Close this search box.

Health and Human Services Released HIPAA Guidance Addressing Applicability of Privacy Rule to COVID-19 Vaccination Status Requests

The federal Department of Health and Human Services (HHS) Office of Civil Rights recently issued guidance on whether the Health Insurance Portability and Accountability Act (HIPAA) applies to COVID-19 vaccination information and regulates disclosures of an individual’s COVID-19 vaccination status that touches specifically on employers and employees.

By way of background the HIPAA Privacy Rule (Privacy Rule) creates national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures of such information without patient authorization.

The Privacy Rule does not prohibit any person (i.e., an individual or an entity such as a business) or HIPAA covered entities and business associates from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. The Privacy Rule does not apply when an individual is asked about his/her/their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.

The Privacy Rule applies only to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates (such as health care claims processing services, medical transcriptionists, and accounting firms that have access to protected health information). The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information an employer can request from, or impose on, its employees as part of the terms and conditions of employment. Thus, a covered entity or business associate may require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

For example, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting its workforce members to:

  • Provide documentation of their COVID-19 or flu vaccinations to their current or prospective employer;

  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer;

  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location; and

  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Notwithstanding this, employers should be mindful that federal antidiscrimination laws, such as the Americans with Disabilities Act (ADA), do not prevent employers from requiring all employees physically entering the workplace to be vaccinated against COVID-19 and provide documentation or other confirmation that they meet this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations. However, under the ADA, an employer must keep all documentation regarding vaccinations in a confidential file and stored separately from the employee’s personnel file.

This summary is for informational purposes only and is not intended to constitute legal advice. This information should not be reused without permission.