We last wrote about COVID-19, Employers and HIPAA a month ago. There we discussed that while HIPAA often does not apply, other employment laws might provide privacy protections to employees.
Last week new guidance about HIPAA and vaccination status was published by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The purpose of the new guidance is to help the general public understand when the HIPAA Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine, both within and outside the workplace.
The new director of OCR, Lisa Pino, said:
We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.
The guidance is presented in a question and answer format addressing lots of the same questions we’ve been hearing. Highlights from the guidance are excerpted and edited below.
Question: Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
Answer: No. Asking someone about their COVID-19 vaccination status is not a HIPAA violation, despite prominent figures saying otherwise. It might be considered nosy, or impolite, but this does not violate HIPAA.
The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
First, the Privacy Rule applies only to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates.
Second, the Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Therefore, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
The guidance provides some examples. The Privacy Rule does not apply when an individual:
- Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
- Asks another individual, their doctor, or a service provider whether they are vaccinated.
- Asks a company, such as a home health agency or a dental/chiropractic/or surgical practice, whether its workforce members are vaccinated. These are just examples, to illustrate that individuals may ask about a company’s workforce vaccination status without violating HIPAA.
Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.
Question: Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?
Answer: No. The Privacy Rule does not apply to individuals’ disclosures about their own health information, only to covered entities and their business associates.
Employers in General
Question: Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
Answer: No. The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. But other employment laws may apply.
Covered Entities and Business Associates as Employers
Question: Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
Answer: No. The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.
The guidance includes examples, note that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
- Wear a mask – while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Question: Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?
Answer: Generally, yes. Read the guidance for a full discussion of instances where PHI may be disclosed by a physician or other covered entity.
The HIPAA E-Tool® is Up to Date
There are lots of misconceptions about HIPAA. If you need answers, let us know because we have answers.