Ooh Baby It’s a Wild World…Your Vaccination Status: What Does HIPAA Actually Protect and Prohibit

by Leslie Thomson

Earlier this fall, the Office for Civil Rights (OCR) issued guidance to help the public understand when a business or employer can request information on an individual’s COVID-19 vaccination status without violating the HIPAA Privacy Rule. This blog addresses the impact of the HIPAA Privacy Rule only. Note that other federal or state laws may apply, resulting in a different conclusion.

The HIPAA Privacy Rule does not apply to employment records and generally does not regulate what information can be requested by an employer from employees as part of the terms and conditions of employment that an employer may impose on its workforce. For example, the HIPAA Privacy Rule does not prohibit an employer from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.

In addition, the HIPAA Privacy Rule does not apply when an individual:

  • Is asked about their vaccination status by a school, store, restaurant, entertainment venue, employer or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

The HIPAA Privacy Rule does prohibit covered entities and their business associates from using or disclosing a person’s protected health information (PHI). This means a doctor cannot disclose a person’s vaccination status without consent except in limited situations. For example, a doctor is permitted to disclose PHI relating to vaccination status to an individual’s health plan as necessary to obtain payment. Also, a covered pharmacy is permitted to disclose PHI relating to vaccination status (e.g., that a person received a COVID-19 vaccination, the date of vaccination, the vaccine manufacturer) to a public health authority, such as a state or local public health agency. In such situations, the covered pharmacy may rely, if such reliance is reasonable under the circumstances, on a representation by the public health authority that the information requested constitutes the minimum necessary for the stated purposes of the disclosure (e.g., to track and compare the effectiveness of different COVID-19 vaccines).