As more workplaces mandate vaccinations, employers and employees alike have experienced confusion about COVID-19 vaccine status and the HIPAA Privacy Rule (the “Privacy Rule”). Some have mistakenly thought that HIPAA restricts disclosure in the workplace setting. HIPAA does not and has never applied to health information employers hold about employees in human resources or personnel files.
On September 30, HHS released guidance to clarify some of these issues. We have summarized some of the key information below.
(1) Asking Customers or Clients about COVID-19 vaccine status.
Any individual or business may ask any person for their vaccine status.
HIPAA does not apply when an individual is asked about their vaccination status by a school, employer, restaurant, entertainment venue or another individual.
(2) Disclosing your own vaccine status
There has been some confusion as to whether an individual is allowed to disclose their own vaccine status. The Privacy Rule does not prevent any person from disclosing their own health information; it only governs disclosure by covered entities and their business associates of patient or health plan member information. “Covered entities” include health care providers (e.g. hospitals and doctors’ offices) and health plans. A “business associate” is a vendor of a covered entity that provides a service using patient or health plan member information, such as certain law firms, consultants or data storage companies.
(3) Requiring Disclosure of Vaccine Status to Other Persons
Another common question is whether an employer may require an employee to disclose their own vaccine status to the employer, clients or third parties. The Privacy Rule does not apply to any employment records, including if the employment record is held by a covered entity or business associate acting in their capacity as employers. As a result, the Privacy Rule does not prevent an employer from requiring an employee to disclose vaccine status.
(4) Covered Entities, Business Associates and their Workforce
A covered entity or business associate may require its employees to disclose their vaccine status. Because the Privacy Rule does not apply to employment records, it does not regulate the type of information that can be requested from employees by a covered entity or business associate. As such, a covered entity or business associate may require its workforce to provide documents that show their vaccination against COVID-19.
(5) Disclosure of PHI by a Doctor’s Office
Generally, the Privacy Rule prohibits a doctor’s office from disclosing an individual’s protected health information (PHI). This includes disclosing to the individual’s employer, or other parties, whether the person received the COVID-19 vaccine.
A doctor’s office or other covered entity may only disclose vaccination status to an employer in two instances:
- When the employee provides the employer with a signed HIPAA compliance authorization; or
- For medical surveillance, if certain, specific requirements are satisfied.
Although HIPAA does not prevent employers from asking about vaccination status or collecting weekly COVID-19 test results, other state and federal laws address whether (1) employers may mandate the vaccine; and (2) how employers must treat medical information once it is obtained.
If you have any questions regarding how to handle an employee’s medical information – including vaccine status and test results – please contact Gabe Jiran at gjiran@goodwin.com, Bill Roberts at wroberts@goodwin.com, Rauchell Beckford-Anderson at rbeckfordanderson@goodwin.com, or Sarah Niemiroski at sniemiroski@goodwin.com