Update on HIPAA and COVID
October 13, 2021
The U.S. Department of Health & Human Services (HHS) has issued additional guidance on how the HIPAA rules interact with the COVID environment. The guidance gives employers greater clarity as to when HIPAA does and does not apply in various situations. The following is a rundown of the guidance.
1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
HHS states that HIPAA does not apply in these situations. Specifically, the guidance states:
First, the Privacy Rule applies only to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates.
Second, the Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information.
Further, the guidance identifies additional situations to which HIPAA does not apply, namely when an individual:
- Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
- Asks another individual, their doctor, or a service provider whether they are vaccinated.
- Asks a company, such as a home health agency, whether its workforce members are vaccinated.
- Or is required by other state or federal laws to disclose whether they have received a vaccine under certain circumstances (think New York City restaurants requesting to see vaccination cards or records before seating).
The most important exception is the first, when an employer asks about vaccination status. It reinforces the right of employers to ask an employee about their vaccination status and to require an answer. This will become even more important when the OSHA emergency temporary rules (ETS) are issued, which will likely require a vaccine mandate of all employers with 100 or more employees (however that will be counted).
2. Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?
The answer again is no. Specifically, the guidance states:
The Privacy Rule does not prevent any individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. The Privacy Rule does not apply to individuals’ disclosures about their own health information.
Therefore, when an employee states they cannot disclose because of HIPAA requirements, they are wrong. HIPAA does not apply to them.
3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
This question has come up more often through the ASE Hotline: employers send employees to customer sites, and the customer requires vaccine information about the employee. The guidance states:
The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.
The guidance also points out, though, that other laws may apply to disclosures, such as equal opportunity laws, and that the employer needs to be aware of them when taking any action against an employee who refuses to disclose.
4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
Again, the answer is no. The guidance states:
The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.
In addition, the guidance notes that HIPAA does not prohibit a covered entity or business associate from requiring its workforce members to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
- Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Employees have tried to use HIPAA as a reason not to wear a mask when they are unvaccinated because fellow employees will know that they are not vaccinated.
Finally, the guidance reiterates that physicians’ offices cannot release COVID information to employers unless specific to an investigation by the employer in order to comply with OSHA or similar laws. Employers who do not believe that their situation falls under this guidance should contact their legal counsel to ensure that what they are doing does not violate the law.