OCR Issues Advice on HIPAA and Vaccination Disclosures

HIPAA and vaccination disclosures

The introduction of vaccine mandates by employers, especially in healthcare, has raised questions about HIPAA and vaccination disclosures. The Privacy Rule of the Health Insurance Portability and Accountability Act does restrict uses and disclosures of protected health information, and protected health information does include vaccination information. It is understandable for there to be confusion about how HIPAA applies to disclosures of an individual’s vaccination status, and whether questions can be asked – and answered – about an individual’s vaccination status.

To help clear up the confusion, the HHS’ Office for Civil Rights (OCR) has issued new guidance on HIPAA and vaccination disclosures and explains in a Q&A how HIPAA applies in certain situations in the workplace. “We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” said OCR Director Lisa Pino.

Much of the confusion around HIPAA and vaccination disclosures comes from a misunderstanding of when and to whom HIPAA applies. OCR explained that the HIPAA Privacy Rule does not prohibit any person from asking whether a person has received a COVID-19 vaccination or any other type of vaccine. Whether that person decides to answer the question and disclose that information is entirely up to the individual.

OCR explains that:

1) HIPAA only applies to HIPAA-covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and some of their business associates (those that are provided with protected health information (PHI) or access to systems containing PHI) and;

2) The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. The Privacy Rule only places restrictions on uses and disclosures of that information.

That means, as far as HIPAA is concerned, an employer, school, entertainment venue, store, or restaurant can ask whether their customers, clients, or employees have been vaccinated. HIPAA does not prevent students, employees, or customers or clients of a business from disclosing whether they have received a COVID-19 vaccine.

Workplace vaccination mandates have been introduced in many businesses and at those businesses employers require workforce members to disclose whether they have received a COVID-19 vaccine. Again, this is not restricted by the HIPAA Privacy Rule, as most businesses are not HIPAA-covered entities or business associates; however, even if they are, the HIPAA Privacy Rule does not apply as HIPAA does not cover employment records, including employment records held by covered entities or business associates in their capacity as employers.

That means covered entities or business associates are permitted under HIPAA to require workforce members to:

  • Provide documentation of vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

COVID-19 or other vaccination mandates by employers are not a HIPAA issue, but there may be other federal or state laws that dictate whether vaccination can be made a condition of employment and have requirements for storing that information. For example, Title I of the Americans with Disabilities Act (ADA) requires any information collected to be kept separate from the employee’s personnel files and that information must be kept confidential.

There has been confusion about whether doctors’ offices are permitted to disclose vaccination status information to an employer. This is one case when the HIPAA Privacy Rule does apply. Generally this is not permitted unless authorization has been received from the individual in question. Disclosures of the vaccination status information of an individual to a third party, or any other PHI, is only permitted for reasons expressly permitted by the HIPAA Privacy Rule, which generally means uses and disclosures for treatment, payment, or healthcare operations. Exceptions include disclosures to a public health authority such as a state or local public health agency, or to the vaccine manufacturer or FDA if the individual is enrolled in a clinical trial of the vaccine.

OCR said HIPAA-covered hospitals are permitted to disclose an individual’s vaccination status to an employer “so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness,” however, only if all of the following conditions are met:

  • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
  • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
  • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose.
  • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

The guidance, HIPAA, COVID-19 Vaccinations, and the Workplace, can be found on the HHS website on this link.