Just to be clear, the Health Insurance Portability and Accountability Act (“HIPAA”)[fn1] does not prevent your bishop from asking you about your vaccination status. It doesn’t prevent your ward from doing contact tracing and informing people who attended church that someone had Covid at a meeting you attended. It doesn’t prevent the ward from asking (or requiring) attendees to wear masks.[fn2]
And look, I guess it’s fair to be a little scared. HIPAA does provide that a “person who knowingly and in violation of this part … discloses individually identifiable health information to another person[] shall be punished” with fines and potential imprisonment.
But–and this is critical–those penalties do not apply to just anybody who discloses individually identifiable health information to another person. It has to be someone who does so in violation of the HIPAA rules. And guess what? The HIPAA rules define the scope of who they apply to: health plans, health care clearinghouses, and certain health care providers. (Congress subsequently added Medicare prescription drug health card sponsors to this list.) If you’re not one of these four types of people–and the church is not–HIPAA doesn’t apply to you.[fn3]
Also, for what it’s worth, courts have consistently held that HIPAA does not create a “private right of action.” In non-lawyer-speak that means that even if your HIPAA rights are violated, you don’t get to sue. The civil prohibitions are enforced by fines from the Secretary of Health and Human Services. So if you think your HIPAA privacy rights have been violated and you go to court, the court will dismiss your suit. If you want something done about it, you file a complaint with HHS.
Which is to say, there’s nothing in the law prohibiting the church from asking if you’ve been vaccinated, from requiring you to wear a mask at church, or from doing contact tracing. If it choses not to do any of these things, the church has made a deliberate choice.
Note that I’m not a health law expert and that this post doesn’t represent legal advice. But also, I’m perfectly capable of reading the law and I’m right.
[fn1] Remember, the acronym has two As, not two Ps. This chart is really helpful in remembering the difference between HIPAA and HIPPA (and, for that matter, HIPPO).
[fn2] I’ve heard about church leaders in various places around the country asserting that they can’t do [X] because of HIPAA. So I’m subtweeting all of them here.
[fn3] If you still aren’t sure that the church isn’t subject to HIPAA, you can use this tool from the Centers for Medicare and Medicaid Services.