The Spokane Regional Health District says no, it's not. 

The Health Insurance Portability and Accountability Act (HIPAA) only governs those in the healthcare sphere (Your doctor, hospital, etc.) It doesn't apply to the average person or businesses, nor does it provide someone protection from ever having to disclose their health information. 

To be clear, a vaccine card would qualify as protected health information. However businesses, airlines, restaurants, etc. are not healthcare providers, so they are not governed by HIPAA laws. 

Institutions rarely have the right to force someone to get vaccinated, but they do have the right to ask you to provide proof of vaccination before they serve you. Those businesses requiring proof of vaccination can also allow unvaccinated people to do something else besides get a vaccine. 

Here is the explanation we received from SRHD in its entirety:

Here’s a general explanation of how HIPAA works, using the COVID-19 vaccination as an example:

The COVID-19 vaccine increases your freedom because it allows you to travel where you want to go, shop where you want to shop, and do what you want to do.

Asking about a person’s vaccination status is not a HIPAA violation.

HIPAA only governs certain kinds of entities – your clinician, hospital, or others in the healthcare sphere. It does not apply to the average person or to a business outside healthcare. It doesn’t give someone personal protection against ever having to disclose their health information.

Institutions rarely have the right to require you get vaccinated, but if you want to work somewhere in particular, or want others to provide you services (such as schools, or businesses, or travel), they have the right to ask you to provide proof of vaccination first.

Entities that require proof of vaccination can also choose to allow unvaccinated people to do something in lieu of getting a vaccine.

A vaccine card would qualify as protected health information, but an airline, retailer or restaurant are not healthcare providers. HIPAA also doesn't protect medical information that a patient shares about themselves. However, an entity or business still has to follow state privacy and identity theft policies.