As more workplaces mandate vaccinations, employers and employees alike have experienced confusion about COVID-19 vaccine status and the HIPAA Privacy Rule (the “Privacy Rule”).  Some have mistakenly thought that HIPAA restricts disclosure in the workplace setting.  HIPAA does not and has never applied to health information employers hold about employees in human resources or personnel files.

On September 30, HHS released guidance to clarify some of these issues.  We have summarized some of the key information below.

(1) Asking Customers or Clients about COVID-19 vaccine status.

Any individual or business may ask any person for their vaccine status.

HIPAA does not apply when an individual is asked about their vaccination status by a school, employer, restaurant, entertainment venue or another individual.

(2) Disclosing your own vaccine status

There has been some confusion as to whether an individual is allowed to disclose their own vaccine status.  The Privacy Rule does not prevent any person from disclosing their own health information; it only governs disclosure by covered entities and their business associates of patient or health plan member information.  “Covered entities” include health care providers (e.g. hospitals and doctors’ offices) and health plans.  A “business associate” is a vendor of a covered entity that provides a service using patient or health plan member information, such as certain law firms, consultants or data storage companies.

(3) Requiring Disclosure of Vaccine Status to Other Persons

Another common question is whether an employer may require an employee to disclose their own vaccine status to the employer, clients or third parties.  The Privacy Rule does not apply to any employment records, including if the employment record is held by a covered entity or business associate acting in their capacity as employers.  As a result, the Privacy Rule does not prevent an employer from requiring an employee to disclose vaccine status.

(4) Covered Entities, Business Associates and their Workforce

A covered entity or business associate may require its employees to disclose their vaccine status.  Because the Privacy Rule does not apply to employment records, it does not regulate the type of information that can be requested from employees by a covered entity or business associate.  As such, a covered entity or business associate may require its workforce to provide documents that show their vaccination against COVID-19.

(5) Disclosure of PHI by a Doctor’s Office

Generally, the Privacy Rule prohibits a doctor’s office from disclosing an individual’s protected health information (PHI). This includes disclosing to the individual’s employer, or other parties, whether the person received the COVID-19 vaccine.

A doctor’s office or other covered entity may only disclose vaccination status to an employer in two instances:

  1. When the employee provides the employer with a signed HIPAA compliance authorization; or
  2. For medical surveillance, if certain, specific requirements are satisfied.

Although HIPAA does not prevent employers from asking about vaccination status or collecting weekly COVID-19 test results, other state and federal laws address whether (1) employers may mandate the vaccine; and (2) how employers must treat medical information once it is obtained.

If you have any questions regarding how to handle an employee’s medical information – including vaccine status and test results – please contact Gabe Jiran at gjiran@goodwin.com, Bill Roberts at wroberts@goodwin.com, Rauchell Beckford-Anderson at rbeckfordanderson@goodwin.com, or Sarah Niemiroski at sniemiroski@goodwin.com

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Gabriel Jiran Gabriel Jiran

Gabriel Jiran is a partner in Shipman’s Employment and Labor Practice Group. Gabriel practices labor and employment law on behalf of corporations and public employers. He assists employers in addressing the full spectrum of issues associated with the employment relationship. He negotiates collective…

Gabriel Jiran is a partner in Shipman’s Employment and Labor Practice Group. Gabriel practices labor and employment law on behalf of corporations and public employers. He assists employers in addressing the full spectrum of issues associated with the employment relationship. He negotiates collective bargaining agreements, and frequently represents employers before administrative agencies and courts in labor disputes. Gabriel also litigates employment disputes on behalf of employers.

Photo of William J. Roberts William J. Roberts

William Roberts is the Chair of Shipman & Goodwin LLP’s Privacy and Data Protection team. Bill is also a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP). Bill focuses his practice at the intersection of privacy, technology and…

William Roberts is the Chair of Shipman & Goodwin LLP’s Privacy and Data Protection team. Bill is also a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP). Bill focuses his practice at the intersection of privacy, technology and the law, and represents a wide range of public and private entities. He assists clients nationwide in navigating legal challenges with respect to regulatory compliance, governmental investigations, data breaches and complex contracting. Clients who seek Bill’s guidance range from start-ups to Fortune 50 companies.

Aside from helping his busy clients, Bill is a father and lifelong skier.

Bill’s complete biography can be found here.

Photo of Rauchell Beckford-Anderson Rauchell Beckford-Anderson

Rauchell is a member of the firm’s Employer Defense and Labor Relations practice group. She represents employers in all employment law matters before the Connecticut Commission on Human Rights and Opportunities, the Equal Employment Opportunity Commission, and state and federal court. Her experience…

Rauchell is a member of the firm’s Employer Defense and Labor Relations practice group. She represents employers in all employment law matters before the Connecticut Commission on Human Rights and Opportunities, the Equal Employment Opportunity Commission, and state and federal court. Her experience includes defending public and private sector employers in employment-related litigation including wrongful termination, discrimination, retaliation, sexual harassment, and wage claims.

Photo of Sarah N. Niemiroski Sarah N. Niemiroski

Sarah is a member of the firm’s Employment and Labor practice group.  She assists public and private sector clients in a variety of matters, including grievance and interest arbitrations, prohibited practice proceedings, and labor negotiations. Sarah also represents employers before state and federal…

Sarah is a member of the firm’s Employment and Labor practice group.  She assists public and private sector clients in a variety of matters, including grievance and interest arbitrations, prohibited practice proceedings, and labor negotiations. Sarah also represents employers before state and federal courts and agencies with respect to employment matters ranging from employment discrimination and wrongful termination to tortious interference, breach of contract, and wage and hour claims.