HIPAA

DISCLOSING COVID-19 VACCINATION STATUS

HHS has published an article on the HIPAA Privacy Rule’s effect on the disclosure of COVID-19 vaccination status for healthcare. The following are excerpts from the article. For the full text see: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html. Remember that HIPAA is not the only set of laws that regulate this information.

  1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

No. The Privacy Rule does not prohibit any person, including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) that covered entities and business associates create, receive, maintain, or transmit.

The Privacy Rule does not apply when an individual is asked about their own vaccination status or asks another individual, their doctor, or a service provider whether they or their workforce members are vaccinated. Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.

  2. Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?

No. The Privacy Rule does not prevent any individual from disclosing whether they have been vaccinated against COVID-19 or any other disease. The Privacy Rule does not apply to individuals’ disclosures about their own health information.

  3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment. However, other federal or state laws do address terms and conditions of employment. For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations. Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

  4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

No. The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

Other federal or state laws address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination. Documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

  5. Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Generally, yes. The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine; the individual’s medical history or demographic information) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule.

Generally, where a covered entity or business associate is permitted to disclose PHI (for treatment, payment, or healthcare operations, or as required by law), it is limited to disclosing the PHI that is reasonably necessary to accomplish the stated purpose for the disclosure.

In other circumstances, the Privacy Rule generally requires a covered entity to obtain an individual’s written authorization before disclosing the individual’s PHI, such as disclosure of whether the individual has received a vaccine, to, for example:

  • a sports arena,
  • a hotel, resort, or cruise ship,
  • an airline or car rental agency.

In conclusion, HIPAA applies only to covered entities’ and business associates’ use of patient information, not to the general public or to employee information.