Whether an employee’s vaccination status is protected by HIPAA has been (or should be) on the minds of all human resources personnel as of late. This is especially true in the wake of the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) impending rule that will likely require employers with 100+ employees to ensure their workforce is either vaccinated or regularly tested. While waiting for the OSHA rule to be finalized and released, employers should ensure they are familiar with the Privacy Rule’s application to vaccination status by asking questions like:

1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated?
2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

Fortunately, the Department of Health and Human Services (HHS) recently addressed these and other frequently asked questions in new guidance. Below is a quick refresher on the HIPAA privacy rule, as well as the HHS response to these common questions.

Privacy rule refresher

The HIPAA Privacy Rule generally applies to information categorized as protected health information (PHI). PHI includes almost all health information that identifies an individual – generally, information that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or payments for healthcare. PHI can include not only traditional healthcare information, but even names, addresses, ages, etc. when connected to healthcare information.

However, not all healthcare information constitutes PHI. PHI generally only encompasses health information that is created, received, maintained, or transmitted by a covered entity or a business associate. So that begs the question – what entities are covered entities? Health plans are generally covered entities. HIPAA defines this broadly to include any individual or group plan that pays for the cost of medical care. So, when in the hands of a covered entity, an individual’s vaccination status will likely constitute PHI and be protected under the Privacy Rule.

Importantly, HIPAA specifically excludes from PHI information held by the employer in its employment records. An employer who sponsors a group health plan generally wears two separate hats – it has different responsibilities when acting as an employer and when acting as a covered entity, i.e. the health plan.

Even if certain information may not be PHI and protected by HIPAA, employers should also consider whether state law provides a stricter rule. While state laws may not be less restrictive than HIPAA requirements, they can provide additional restrictions.

HHS answers our common questions

Given those basic rules, HHS answered these common questions for employers:

1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated?

No. HHS clarified that the Privacy Rule does not prohibit anyone from simply asking another whether he or she is vaccinated. When a business asks customers whether they are vaccinated, the business is likely not acting as a covered entity, i.e. the health plan. When the employer is not acting as the health plan, the Privacy Rule generally does not apply.

Additionally, the Privacy Rule does not prohibit covered entities from simply requesting health information. Instead, the Privacy Rule is concerned with the manner in which covered entities use and disclose PHI in their possession. HHS gave some examples. The Privacy Rule does not apply when an individual:

• is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual;
• asks another individual, their doctor, or a service provider whether they are vaccinated;
• asks a company, such as a home health agency, whether its workforce members are vaccinated.

The Privacy Rules also does not prohibit a person from disclosing his or her own vaccination status. HIPAA of course permits a person to disclose his own health status as he or she wishes. When an individual is discussing his own health information, he is most likely not acting as a covered entity or a business associate.

2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. Remember that the Privacy Rule does not apply to information held by the employer in its employment records – in contrast to information held by the health plan. The Privacy Rule does not prohibit an employer from requesting an employee’s vaccination status as part of the terms and conditions of employment. HHS also gave some examples here. The Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

• provide documentation of their COVID-19 or flu vaccination to their current or prospective employer;
• sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer;
• wear a mask – while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location;
• disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Although these examples are generally permitted under the Privacy Rule, employers should be aware that other federal or state laws may also come into play when requiring employees to obtain vaccinations as a condition of employment and how employers must handle that information. For example, documentation on an employee’s vaccination status must be kept confidential and stored separately from the employee’s other personnel files pursuant to the Americans with Disabilities Act.