HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance – JD Supra

The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.[1]

On September 30, 2021, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance (the Guidance) entitled, HIPAA, COVID-19 Vaccination, and the Workplace, regarding the applicability of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (Privacy Rule) to disclosures and requests for information regarding COVID-19 vaccination status. In a frequently-asked-questions format, the Guidance sets forth a series of workplace-related scenarios involving the confidentiality of an employees vaccination status, an employers ability to obtain vaccination information from its employees, and the confidentiality of such information.

Per the Guidance, HIPAA does not prevent or apply to the following scenarios:

According to the Guidance, the Privacy Rule does not prevent or apply to an employer requiring a workforce member to disclose whether he or she has received a COVID-19 vaccine to the employer, clients or other parties, including patients or members of the public. The Privacy Rule does not apply to employment records, or regulate what information can be requested from employees as part of the terms and conditions of employment imposed by the employer, even if the employer is a covered entity or business associate. Specifically, an employer may request or require:

Note, however, the Privacy Rule does impact how and when the covered entity or business associate can use and disclose such protected health information (PHI), including information about an individuals vaccination status to an employer or other business. For instance, a doctors office may not disclose an individuals PHI, including whether they have received a COVID-19 vaccine, to the individuals employer or other party unless it has the individuals authorization or as otherwise expressly permitted by the Privacy Rule. Similarly, the individuals authorization is required for the covered entity to disclose vaccination status for entertainment, leisure or travel purposes.

Even where authorized, the covered entity or business associate should only disclose the PHI that is reasonably necessary to accomplish the purpose of the disclosure, or where otherwise required by law. For example:

However, a covered entity hospital may disclose PHI related to an employees vaccination status to the employer for purposes of medical surveillance of the workplace or for evaluation of whether the individual has a work-related illness as long as (i) the hospital is providing the healthcare service to the individual at the employers request or as a member of the employers workforce; (ii) the PHI that is disclosed consists of findings concerning work-related illness or medical surveillance; (iii) the employer needs the findings to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA) or state laws with similar purposes; and (iv) the provider provides written notice to the individual that the PHI will be disclosed to the employer.

Additionally, given that the Privacy Rule only applies to covered entities and their business associates, it does not impact an individuals decision on whether or not to disclose his or her vaccination status. Healthcare pundits have frequently noted a common misconception that HIPAA protects PHI, including an individuals vaccination status, from voluntary disclosure by the individual whose PHI is at issue.[2] As shown in the Guidance, this is not true. Notably, public figures who are asked about their vaccination status and decline to answer based upon what they identify as their HIPAA rights are, in fact, simply making a personal choice to not disclose their information. HIPAA does not prevent an individual from asking the question and it does not prevent an individual from answering the question in any way they choose.

As the OCR reminds the reader in the Guidance, the Guidance only sets forth the applicability of HIPAA to the scenarios described therein. Other state or federal laws and regulations may still apply to requests for, or the disclosure of, vaccination status. For example, under Title I of the Americans with Disabilities Act, employers that collect documentation regarding employee vaccination status must keep such documentation confidential and store it separately from the employees personnel files. State laws may have similar provisions which go above-and-beyond what may be required under State law.

We will continue to monitor and provide updates on any further guidance released in relation to COVID-19 vaccines and disclosure or requests for information requirements.

FOOTNOTES

[1] HIPAA, COVID-19 Vaccination, and the Workplace, Department of Health and Human Services, Office of Civil Rights (September 30, 2021) at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.

[2] Common Misconceptions About HIPAA and COVID-19 Vaccination Status; Asking someone about their COVID 19 vaccination status is not a HIPAA violation, despite prominent figures saying otherwise, by Jill McKeon, Xtelligent Healthcare Media (August 21, 2021) at https://healthitsecurity.com/news/common-misconceptions-about-hipaa-and-covid-19-vaccination-status.

Read more here:

HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance - JD Supra