Guidance on Applicability of HIPAA Privacy Rule to COVID-19 Vaccine Disclosures in the Workplace

By Burnham Compliance

10.01.21

On September 30th, the Office for Civil Rights (OCR) division of the Department of Health and Human Services (HHS) issued Q&A guidance to address questions about when and how the HIPAA Privacy Rule applies to uses and disclosures of COVID-19 vaccination-related information, specifically to their applicability to individuals’ disclosures of their COVID-19 vaccination status in the employment and health care contexts. These Q&As expand on existing guidance issued during the pandemic regarding HIPAA’s privacy and security requirements and COVID-19. (The HIPAA Privacy Rule refers to the privacy regulations under the Health Insurance Portability and Accountability Act of 1996, 45 CFR part 160 and subparts A and E of part 164, which regulates the uses and disclosure of protected health information (PHI).)

The applicability of the Q&As is not intended to be limited to the COVID-19 vaccine, but to apply to all vaccinations, regardless of the disease or condition being addressed, or whether the vaccine has been fully approved or authorized via an emergency use authorization.

These Q&As are summarized below and available in their entirety here.

Q1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

No. The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

Q2. Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?

No. The Privacy Rule does not prevent any individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates. Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

Q3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.

However, other federal or state laws do address terms and conditions of employment. For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations. Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

Q4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

No. The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

Other federal or state laws address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination. These laws also address how employers must treat medical information that they obtain from employees. For example, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the ADA.

Q5. Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Generally, yes. The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine; the individual’s medical history or demographic information) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule. Generally, where a covered entity or business associate is permitted to disclose PHI, it is limited to disclosing the PHI that is reasonably necessary to accomplish the stated purpose for the disclosure.

NOTE: The Privacy Rule does not prohibit an individual from choosing to provide any of these individuals or entities with information regarding their vaccination status.

MORE RESOURCES

For additional information on the Privacy Rule and its application, visit here.
The Centers for Disease Control (CDC) has issued the publication, “Updated Healthcare Infection Prevention and Control Recommendations in Response to COVID-19 Vaccination”,
Additional guidance and resources from OSHA on COVID-19 and the workplace, are available here and here, and
The U.S. Equal Employment Opportunity Commission issued guidance entitled, “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws”.

ADDITIONAL INFORMATION

Please also contact your Burnham Benefits Consultant or Burnham Benefits at 949‐833‐2983 or inquiries@burnhambenefits.com.

Burnham Benefits does not engage in the practice of law and this publication should not be construed as the providing of legal advice or a legal opinion of any kind. The consulting advice we provide is intended solely to assist in assessing its compliance with the Patient Protection and Affordable Care Act and other applicable federal and state law requirements, and is based on Burnham Benefit’s interpretation of federal guidance in effect as of the date of this publication. To the best of our knowledge, the information provided herein, and assumptions relied on, are reasonable and accurate as of the date of this publication. Furthermore, to ensure compliance with IRS Circular 230, any tax advice contained in this publication is not intended to be used, and cannot be used, for purposes of (i) avoiding penalties imposed under the United States Internal Revenue Code or (ii) promoting, marketing or recommending to another person any tax-related matter.

Insights

Stay a step ahead with our curated views on key issues of the day.

View All

Careers

See what it takes to join a team that’s shaping the future of consulting.

View All

Press & News

Learn how our approach to consulting is changing our industry for the better.

View All