HHS Clarifies Very Limited HIPAA Protections for Vaccine Disclosures
The US Department of Health and Human Services decided to celebrate the last day of September by offering its guidance on the question of whether or not the HIPAA Privacy Rule prohibits businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
Spoiler alert – the answer is no.
The HHS also quite definitely shut the door on any notion of prohibitions in the Privacy Rule from customers or clients of a business disclosing whether they have received a COVID vaccine and the notion of prohibiting an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
For a detailed overview of this and more, please continue reading.
HHS Clarifies Scope of Vaccine Disclosures Allowed by HIPAA
Employers, including those in the healthcare sector, have considerable latitude to monitor employees’ vaccination status within the permissible bounds of the Health Insurance Portability and Accountability Act’s (HIPAA) privacy rules, according to guidance from the U.S. Department of Health and Human Services (HHS).
HIPAA does not “prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties,” according to question-and-answer document released September 30 by HHS’ Office for Civil Rights (OCR).
HIPAA does not apply to records that a business holds in its capacity as an employer, so generally “the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce,” the OCR explained. Even if the employer is a HIPAA-covered entity (e.g., a healthcare provider or insurer) or its business associate, the privacy rules would allow requiring or requesting employees to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer;
- Sign a HIPAA authorization for a covered health care provider to disclose the employee’s COVID-19 or varicella vaccination record to their employer;
- Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location; or
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
“We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” said OCR Director Lisa Pino in announcing the guidance, titled “HIPAA, COVID-19 Vaccination, and the Workplace.”
HIPAA’s privacy rules apply only to HIPAA “covered entities”—health plans, healthcare clearinghouses, and most healthcare providers—and “business associates” that handle protected health information (PHI) on their behalf.
When in the hands of a healthcare provider or insurer—or sometimes an employer’s benefits staff—information on an employee’s vaccination status could be PHI and thus subject to HIPAA’s strict limits on use and disclosure. However, information that an employer holds, obtains, or requests in its employer capacity (rather than as administrator of the health plan) will not be subject to HIPAA. (See the Health Information Privacy (HIPAA) analysis.)
Employment Laws Like ADA Apply
Even if HIPAA is not implicated, the employer still must comply with other laws, such as the Americans with Disabilities Act (ADA). The ADA’s implications for employee vaccination were previously addressed in separate guidance from the U.S. Equal Employment Opportunity Commission (EEOC).
“For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations,” the OCR noted. “Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the [ADA].”
Physician Disclosures to Employer
HIPAA still must be considered when an employer tries to obtain employee vaccine information from a physician or other healthcare provider.
“The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine …) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule,” the OCR stated. Such disclosures generally must be limited to what is reasonably necessary for the stated purpose (for example, to obtain payment from a health plan).
Under HIPAA’s “workplace surveillance” exception, the OCR noted, a hospital may “disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness,” assuming the following conditions are met:
- The hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
- The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
- The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration, or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, worker side effects from vaccination constitute a “recordable illness,” and thus, employers are responsible for recording such side effects in certain circumstances).
- The covered healthcare provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer. (This can be accomplished by providing the individual with a copy of the notice at the time the health care is provided, or by posting the notice in a prominent place at the location where the health care is provided, if this is on the employer’s worksite.)
In general, though, a healthcare provider may not disclose PHI related to individual vaccination to a third party—be it the individual’s employer or a business like a hotel or airline. However, providers may always disclose an individual’s own PHI to the individual, who may in turn disclose it to whomever they wish.