Majorie Taylor Greene isn’t really known for being reserved. The far-right Georgia rep hasn’t been afraid to fearlessly support Nancy Pelosi’s theoretical execution, blame California’s wildfires on Jewish Space Lasers, or ask whether a school shooting was actually an elaborately staged inside job. No topic is too racist, too homophobic, or too taboo to be commented on—except for one: whether she’s been vaccinated.
That question “is a violation of my HIPAA rights,” she told a reporter during a Tuesday press conference held in the wake of her latest Twitter suspension.
According to Twitter, Greene was hit with the 12-hour moratorium after she used the platform to propagate misinformation surrounding COVID-19 vaccines, which she most recently referred to as part of some nebulous “human experiment.” Sure, most would agree with overwhelming evidence that suggests getting jabbed is an easy way to combat future infections, but Greene isn’t most people. She isn’t going to let the Biden administration bully her oldest (and most at-risk) constituents into getting vaccinated, and she isn’t going to let some Mainstream Media outlet bully her into disclosing her vax status—especially not when she had a federal privacy law on her side.
“You see with HIPAA rights, we don’t have to reveal our medical records and that also involves our vaccine records,” she said, with the confidence of someone who’s invoked that line at least a dozen times when talking to the press. She also couldn’t be more wrong.
“HIPAA was never a general health privacy rule,” said Kirk Nahra, a privacy and cybersecurity lawyer based out of Washington DC. Last month, Nahra published a blog post addressed to the sudden wave of posters and pundits invoking the law in all the wrong ways—and not even spelling it correctly.
Despite kinda sounding like the word “hippo,” when said aloud, the acronym has always been HIPAA (with one “p,” two “a’s”), which stands for the Health Insurance Portability and Accountability Act. The original purpose for the law, per Nahra, was portability: the “ability to take your health insurance with you when you switched jobs,” he explained. Congress wouldn’t get around to tacking on a set of privacy standards until years later with the rollout of the Privacy Rule in 2003—but even then, these privacy statutes were always meant to apply to a specific set of figures handling a specific kind of data for a specific set of purposes. Period.
“HIPAA was never a general health privacy rule,” Nahra went on. “It mainly regulates how doctors, hospitals, and health insurers can use and disclose patient information. If you aren’t one of those or working on behalf of one of those the rules probably have zero impact on you.”
As you might expect from a 169-page slab of privacy law that’s been revised and remolded seemingly every time a new president steps into office, Greene isn’t the only one who’s turned HIPAA into a shorthand for all things health and privacy. As far back as 2013, some congress members expressed concerns that doctors across the country were broadly misconstruing what kind of data they were allowed to share without patient consent. They were right; since then, we’ve seen dozens of cases of so-called “covered entities,” like doctors and health insurers being sued after they disclosed more about patients than the law allowed. These are the sorts of parties subject to HIPAA’s privacy standards, along with so-called medical “clearinghouses” that physicians use when sending e-claims to insurance carriers.
In other words, you’re free to ask any elected official anything about their vaccination status—and they’re free to answer however they want. That’s not “violating HIPAA,” that’s just “having a conversation.”
You’re also allowed to (politely!) ask your friends, neighbors, potential hookups, or whoever else about their vax status, and they’re free to (politely!) decline. In a similar vein, bars, gyms, diners—or any business that isn’t primarily staffed by people handling some sort of e-record regarding your health—are free to ask the same. There are some nuances depending on where you live; there are more than a dozen states that have put some sort of restriction on requiring vaccination proof in general, while Texas, Montana, and Florida specifically bar private businesses from asking for that info.
Similar rules apply to the private businesses you might work for. The Equal Employment Opportunity Commission put out its own notice last December detailing the sorts of questions employers can ask their employees without falling afoul of HIPAA. In short, your boss is free to ask if you’ve tested positive for COVID-19 or your vaccination status—and they’re also free to store that data internally, as long as it’s kept in a confidential location that’s separate from other personnel files. And you’re free to decline.
Things get a bit trickier if that employer starts probing into certain specifics, like why you might not have gotten vaccinated, or why you might not be wearing a mask in the office—but not because of HIPAA. In this case, it opens the door for an employer to violate the Americans with Disabilities Act since those questions open the door to potential discrimination against workers who might not have gotten the jab for medical or religious reasons. Under the ADA, the most an employer is allowed to do is “bar an employee from physical presence in the workplace.”
“Think of HIPAA as who, not what,” Nahra said. “If your employer has health information because you need medical leave, it’s not under HIPAA. But the doctor who diagnosed you for the same thing had to follow [that law].”
In other words, you can’t ask Majorie Taylor Greene’s doctor for her full medical history. But you’re free to ask her any question you want.