The Department of Health and Human Services (“HHS”) issued guidance in the form of questions and answers addressing how the HIPAA Privacy Rule applies in regard to COVID-19 vaccinations. The guidance makes clear that HIPAA’s privacy rules are not an obstacle to an employer that would like to establish a vaccination requirement for its employees and customers.

Background

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal law that establishes national standards to protect sensitive patient health information, commonly referred to as “protected health information” or “PHI,” from being disclosed without the patient’s consent or knowledge. HIPAA has three main components:

1. the Privacy Rule which provides that PHI cannot be used or disclosed without authorization unless it is for treatment, payment or health care operations;

2. the Security Rule which ensures confidentiality, integrity and availability of all electronic PHI that is created, received, maintained or transmitted; and

3. Breach Notification Rule which requires notice when PHI is acquired, accessed, used or disclosed in a manner not permitted under the Privacy rule.

Many employers questioned whether the HIPAA Privacy Rule would limit the ability of an employer to have a mandatory COVID-19 vaccination policy with respect to its employees. The guidance makes clear that HIPAA’s Privacy Rule does not prevent an employer from putting forth such a policy.

The Guidance

The guidance restates an established HIPAA principle – that the Privacy Rule only applies to covered entities, including health plans, certain healthcare providers, healthcare clearinghouses and their business associates. While self- funded health plans generally operate through sponsoring employers, the guidance reiterates that the Privacy Rule does not apply to employers acting in their capacity as employers or employment records.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates (which are functioning at such time in their role as an employer), from asking whether an individual has received a particular vaccine, including the COVID-19 vaccines.

HHS also explained that because HIPAA regulates the use and disclosure of PHI and not the ability to request information, the HIPAA Privacy Rule does not prohibit a covered entity from receiving COVID-19 vaccination information. However, after receipt of such information, an employer would likely have a duty to safeguard that information and keep it confidential.

The guidance also provides that an employer may require employees to disclose whether they have received a COVID-19 vaccine to the employer, clients or other parties. HHS observed that federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions, other equal employment opportunity considerations and conflicting state laws, as applicable. As stated before, once this information is collected, however, it must be kept confidential and stored separately from an employee’s personnel file.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from HHS make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

• Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.

• Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.

• Wear a mask – while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.

• Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Finally, HHS provided that the HIPAA Privacy Rule generally does prohibit health care providers from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer without consent from the individual, unless an exception applies. Exceptions could include disclosures made for treatment, payment or other health care operations.