On September 30, 2021, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.
The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and, in some cases, to their business associates.
The guidance also addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies; in sum:
1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
No. The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines…. The Privacy Rule does not apply when an individual:
- Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
- Asks another individual, their doctor, or a service provider whether they are vaccinated.
- Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.
2. Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?
No. The Privacy Rule does not prevent any individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent, their business associates. Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.
3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
No. The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce. However, other federal or state laws do address terms and conditions of employment. For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations. Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).
4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
No. The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.
For example, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
- Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
5. Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?
Generally, yes. The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine; the individual’s medical history or demographic information) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule…. For example, if consistent with other law and applicable ethical standards, under the Privacy Rule:
- A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
- A covered pharmacy is permitted to disclose PHI relating to an individual’s vaccination status (e.g., that an individual has received a COVID-19 vaccination, the date of vaccination, the vaccine manufacturer) to a public health authority, such as a state or local public health agency. In such situations, the covered pharmacy may rely, if such reliance is reasonable under the circumstances, on a representation by the public health authority that the information requested constitutes the minimum necessary for the stated purpose(s) of the disclosure (e.g., to track and compare the effectiveness of different COVID-19 vaccines).
- A health plan is permitted to disclose an individual’s vaccination status where required to do so by law.
- A covered nurse practitioner is permitted to provide PHI relating to an individual’s COVID-19 vaccination status to the individual.
- A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, and all of the following conditions are met:
  - The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
  - The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
  - The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, worker side effects from vaccination constitute a “recordable illness,” and thus, employers are responsible for recording such side effects in certain circumstances).
  - The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer. (This can be accomplished by providing the individual with a copy of the notice at the time the health care is provided, or by posting the notice in a prominent place at the location where the health care is provided if the health care is being provided on the work site of the employee.)