On Sept. 30, 2021, the Department of Health and Human Services published guidance, “HIPAA, COVID-19 Vaccination, and the Workplace,” (the Guidance) that details the ways in which the Health Insurance Portability and Accountability Act (HIPAA) intersects with workplace and other third-party inquiries regarding COVID-19 vaccinations. 

The HIPAA Privacy Rule, at issue here, applies the use and disclosure of protected health information (PHI) to covered entities and business associates. “Covered entities” include health plans, health care clearinghouses, health care providers that conduct standard electronic transactions and “business associates” are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Per the Guidance, the Privacy Rule is not implicated by a business inquiring whether their employees, customers or clients have received a COVID-19 vaccine. Additionally, the Privacy Rule does not apply when an individual (1) is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue or another individual; (2) asks another individual, their doctor or a service provider whether they are vaccinated; or (3) asks a company, such as a home health agency, whether its workforce members are vaccinated.

Moreover, the Privacy Rule is not violated when an employer requires an employee to disclose whether they have received the COVID-19 vaccine. Generally, the Privacy rule does not apply to employment records, including employment records held by covered entities or business associates, and does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce. Furthermore, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting that a workforce member (1) provide documentation of their COVID-19 or flu vaccination to their current or prospective employer; (2) sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer; or (3) wear a mask – while in the employer’s facility, on the employer’s property or in the normal course of performing their duties at another location.

The Guidance also notes that the Privacy Rule is not implicated when an employee discloses their own vaccination status, there is additional information contained within the Guidance for specific covered entities regarding when they may disclose vaccination information without patient consent. Finally, the Guidance reminds employers that documentation or other confirmation of vaccination, to the extent is received by an employer, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). 

[View source.]