You Can Ask about Vaccinations

An explanation of what the HIPAA Privacy Rule covers when you ask your patients about their vaccination status.

Physicians, other health care professionals, and their offices or practices often ask patients whether they have been vaccinated against specific diseases, such as COVID-19. Some patients may reply by asking, “Well, are you vaccinated?” Other patients may answer by saying they do not have to provide that information because their vaccination status is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A member of Congress has even said that a vaccine status question itself would be a violation of a patient’s HIPAA rights. These exchanges do not have to result in conflict or ruined relationships. Instead, they create opportunities to build or fortify trust through patient education.

Privacy regulations under HIPAA are collectively called the HIPAA Privacy Rule.1 The Privacy Rule governs uses and disclosures2 of protected health information (PHI) by physicians, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other clinicians who electronically transmit PHI as part of a defined transaction.3 The Privacy Rule also governs the business associates of these physicians, clinicians, and health care organizations.4 The Privacy Rule does not govern patients or their uses or disclosures of their own PHI.

Key terms related to vaccination status questions are “use” and “disclosure.” Use of PHI is the sharing, employment, application, utilization, examination, or analysis of PHI within the medical office, practice, or health care organization.5 A disclosure is the release, transfer, provision of access to, or divulging, in any manner, of information outside the medical office, practice, or health care organization holding the information.6 Physicians, clinicians, or practices asking a patient for their COVID-19 or other vaccination status is neither the “use” nor the “disclosure” of a patient’s PHI. HIPAA does not prohibit fact- and information-gathering related to the patient’s care or the safety of physicians, clinicians, and practices. Physicians, clinicians, or practice staff can ask patients or visitors whether they have received a particular vaccine, including COVID-19 vaccines.7

Once the physician, clinician, or practice obtains or receives the patient’s answer to the vaccination status question, the physician, clinician, or practice is then positioned to “use” or “disclose” the information. Except in certain situations permitted or required by the Privacy Rule, physicians, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other clinicians must obtain the patient’s or patient’s representative’s authorization before using or disclosing the patient’s vaccination status or other PHI. The Privacy Rule generally permits the use or disclosure of a patient’s vaccination status to the patient’s health plan when required to obtain payment for vaccine administration, and to public health authorities.8

When asked about their vaccination status, some patients turn the question on the inquiring physician, clinician, or practice staff, especially after reading or hearing about a physician or nurse who is not vaccinated against COVID-19. The HIPAA Privacy Rule governs physicians, clinicians, and practices as keepers of patients’ PHI but not as keepers of their own PHI. Physicians, clinicians, and practice staff may or may not choose to share their vaccination status. The patient asking about your vaccination status may be sincerely fact- or information-gathering to assess their own risk for COVID-19 or other infectious diseases. Your positive vaccination status may encourage the patient to pursue vaccination.

MICA’s Risk Management Consultants are frequently asked whether the physician or clinician must continue to treat the patient if the patient has not been vaccinated and/or does not intend to get vaccinated. Some physicians or clinicians may see the patient’s refusal to be vaccinated as a breakdown in the treatment relationship and believe the patient can have a more effective relationship with another physician or clinician. Before deciding to terminate the treatment relationship, the physician should carefully evaluate the acuity of a patient’s medical condition, any special circumstances, and need for uninterrupted care. High acuity may necessitate continued treatment and tabling consideration of termination until after the patient stabilizes.

One acuity consideration is the availability of a physician to take over the patient's care and how quickly another physician can see the patient. Some specialists may not be able to schedule an appointment for the patient for two to four months. The physician should assess the patient’s medications, how closely the medications need to be monitored, the need for prescription refills, and arrange for the patient’s medication needs during a transition to a new physician. The physician should take reasonable steps to ensure continuity of care during the termination process to minimize the risk of an alleged injury or adverse outcome before the patient begins treatment with a new physician.

Acuity Considerations

- Availability of appointments with other qualified physicians within a reasonable geographical location
- Medications requiring monitoring and/or refills
- Need for follow up appointments, wound care, and monitoring post-hospitalization or surgery
- Pregnancy stage and co-morbidities
- Medical, mental, and surgical history
- Psychiatric condition and medications

Like the decision to perform a surgery or procedure, appropriate termination of patient relationships should include a discussion with the patient, documentation of the discussion, and sending a letter by mail and, if applicable, email, summarizing the discussion and restating the result. The physician should talk to the patient and explain the decision to terminate the treatment relationship. After documenting the discussion and the patient’s replies in the medical record, the physician or practice should send a letter to the patient summarizing the discussion, emphasizing the breakdown in the physician-patient relationship, and the next steps. Sometimes, a physician knows a reasonable conversation with the patient is not possible and sends a letter to the patient without having a discussion. In that case, the letter should include a simple and short explanation for ending the patient relationship. The physician should edit any template-based letter to the specific patient and situation. In all cases, the physician should sign the termination letter. The practice should put a copy of the letter in the patient’s medical record and notify appointment schedulers of terminations.

Finally, in considering whether to terminate a patient relationship based on vaccination status, you may also wish to consider whether the relationship can be maintained during the pandemic by alternative means such as by telemedicine. Additionally, as noted by the response of some to vaccine mandates in employment, there is the risk that a patient will allege that their refusal to be vaccinated is due to religious belief, and the physician’s office engaged in religious discrimination by terminating the patient relationship.

Correctly and respectfully answering patients’ HIPAA questions promotes the patient’s impression of your competence and care, further strengthening your relationship. The U.S. Department of Health and Human Services (HHS) issued HIPAA, COVID-19 Vaccination, and the Workplace to help ensure clear, unambiguous communication between physicians and clinicians, their practices, and their patients when dealing with the question of COVID-19 vaccinations as well as all other vaccinations. The frequently-asked-questions-and-answers affirm that the HIPAA Privacy Rule9 does not prohibit physicians, clinicians, or practices from asking patients whether they have received a particular vaccine. Physicians and practices are welcome to print HIPAA, COVID-19 Vaccination, and the Workplace to share with patients and their families and caregivers.

1 The HIPAA Rules are the Privacy, Security, Breach Notification, and Enforcement rules.

2 45 CFR 160.103 defines “use,” “disclosure,” and “protected health information.”

3 A defined transaction carries out financial or administrative activities related to health care. See 45 CFR 160.103 (definition of “covered entity” and “transaction”). See also

4 See 45 CFR 160.103 (definition of “business associate”). See also the HHS’ Direct Liability of Business Associates Fact Sheet at

5 See 45 CFR 160.103 (definition of “use”). 

6 45 CFR 160.103 (definition of “disclosure”).

7 See HHS’ guidance HIPAA, COVID-19 Vaccination, and the Workplace.

8 See 45 CFR 164.506(c)(1) & 164.512(b)(1)(i). Disclosure is limited to the minimum information reasonably necessary to accomplish the stated purpose. See 45 CFR 164.514(d)(3) & (d)(3)(iii)(A).

9 For more specific information and details, see HHS’ guidance HIPAA, COVID-19 Vaccination, and the Workplace.

The content of this publication or presentation is intended for educational purposes only; is not an official position statement of Mutual Insurance Company of Arizona (MICA); and should not be considered or relied upon as professional, medical, or legal advice or as a substitute for your professional judgment. Consult your attorney about your individual situation and the applicable laws. The authors, presenters, and editors made a reasonable effort to ensure the accuracy of the information at the time of publication or presentation but do not warrant or guarantee accuracy, completeness, or currency of such information. As medical and legal information is constantly changing and evolving, check for updated information and consult your attorney before making decisions.
