So it’s very possible that forced vaccination through private companies requiring proof of vaccination could be stopped by existing HIPAA laws. Hopefully such things will never be needed, but it’s good to know there is a legal recourse already available should the covid-19 vaccination start to be required to conduct normal day-to-day activities.

Note: If you enjoyed this article, please make sure to share it!