Workplace guidance on HIPAA and vaccine status disclosures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued Q&A guidance to help clarify when a person’s vaccine status is covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. Although the Q&As focus on the COVID-19 vaccine, the information applies to all vaccines, regardless of the disease or condition being protected against or whether the vaccine has been fully approved or received an emergency use authorization.

The employment-related guidance is discussed below.

1. An employer may require its workers to disclose to their employer, its clients or other parties whether they have received a COVID-19 vaccine.

The HIPAA privacy rule applies only to HIPAA covered entities (health plans, healthcare clearinghouses and healthcare providers that conduct standard electronic transactions), and, in certain situations, to their business associates.

While in general, the privacy rule does not apply to information an employer may request from employees as a condition of employment, other federal or state laws do. For example, under federal anti-discrimination laws, an employer may require that all employees entering the workplace provide documented proof of COVID-19 vaccination, subject to reasonable accommodations and other equal employment opportunity provisions. Under the Americans with Disabilities Act, vaccine documentation must be kept confidential and stored separately from the employee’s personnel files. This guidance also applies to covered entities and business associates (see below).

2. A covered entity or business associate may require its workers to disclose to their employer or other parties whether they have received a COVID-19 vaccine.

Again, because the HIPAA privacy rule does not apply to employment records, generally, the rule does not regulate what employee information a covered entity or business associate can request as a condition of employment.

According to the Q&A guidance, a covered entity or business associate may require or request employees to:

• Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
• Sign a HIPAA authorization for a covered healthcare provider to disclose the workforce member’s COVID-19 or varicella vaccination record to his or her employer.
• Wear a mask while in the employer’s facility, on the employer’s property or in the normal course of performing their duties at another location.
• Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
3. In general, a doctor’s office may not disclose to an employer or other parties an individual’s protected health information (PHI), including whether he or she has received a COVID-19 vaccine.

Under the HIPAA privacy rule, covered entities and their business associates may not use or disclose an individual’s PHI, including vaccine status, unless they obtain authorization from the individual or the privacy rule allows it. Only PHI that is reasonably necessary for a stated purpose may be disclosed.

The following are examples in the guidance of permissible vaccine status disclosures under the HIPAA privacy rule:

• A covered physician may disclose PHI on an individual’s vaccination to the individual’s health plan to obtain payment for administering a COVID-19 vaccine.
• A covered pharmacy may disclose PHI on an individual’s vaccination status (e.g., that an individual has received a COVID-19 vaccination, the vaccination date, the vaccine manufacturer) to a public health authority, such as a state or local public health agency.
• A health plan may disclose an individual’s vaccination status where required by law.
• A covered nurse practitioner may provide PHI relating to an individual’s COVID-19 vaccination status to that individual.
• A covered hospital may disclose PHI on an individual’s vaccination status to the individual’s employer so the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, if certain conditions are met.

If a covered entity wants to disclose an individual’s vaccine status in other circumstances (e.g., to a sports or entertainment event organizer, hotel, airline or car rental agency), the HIPAA privacy rule generally requires the individual’s written authorization.