information that it receives. The law also doesn't restrict how an employer can respond if the employee or applicant refuses to share the requested medical information.

Only a covered entity must comply with HIPAA. A covered entity includes: (1) health plans, such as health insurance companies, HMOs, company health plans, Medicare, and Medicaid; (2) most health care providers that conduct certain business electronically (including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists); and (3) health care clearinghouses (entities that process and format health information they receive from another covered entity). Nowhere in the definition of covered entity is there any reference to a passenger vessel operator.

An employer (including a passenger vessel operator) is not subject to the privacy rules of HIPAA. The employer can ask a worker for a doctor's note or other health information if the information is needed for sick leave, workers' compensation, wellness programs, or health insurance. But if the employer goes directly to an employee's health care provider to get that information, the provider in most cases cannot give it without the employee's authorization. As a general premise, HIPAA's privacy rules apply to the disclosures made by an individual's health care provider. They do not deal with the medical questions the employer may ask.

Similarly, a business that serves the general public but is not in the health care industry is not covered by HIPAA. So, restaurants, retail stores, and passenger vessel operators are not prevented by HIPAA from asking a customer whether he or she has been vaccinated against COVID-19 or some other medical or health information. Of course, the customer is entirely free to refuse to provide the requested medical information. In the event of such refusal, HIPAA presents no bar to the establishment refusing to provide service.

Medical privacy is a touchy issue. Laws other than HIPAA (for example, the Americans with Disabilities Act or individual state laws) limit what medical information a passenger vessel operator can seek from a job applicant, worker, or customer. But HIPAA doesn't.

JUNE 2021 27 LEGISLATIVE REPORT