The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued Q&A guidance to help clarify when a person’s vaccine status is covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. Although the Q&As focus on the COVID-19 vaccine, the information applies to all vaccines, regardless of the disease or condition being protected against or whether the vaccine has been fully approved or received an emergency use authorization.
The employment-related guidance is discussed below.
The HIPAA privacy rule applies only to HIPAA covered entities (health plans, healthcare clearinghouses and healthcare providers that conduct standard electronic transactions), and, in certain situations, to their business associates.
While in general, the privacy rule does not apply to information an employer may request from employees as a condition of employment, other federal or state laws do. For example, under federal anti-discrimination laws, an employer may require that all employees entering the workplace provide documented proof of COVID-19 vaccination, subject to reasonable accommodations and other equal employment opportunity provisions. Under the Americans with Disabilities Act, vaccine documentation must be kept confidential and stored separately from the employee’s personnel files. This guidance also applies to covered entities and business associates (see below).
Again, because the HIPAA privacy rule does not apply to employment records, generally, the rule does not regulate what employee information a covered entity or business associate can request as a condition of employment.
According to the Q&A guidance, a covered entity or business associate may require or request employees to:
Under the HIPAA privacy rule, covered entities and their business associates may not use or disclose an individual’s PHI, including vaccine status, unless they obtain authorization from the individual or the privacy rule allows it. Only PHI that is reasonably necessary for a stated purpose may be disclosed.
The following are examples in the guidance of permissible vaccine status disclosures under the HIPAA privacy rule:
If a covered entity wants to disclose an individual’s vaccine status in other circumstances (e.g., to a sports or entertainment event organizer, hotel, airline or car rental agency), the HIPAA privacy rule generally requires the individual’s written authorization.
Title | File Type | File Size |
---|---|---|
Insider October 2021 | .3 MB |