In general, no federal law prohibits businesses from asking for proof of vaccination as a condition of consumer services or employment. Kathryn Watson of CBS News interviewed me about this and I hit a few main points, beginning with the relatively few exceptions:
* Religious objections and employment. Title VII, the federal employment discrimination law, forces an employer to accommodate employees’ religious beliefs when it can do so without cost. For that reason, employees with religious objections to vaccination can ask employers to exempt them, and employers must at least consider the request. “Consider,” however, does not mean “accede to”: under a 1977 Supreme Court case called Trans World Airlines v. Hardison, which I’ve written about here, Title VII “does not require an employer to make any accommodation for an employee’s practice of religion if doing so would impose more than a de minimis burden.” (That’s Justice Alito’s description of the holding.) It amounts to a relatively lenient standard for employers, and given that lack of COVID-19 vaccination increases the risk of contagion of a serious illness, I think most courts most of the time will accept employers’ argument that obligatory waivers would ask them to shoulder more than a de minimis burden.
* ADA exceptions. A small minority of persons are medically fragile in ways that make vaccination inadvisable. The federal Americans with Disabilities Act imposes robust duties on both employers and private businesses to accommodate those who are disabled or regarded as such. So this (small) group is the one most likely to prevail in court on a right to accommodation. By the same token, however, the group includes many persons whose medical vulnerabilities would make them reluctant to enter crowded situations anyway. (Some suggest that in practice opportunists could widen this small exception by pretending falsely to have such medical conditions.)
* HIPAA and privacy. It is remarkable how many misconceptions are loose on the Internet about the federal medical privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act of 1996. In general HIPAA imposes data-privacy obligations on “covered entities” that include many health care providers, health insurers, data clearinghouses and some others that gather and retain health data. It doesn’t cover employers, except insofar as they enter the category in the course of such activities as offering health plans. Unless the service offered is itself health care, insurance or the like, most businesses have no HIPAA obligations at all toward customers — that goes for restaurants, stadiums, and theaters, for example. HIPAA generally restricts release of data to third parties, which means even a business service that is probably covered, such as a doctor’s practice, can ask you all the medical questions it pleases.
Moreover, HIPAA rights are generally designed to be waivable; that’s why your doctor’s office asks you to sign all those forms. As I observed, “… The answer is, no, HIPAA does not provide you with rights to patronize a business that doesn’t want to serve you, much less to work for an employer.”
That’s the state of the law, I think. As a normative matter, I take what I believe to be the libertarian view based on free association and contract: private businesses should be free to condition their services as they see fit on a customer’s or employee’s being vaccinated.