COVID Vaccines: When is an employee’s immunization status protected by HIPAA? | McAfee and Taft
The question of whether an employee’s immunization status is HIPAA protected has been (or should be) on the minds of all human resources staff lately. This is especially true in the wake of the impending rule by the US Department of Labor’s Occupational Safety and Health Administration (OSHA) that will likely require employers with more than 100 employees to ensure that their workforce is either vaccinated or regularly tested. Until the OSHA rule is finalized and published, employers should ensure they are familiar with the application of the confidentiality rule to vaccination status by asking questions such as:
- Does the HIPAA privacy rule prohibit businesses or individuals from asking their customers if they’ve been vaccinated?
- Does the HIPAA privacy rule prohibit an employer from requiring a staff member to disclose if they have received a COVID-19 vaccine to the employer, customers or other parties?
Fortunately, the Department of Health and Human Services (HHS) recently addressed these and other frequently asked questions in new guidelines. Below is a quick reminder of the HIPAA privacy rule, along with the HHS ‘answer to these common questions.
Reminder of confidentiality rules
The HIPAA privacy rule generally applies to information classified as Protected Health Information (PHI). PHI includes almost all health information that identifies an individual – typically, information relating to an individual’s past, present, or future physical or mental health status, the provision of health care to an individual, or payments for health care. PHIs can include not only traditional health information, but even names, addresses, ages, etc. when connected to health information.
However, not all health care information constitutes PHI. PHI generally only includes health information that is created, received, maintained or transmitted by a covered entity or business associate. This therefore raises the question: which entities are covered entities? Health plans are generally covered entities. HIPAA defines this broadly to include any individual or group plan that pays the cost of medical care. Thus, when in the hands of a covered entity, an individual’s immunization status will likely constitute an RPS and be protected under the rule of confidentiality.
It is important to note that HIPAA specifically excludes PHI information held by the employer in its employment records. An employer sponsoring a group health plan usually wears two different hats – they have different responsibilities when acting as an employer and when acting as a covered entity i.e. the plan health.
While some information may not be PHI and HIPAA protected, employers should also consider whether state law provides for a stricter rule. While state laws are no less restrictive than HIPAA requirements, they may provide additional restrictions.
HHS answers our common questions
Based on these ground rules, HHS has answered these common questions for employers:
1. Does the HIPAA privacy rule prohibit businesses or individuals from asking their customers if they have been vaccinated?
No. The HHS has clarified that the privacy rule does not prohibit anyone from simply asking another if they are vaccinated. When a business asks its customers if they are vaccinated, the business is probably not acting as a covered entity i.e. the health plan. When the employer is not acting as a health insurance plan, the rule of confidentiality does not generally apply.
In addition, the confidentiality rule does not prohibit covered entities from simply requesting health information. Instead, the rule of confidentiality concerns the way in which covered entities use and disclose the PSR in their possession. HHS gave a few examples. The confidentiality rule does not apply when an individual:
- is asked about their immunization status by a school, employer, store, restaurant, entertainment venue or other person;
- ask another person, their doctor or a service provider if they are vaccinated;
- asks a business, such as a home care agency, if its employees are vaccinated.
Nor do the rules of confidentiality prohibit a person from disclosing their own immunization status. HIPAA of course allows a person to disclose their own health condition as they wish. When an individual discusses their own health information, they are probably not acting as a covered entity or as a business associate.
2. Does the HIPAA privacy rule prohibit an employer from requiring a staff member to disclose if they have received a COVID-19 vaccine to the employer, customers, or other parties?
No. Remember that the rule of confidentiality does not apply to information held by the employer in its employment records, unlike information held by the health insurance plan. The confidentiality rule does not prohibit an employer from requesting an employee’s immunization status as part of the terms of employment. HHS also gave some examples here. The confidentiality rule does not prohibit a covered entity or a business associate from requiring or asking each staff member to:
- provide documentation of their COVID-19 or influenza vaccination to their current or potential employer;
- sign a HIPAA authorization for a covered healthcare provider to disclose the staff member’s COVID-19 or chickenpox vaccination record to their employer;
- wearing a mask – on the employer’s premises, on the employer’s property or in the normal course of carrying out his duties at another location;
- disclose if they have received a COVID-19 vaccine in response to questions from current or potential patients.
While these examples are generally allowed under the rule of confidentiality, employers should be aware that other federal or state laws may also come into play when they require employees to be vaccinated as a condition of employment and how to do so. employers must process this information. For example, documentation of an employee’s immunization status should be kept confidential and kept separate from other employee personal records in accordance with the Americans with Disabilities Act.