What HIPAA's Privacy Rule Says

Mon, Aug 23, 2021

As someone who deals with HIPAA's privacy compliance as part of my job, I don’t ever want to hear the word HIPAA again from someone who isn’t adjacent to healthcare. Almost no one understands what it is, but a hundred million people are explaining their wrong ideas of it to each other in a giant game of telephone.

Here's a short summary of HIPAA's Privacy Rule, as described by the U.S. Department of Health & Human Services:

Who it applies to: healthcare providers such as doctors and hospitals, health plans, their business associates, and other people who manage patients' healthcare information.

What it does: limits the information a covered entity can share about its patients to what is needed to fulfill specific medical and business requirements.

What it doesn't do: apply to anyone other than those covered entities; prevent you from sharing your own information; prevent others from asking you about your health, including vaccination status.

Anyone who says that HIPAA doesn't allow you to ask whether they've been vaccinated, or that it prevents them from answering, is factually wrong.