Whether an employee’s COVID-19 vaccination status is protected by the Health Insurance Portability and Accountability Act (HIPAA) has been (or should be) on the minds of all HR personnel as of late. That’s especially true as we await the Occupational Safety and Health Administration’s (OSHA) impending rule that will likely require employers with 100 or more employees to ensure their workforce is either vaccinated or regularly tested.
What to Consider
In the interim, you should become familiar with the HIPAA privacy rule’s application to vaccination status by asking whether it prohibits businesses or individuals from (1) asking customers whether they have gotten the shots or (2) requiring a workforce member to disclose whether they have received a vaccine to the employer, clients, or other parties.
Fortunately, the U.S. Department of Health and Human Services (HHS) recently addressed many such frequently asked questions in new guidance. Below is a quick refresher on the privacy rule as well as the HHS responses to the common inquiries.
Privacy Rule Refresher
The HIPAA privacy rule generally applies to information categorized as protected health information (PHI). It includes almost all health information identifying an individual—generally, any details relating to the person’s past, present, or future physical or mental health condition or the provision of, or payments for, health care. PHI can include not only traditional healthcare information but even names, addresses, ages, and so on when they’re connected to the information.
Not all healthcare information, however, constitutes PHI. It generally encompasses only health information that’s created, received, maintained, or transmitted by a covered entity or a business associate, which begs the question: What entities are covered entities?
Health plans are generally covered entities. HIPAA defines them broadly to include any individual or group plan that pays for the medical care costs. So, when in the hands of a covered entity, an individual’s vaccination status will likely constitute PHI and be protected under the privacy rule.
Notably, HIPAA specifically excludes any information the employer is holding in its employment records from PHI. An employer sponsoring a group health plan generally wears two separate hats. It has different responsibilities when acting as an employer versus when it’s acting as a covered entity, i.e., the health plan.
Even if certain information may not be PHI or protected by HIPAA, you also should consider whether state laws provide a stricter rule. While maybe not be less restrictive than the HIPAA requirements, they can provide additional restrictions.
HHS Answers our Common Questions
Given those basic rules, HHS answered the following common questions for employers:
Does the HIPAA privacy rule prohibit businesses or individuals from asking customers whether they have been vaccinated? No. HHS clarified the rule doesn’t prohibit anyone from simply asking other persons whether they have been vaccinated. When a business asks customers, it likely isn’t acting as a covered entity under the health plan. In that situation, the rule generally doesn’t apply.
Additionally, the privacy rule doesn’t prohibit covered entities from simply requesting health information. Instead, the rule is concerned with the manner in which they use and disclose PHI in their possession. HHS gave some examples for when the rule doesn’t apply:
- A school, employer, store, restaurant, entertainment venue, or another person asks the individual about vaccination status;
- The individual asks a doctor, service provider, or another person whether they have gotten the shots; or
- The individual asks a company, such as a home health agency, whether its workforce members are vaccinated.
The privacy rules also don’t prohibit people from disclosing their own vaccination status. HIPAA of course permits them to disclose their own health status as they wish. When an individual is discussing his own health information, he is most likely not acting as a covered entity or a business associate.
Does the HIPAA privacy rule prohibit an employer from requiring workforce members to disclose whether they have received a COVID-19 vaccine to the business, clients, or other parties? No. Remember, the privacy rule doesn’t apply to information the employer keeps in its employment records, in contrast to details held by the health plan. The rule doesn’t prohibit you from requesting an employee’s vaccination status as part of the terms and conditions of employment. According to HHS, the rule doesn’t prohibit a covered entity or business associate from requiring or asking workforce members to:
- Provide documentation of their COVID-19 or flu vaccination to the current or prospective employer;
- Sign a HIPAA authorization for a covered healthcare provider to disclose their coronavirus or varicella vaccination record to the employer;
- Wear a mask while in the employer’s facility or on the premises or in the normal course of performing job duties at another location; or
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Although the examples are generally permitted under the privacy rule, you should be aware other federal or state laws may come into play when requiring employees to obtain vaccinations as a condition of employment and covering how you must handle the information. For example, documentation on an employee’s vaccination status must be kept confidential and stored separately from the individual’s other personnel files under the Americans with Disabilities Act (ADA).