employees questions

COVID-19, Employers and HIPAA

Now that vaccinations are widely available in the U.S., we are hearing more questions every week about vaccination status and HIPAA privacy. Employers and employees are asking the same questions.

Common Questions about Vaccination Status and HIPAA

The two most common vaccination questions we hear are:

  1. May employers ask employees whether they have been vaccinated?
  2. May employers ask for proof of vaccination?

In general, according to HHS, HIPAA does not prevent employers from asking if an employee has been vaccinated or for proof of their vaccination. However, employees have important rights under laws that protect against discrimination, discussed further below.

NOTE: The purpose of this blog is to convey current information provided by official government sources. It is neither legal advice nor a complete explanation of all fact situations that occur. This is a general overview of issues and cautions related to vaccination requirements in the workplace and employee privacy rights.

HIPAA Does Not Apply

Many people think of HIPAA first when it comes to medical issues and privacy. However, HIPAA does not apply to employers in relation to employees and employment policies. HIPAA only applies to covered entities in relation to individuals for whom they are providing care (health care providers) or facilitating payment for care (health care clearinghouses and health plans). HIPAA of course also applies to business associates but only in relation to their role assisting a covered entity to provide patient care or to facilitate payment for care.

In other words, if an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer.

What Laws Apply to Employee Rights?

The Equal Employment Opportunity Commission (EEOC) enforces workplace anti-discrimination laws (for employers with 15 or more employees), including:

  1. the Americans with Disabilities Act (ADA);
  2. the Rehabilitation Act (which include the requirement for reasonable accommodation and non-discrimination based on disability, and rules about employer medical examinations and inquiries);
  3. Title VII of the Civil Rights Act (which prohibits discrimination based on race, color, national origin, religion, and sex, including pregnancy);
  4. the Age Discrimination in Employment Act (which prohibits discrimination based on age, 40 or older); and
  5. the Genetic Information Nondiscrimination Act.

Other federal laws, as well as state or local laws, may provide employees with additional protections.

Information about vaccination status from the EEOC website includes the following:

The federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19, subject to the reasonable accommodation provisions of Title VII and the ADA and some other EEO considerations mentioned below.

In some circumstances, Title VII and the ADA require an employer to provide reasonable accommodations for employees who, because of a disability or a sincerely held religious belief, practice, or observance, do not get vaccinated for COVID-19, unless providing an accommodation would pose an undue hardship on the operation of the employer’s business.

The analysis for undue hardship depends on whether the accommodation is for a disability (including pregnancy-related conditions that constitute a disability) or for religion.

Examples of reasonable accommodations include requiring an unvaccinated employee to wear a face mask, work at a social distance from coworkers or non-employees, work a modified shift, get periodic tests for COVID-19, be given the opportunity to telework, or finally, accept a reassignment

The EEOC points out that (as with any employment policy) employers that have a vaccine requirement may need to respond to allegations that the requirement has a disparate impact on – or disproportionately excludes – employees based on their race, color, religion, sex, or national origin under Title VII (or age under the Age Discrimination in Employment Act (40+)).  Employers are reminded to keep in mind that because some individuals or demographic groups may face greater barriers to receiving a COVID-19 vaccination than others, some employees may be more likely to be negatively impacted by a vaccination requirement.

Privacy Still Matters

Under the ADA, employers are required to maintain the confidentiality of employee medical information including documentation or confirmation of COVID-19 vaccination. This requirement applies regardless of where the employee gets the vaccination.  Although the EEO laws themselves do not prevent employers from requiring employees to bring in documentation or other confirmation of vaccination, this information, like all medical information, must be kept confidential and stored separately from the employee’s personnel files under the ADA.

Tips for Employers re Vaccination Status in Workplace

  • While employers may ask an employee whether they were vaccinated, they should be careful not to ask for more information than necessary. If an employer asks why an employee was not vaccinated and the answer includes information about disability, religious or genetic information the employer may obtain more information than necessary. This knowledge could make a claim of discrimination more difficult to defend.
  • When asking employees to show proof of vaccination, remind them not to include any other medical information that may be listed on their vaccination-related documents.
  • Employers who wish to ask for vaccination status and proof should engage legal counsel to help guide the process.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2022 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free