“The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.”
On September 30, 2021, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance (the “Guidance”) entitled, “HIPAA, COVID-19 Vaccination, and the Workplace,” regarding the applicability of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule (“Privacy Rule”) to disclosures and requests for information regarding COVID-19 vaccination status. In a frequently-asked-questions format, the Guidance sets forth a series of workplace-related scenarios involving the confidentiality of an employee’s vaccination status, an employer’s ability to obtain vaccination information from its employees, and the confidentiality of such information.
Per the Guidance, HIPAA does not prevent or apply to the following scenarios:
- An individual or entity, including HIPAA covered entities and business associates, schools, employers, stores, restaurants, entertainment venues, or other individuals (such as doctors or service providers) asking whether an individual has received a particular vaccine, including COVID-19 vaccines. An individual or entity can ask for such information.
- An individual asking a company whether its workforce is vaccinated. An individual can ask for such information.
- A covered entity or business associate requesting vaccination information from patients or visitors. A covered entity or business associate can ask for such information.
According to the Guidance, the Privacy Rule does not prevent or apply to an employer requiring a workforce member to disclose whether he or she has received a COVID-19 vaccine to the employer, clients or other parties, including patients or members of the public. The Privacy Rule does not apply to employment records, or regulate what information can be requested from employees as part of the terms and conditions of employment imposed by the employer, even if the employer is a covered entity or business associate. Specifically, an employer may request or require:
- Documentation of vaccination status;
- Execution of a HIPAA authorization for a covered health care provider to disclose the employee’s COVID-19 or varicella record to the employer;
- Disclosure of COVID-19 vaccination status in response to queries from current or prospective patients; and
- Mask mandates while the member of the workforce is in the employer’s facility, on the employer’s property, or in the normal course of performing the duties at another location.
Note, however, the Privacy Rule does impact how and when the covered entity or business associate can use and disclose such protected health information (“PHI”), including information about an individual’s vaccination status to an employer or other business. For instance, a doctor’s office may not disclose an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other party unless it has the individual’s authorization or as otherwise expressly permitted by the Privacy Rule. Similarly, the individual’s authorization is required for the covered entity to disclose vaccination status for entertainment, leisure or travel purposes.
Even where authorized, the covered entity or business associate should only disclose the PHI that is reasonably necessary to accomplish the purpose of the disclosure, or where otherwise required by law. For example:
- A physician may disclose vaccination status to the individual’s health plan for purposes of payment for the administration of the vaccine;
- A pharmacy may disclose vaccination status and relevant information to public health authorities; and
- A COVID-19 vaccine clinical trial investigator may disclose the PHI about trial participants to the manufacturer and FDA for quality, safety, or effectiveness purposes.
However, a covered entity hospital may disclose PHI related to an employee’s vaccination status to the employer for purposes of medical surveillance of the workplace or for evaluation of whether the individual has a work-related illness as long as (i) the hospital is providing the healthcare service to the individual at the employer’s request or as a member of the employer’s workforce; (ii) the PHI that is disclosed consists of findings concerning work-related illness or medical surveillance; (iii) the employer needs the findings to comply with the Occupational Safety and Health Administration (“OSHA”), the Mine Safety and Health Administration (“MSHA”) or state laws with similar purposes; and (iv) the provider provides written notice to the individual that the PHI will be disclosed to the employer.
Additionally, given that the Privacy Rule only applies to covered entities and their business associates, it does not impact an individual’s decision on whether or not to disclose his or her vaccination status. Healthcare pundits have frequently noted a common misconception that HIPAA protects PHI, including an individual’s vaccination status, from voluntary disclosure by the individual whose PHI is at issue. As shown in the Guidance, this is not true. Notably, public figures who are asked about their vaccination status and decline to answer based upon what they identify as their “HIPAA rights” are, in fact, simply making a personal choice to not disclose their information. HIPAA does not prevent an individual from asking the question and it does not prevent an individual from answering the question in any way they choose.
As the OCR reminds the reader in the Guidance, the Guidance only sets forth the applicability of HIPAA to the scenarios described therein. Other state or federal laws and regulations may still apply to requests for, or the disclosure of, vaccination status. For example, under Title I of the Americans with Disabilities Act, employers that collect documentation regarding employee vaccination status must keep such documentation confidential and store it separately from the employee’s personnel files. State laws may have similar provisions which go above-and-beyond what may be required under State law.
We will continue to monitor and provide updates on any further guidance released in relation to COVID-19 vaccines and disclosure or requests for information requirements.
 “HIPAA, COVID-19 Vaccination, and the Workplace,” Department of Health and Human Services, Office of Civil Rights (September 30, 2021) at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.
 “Common Misconceptions About HIPAA and COVID-19 Vaccination Status; Asking someone about their COVID 19 vaccination status is not a HIPAA violation, despite prominent figures saying otherwise,” by Jill McKeon, Xtelligent Healthcare Media (August 21, 2021) at https://healthitsecurity.com/news/common-misconceptions-about-hipaa-and-covid-19-vaccination-status.