When use or disclosure of an individual’s health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.
Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the “HIPAA rules”), issued this guidance. We have summarized some of the key points below.
Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
The OCR’s answer is clear – No.
The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.
The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.
Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
This is a popular question these days. The OCR’s answer, “No.”
OCR reminds readers that the HIPAA rules do not apply to employment records:
including employment records held by covered entities or business associates in their capacity as employers.
The OCR also observed that:
federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.
But, again, once collected, vaccination information must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). And, group health plans sponsored by employers are, in most cases, HIPAA covered entities. This means that COVID-19 vaccination information maintained in connection with those plans, such as claims information, would be PHI subject to the HIPAA rules.
Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
Another popular question and, again, the OCR’s answer is no.
The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
- Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Do the HIPAA rules prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?
Here, the answer is generally, yes. The doctor’s office is a HIPAA covered entity and the HIPAA rules prohibit covered entities from using or disclosing an individual’s (patient’s) PHI except with the individual’s authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor’s office will need a written authorization in order to disclosure the records.
Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.
The OCR provides some additional examples:
- A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
- A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, provided all of the following conditions are met:
- The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
- The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
- The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose
- The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.
Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations – screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules – the HIPAA rules – apply to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.