OCR Speaks To HIPAA, COVID-19 Vaccinations, Privacy, And The Workplace – JD Supra

When use or disclosure of an individual's health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.

Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the HIPAA rules), issued this guidance. We have summarized some of the key points below.

Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The OCR's answer is clear: No.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.

The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.

Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

This is a popular question these days. The OCR's answer: No.

OCR reminds readers that the HIPAA rules do not apply to employment records:

including employment records held by covered entities or business associates in their capacity as employers.

The OCR also observed that:

federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

But, again, once collected, vaccination information must be kept confidential and stored separately from the employee's personnel files under Title I of the Americans with Disabilities Act (ADA).

Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Another popular question and, again, the OCR's answer is no.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

Do the HIPAA rules prohibit a doctor's office from disclosing an individual's PHI, including whether they have received a COVID-19 vaccine, to the individual's employer or other parties?

Here, the answer is generally, yes. The doctor's office is a HIPAA covered entity and the HIPAA rules prohibit covered entities from using or disclosing an individual's (patient's) PHI except with the individual's authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor's office will need a written authorization in order to disclose the records.

Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.

The OCR provides some additional examples:

Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations: screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules (the HIPAA rules) applies to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.
