Breaking News
More () »

What and who does HIPAA cover?

Can a private business ask customers to wear a mask as a condition for service? Some say that's a HIPAA violation, experts say it's not.

BOISE, Idaho — You may have heard the phrase HIPAA before, but do you know what it entails?

Living through a pandemic has prompted very public discussions about health and information. Although CDC guidance has recently changed, some businesses are still asking customers to wear a mask, regardless of vaccine status. Some businesses have received pushback on that from customers, some claiming it is a HIPAA violation to ask them to wear a mask or inquire about vaccine status.

To explain how HIPAA fits in with things like masks and vaccines, KTVB asked medical law expert Kim Stanger for insight. He says HIPAA does tend to trip some people up.

“There is a lot of misinformation out there. A lot of people think it’s a lot broader than it is,” Stanger said.

Stanger is a partner at Holland & Hart law firm where he is the head of the health law group there. He specializes in HIPAA. For starters, what is HIPAA?

“HIPAA is short for the Health Insurance Portability and Accountability Act. HIPAA was designed to protect health information that is generated by a covered entity. Covered entities are healthcare providers, health plans, and certain healthcare clearinghouses and also their business associates. So, HIPAA only applies to those covered entities in their use or disclosure of protected health information,” Stanger said.

HIPAA was signed into U.S. law in 1996, Stanger explains the goal behind the act.

“The government was concerned, especially as we move to more and more electronic records, that this information would be subject to breaches of confidentiality. So, they put in place HIPAA that required those covered entities to implement certain safeguards. Electronic, physical, technical safeguards to maintain the privacy of protected health information,” Stanger said.

So, is a private business violating HIPAA by asking people to wear a mask or by simply bringing up a something that could be seen as a personal health question?

“No, not in that particular context. There might be some limitations for employers on what employers can ask about employees. There might be situations involving public entities that can’t engage in discrimination but for just your private run-of-the-mill shop owner who asks questions of customers, no that’s not a violation of the law,” Stanger said.

Some may not like it, but if a customer in a private business is asked if they’ve been vaccinated or if they will wear a mask, it isn’t a violation of HIPAA.

“It doesn’t violate HIPAA. HIPAA doesn’t apply to those shop owners,” Stanger said.

So, is the no shirt, no shoes, no service rule also translate to no mask, no service? Stanger says yes.

“That’s a good way to look at it, that is pretty much the same. Most of these businesses are privately owned and as private entrepreneurs they are generally entitled to make the rules for those who want to come onto their land. Just like in your house you can require certain things of those people who come into your house. That’s your space, your private space,” Stanger said.

Stanger adds that, of course, businesses can’t violate discrimination statutes, but that HIPAA isn’t one of those types of statutes.

So, the final word on HIPAA, can a private business violate it by asking customers to wear a mask?

“Private individuals can’t assert a HIPAA violation against people who are not healthcare providers or health insurance companies,” Stanger said.  

Join 'The 208' conversation:

Before You Leave, Check This Out