Read More

HHS Issues Guidance on HIPAA and COVID-19 Vaccination in the Workplace

As employers grapple with workplace vaccination policies, strong convictions and misinformation continue to color the conversation.

On October 2, 2021, the U.S. Department of Health & Human Services (HHS) issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to COVID-19 vaccination disclosures in the workplace. HHS’s guidance does not alter the law in any way, serving only as a reminder of what HIPAA’s Privacy Rule protects and what it doesn’t protect.

Here’s a rundown of the four HIPAA scenarios addressed by HHS:

HIPAA’s Privacy Rule does not prohibit any person or business from asking whether an individual has received a COVID-19 vaccine.

Mainly, this is because the Privacy Rule does not govern the ability to ask questions. However, the Privacy Rule does regulate how and when a “covered entity” and its business associates may disclose information about an individual’s vaccination status once revealed. Covered entities include health care providers, health plans, and health care clearinghouses. HHS provided the following examples of when HIPAA’s Privacy Rule does not apply:

  • Someone is asked about their vaccination status by an employer, school, store, restaurant, entertainment venue, or other individual.
  • Someone asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Someone asks a company, such as a home health agency, whether its workforce members are vaccinated.

HIPAA’s Privacy Rule does not prevent business customers from disclosing whether they have received a COVID-19 vaccine.

This is because the Privacy Rule does not apply to an individual’s disclosures about their own health information, including personal vaccination status.

HIPAA’s Privacy Rule does not prohibit any employer from requiring its workforce to disclose whether they have received a COVID-19 vaccine.

This is because the Privacy Rule does not apply to employment records held by any business (even a covered entity) in its capacity as an employer. Specifically, the Privacy Rule does not prohibit a covered entity from requiring an employee to disclose whether they have been vaccinated in response to queries from patients.

However, other federal and state laws address terms and conditions of employment. Anti-discrimination laws do not prevent an employer from mandating employees be vaccinated, but such mandates are subject to reasonable accommodations and other equal employment opportunity considerations. Under the Americans with Disabilities Act, documentation of vaccination must be kept confidential and stored separately from personnel files.

HIPAA’s Privacy Rule does prohibit a doctor’s office from disclosing an individual’s COVID-19 vaccination status to an employer.

This is because the Privacy Rule prohibits covered entities from disclosing protected health information (PHI) except with the individual’s authorization or as otherwise permitted (e.g., to health plan for payment or to a public health authority). PHI includes vaccination status.

A covered hospital is permitted to disclose vaccination status to an individual’s employer for the employer’s medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, provided the following conditions are met:

  • The covered hospital is providing the health care service to the individual at the request of the employer;
  • The PHI disclosed consists of findings concerning workplace medical surveillance or work-related illness;
  • The employer requires the findings to comply with Occupational Safety and Health Administration (OSHA) legal obligations or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, vaccination side effects must be recorded); and
  • The covered health care provider gives written notice to the individual that the PHI related to workplace medical surveillance or work-related illnesses will be disclosed to the employer.

Finally, be sure to review the latest state and local laws and regulations on COVID-19 vaccination of employees. More information and resources on navigating workplace issues stemming from the pandemic can be found at OneDigital’s Coronavirus Advisory Hub.