The Department of Health and Human Services (“HHS”), in a series of Qs & As, has stated that the HIPAA Privacy Rules do not prohibit covered entities and business associates from asking whether an individual has received a COVID-19 vaccine.
Legal Background. The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other protected health information (“PHI”). The rules apply to “covered entities,” including group health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires covered entities and their business associates to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI without patient authorization.
HHS Qs & As. HHS says the Privacy Rule does not regulate the ability of “persons,” including covered entities and business associates, to request information from employees, patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose PHI, including information about whether an individual has received a vaccine. Thus, the Privacy Rule does not prohibit a covered entity or business associate from asking whether an individual has received a COVID-19 vaccine, although it does regulate how and when a covered entity or a business associate may use or disclose information about an individual’s COVID vaccination status.
According to HHS, this means the Privacy Rule does not apply when an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
NOTE: The Privacy Rule does not apply to employment records, including records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.
HHS notes that other federal or state laws do address terms and conditions of employment. For example, federal anti-discrimination laws do not prevent an employer from requiring that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. However this rule is subject to reasonable accommodation provisions and other equal employment opportunity considerations. Also, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under laws such as the Americans with Disabilities Act.
Finally, HHS notes that the Privacy Rule does prohibit covered entities and their business associates from disclosing an individual’s PHI (including information about whether the individual has received a vaccine, such as a COVID-19 vaccine) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule.
The Q&As are available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html