Good Question: Do HIPAA rules apply to vaccine passports?


ROCHESTER, N.Y. (WHEC) — Vaccine passports. That’s a phrase getting a lot of attention recently.

Here in New York, the state has the new Excelsior Pass, a free app to show if you’re either fully vaccinated or you have proof of a negative COVID test to get into a game, a concert, even a wedding.

But is it legal to ask for that?

News10NBC’s Brennan Somers heard from people raising that concern.

Dennis says: So why do we have to prove a vaccine or negative COVID test to do anything? What about the HIPAA laws? They don’t apply to this?

To address the first point, private companies are free to do business with whomever they want. There are exceptions protected under civil rights laws. For example, you can’t discriminate based on race or gender.

But, legal experts say when it comes to your vaccine or COVID status, requiring proof seems like "no shirt, no shoes" and in this case, no shots, then no service.

As for HIPAA, the Health Insurance Portability and Accountability Act, it’s a federal law protecting sensitive patient health details from being released without your consent or knowledge. It’s important, but does it affect the new world of these vaccine passports?

Somers took that Good Question to Michael Scott-Kristansen of the local firm Pullano & Farrow. This field is their specialty.

News10NBC’s Brennan Somers: What’s the answer? If someone were to come to you and say is this a violation of my privacy when it comes to my vaccine record?

Scott-Kristansen: Well you can’t violate your own privacy rights under HIPAA. By virtue of you putting that info out there and sharing it when you enter the concert venue, by using your phone and showing that app to whoever is scanning your phone, you’re putting that information out there yourself.

That’s the key. The Excelsior Pass is 100% voluntary. This is you choosing to download and use the app, not your doctor’s office, which is covered under HIPAA.

Scott-Kristansen: My understanding of the app is it’s actually pulling verification of your vaccination status from a state database that’s being maintained, and not being pulled from your health care provider or your health plan or anything like that.

The state’s website has that detailed in a disclaimer saying why HIPAA doesn’t apply. Users will see it before hitting accept.

State officials say there are robust privacy protections in the digital health pass. You can print it out or show the secure QR code on your phone. It only informs the venue if a pass is valid.

The rules state a business will just see the pass type, status, your name, and birthdate to double-check with a photo ID.

If you don’t want to use the Excelsior Pass, you can show other proof like a picture on your phone, or a paper copy of test results or vaccination. That will get you through the door.

