The introduction of vaccine mandates in many places of work has led many people to question how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination information. There are a number of misconceptions about when, how, and to whom HIPAA applies, and confusion about whether employers are permitted by HIPAA to request information from employees about their vaccination status, or if businesses can ask their customers or clients if they have been vaccinated.
Recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) released guidance for the public on HIPAA and COVID-19 vaccination information to help clear up confusion. The guidance covers some of the most commonly asked questions about HIPAA and COVID-19 vaccine information, and outlines situations when HIPAA does and does not apply.
“We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” said OCR Director Lisa Pino.
OCR confirmed that the HIPAA Privacy Rule applies only to HIPAA-covered entities and, to some extent, their business associates. A HIPAA-covered entity is a health plan, healthcare clearinghouse, or healthcare provider that conducts electronic transactions for which the HHS maintains standards. Business associates are vendors of those entities that are provided with access to protected health information. Most businesses are therefore not covered by the HIPAA Rules. HIPAA does not apply to schools, employers, stores, restaurants, or entertainment venues, and does not cover disclosures of health information by one individual to another. HIPAA therefore does not prohibit a business from asking whether its customers or clients have been vaccinated, and individuals are not prohibited from providing vaccination information to other individuals or businesses.
HIPAA does not restrict covered entities from asking patients or visitors for information, including vaccination status. The HIPAA Privacy Rule only regulates how “protected health information” can be used and disclosed once it has been provided to a HIPAA-regulated entity.
HIPAA-regulated entities do not always need to obtain authorizations from patients before disclosing vaccination information. The HIPAA Privacy Rule allows uses and disclosures of protected health information, which includes vaccination information, for treatment, payment, or healthcare operations without a prior authorization. HIPAA-regulated entities are allowed to disclose vaccination information to a health plan, for instance, to obtain payment for a vaccination. They are also permitted to disclose vaccination information to public health authorities, or to third parties when required to do so by law. A healthcare provider would, however, need to obtain an authorization from a patient before disclosing vaccination information to an entertainment venue or an airline.
OCR confirmed that the HIPAA Privacy Rule does not apply to employers or employment records, so any information on the vaccination status of employees requested or collected by employers is not protected health information under HIPAA. Even if vaccination information is collected by a HIPAA-regulated entity, it is not classed as protected health information if it is requested or collected in the regulated entity’s capacity as an employer.
It is worth noting that other federal laws or state laws may apply to disclosures of vaccination information. The U.S. Equal Employment Opportunity Commission (EEOC) has issued guidance on COVID-19, the ADA, the Rehabilitation Act and other EEO laws.
HIPAA-regulated entities are generally not permitted to disclose an individual’s vaccination status or other vaccination information to the individual’s employer without prior authorization from the individual, although there are exceptions.
“A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness,” explained OCR.
In such cases, the disclosed information must be restricted to the minimum necessary to achieve the purpose for which the disclosure is made, and the disclosure is only permitted if all of the following conditions are met:
- The covered entity is a healthcare provider that is providing healthcare to the individual at the request of the individual’s employer, or that is a member of the employer’s workforce;
- The PHI disclosed is the findings concerning a work-related illness or injury or workplace-related medical surveillance;
- The employer needs the findings to comply with its legal obligations under OSHA, the Mine Safety and Health Administration, or state laws that have a similar purpose; and
- The covered entity provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer, for instance by giving the individual a copy of the notice at the time healthcare is provided or, if healthcare is provided on the employer’s work site, by posting the notice in a prominent place at the location where healthcare is provided.