“Doesn’t that violate HIPAA?” This is a question we hear regularly from employers, businesses and individuals who are concerned that asking someone for their COVID-19 vaccination status could raise issues under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The answer is no – it is not a problem to ask and it is not a problem to require disclosure of COVID-19 vaccination status. This is fairly clear on the face of the regulations themselves. While vaccination information is classified as health information that is generally covered by the HIPAA Privacy Rule, HIPAA generally only provides protections with respect to disclosures by covered entities (such as health care providers and health plans) and their business associates. HIPAA therefore does not apply to most employers, and does not apply when an individual employee discloses to their employer information about the employee’s own health status, including COVID-19 vaccination status.
The Department of Health and Human Services (“HHS”) has recently provided further reassurance regarding the inapplicability of HIPAA with respect to certain information about vaccination status in the form of lengthy FAQs posted to its website on September 30, 2021.
Most importantly, HHS confirmed that HIPAA’s Privacy Rule does not apply when an individual is asked about their COVID-19 vaccination status by their employer (or a store, restaurant, entertainment venue, or another individual). The FAQs also confirm that the HIPAA Privacy Rule does not prohibit an employer from requiring its workforce members to disclose whether they have received a COVID-19 vaccination, whether to the employer, to clients, or to other parties.
HIPAA does include restrictions on the use and disclosure of protected health information by covered entities and their business associates (and disclosure of an individual’s vaccination status would fall within those restrictions). The FAQs, however, outline certain circumstances under which a covered entity or business associate may disclose vaccine information consistent with HIPAA’s Privacy Rule. For example, a physician may disclose COVID-19 vaccination status to a health plan for payment purposes, as required by law, or pursuant to the individual’s written authorization.
Notably, the U.S. Equal Employment Opportunity Commission’s (EEOC) Technical Assistance Questions and Answers (updated October 13, 2021), titled “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws,” also make clear that employers are permitted to ask employees for information about their COVID-19 vaccination status. The EEOC, however, has clarified that information regarding an employee’s COVID-19 vaccination status constitutes confidential medical information under the Americans with Disabilities Act (“ADA”). Therefore, although employers may require employees to provide documentation or other confirmation of vaccination, this information, like all medical information, must be kept confidential and stored separately from the employee’s personnel files under the ADA.