OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds readers that HIPAA applies only to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and that it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine.

HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

HIPAA generally prohibits a physician from telling the individual’s employer or others whether an individual has received a COVID-19 vaccine.

HIPAA prohibits covered entities from using or sharing an individual’s protected health information (PHI), such as whether they have received a COVID-19 vaccine, unless the individual authorizes the disclosure or it is permitted by HIPAA.

The guidance provides some scenarios where a covered entity is permitted under HIPAA to disclose information about COVID-19 vaccination without the patient’s authorization. For example:

  • A physician may disclose information relating to an individual’s vaccination to the individual’s health insurance in order to obtain payment for administering a COVID-19 vaccine.
  • A pharmacy may disclose information relating to an individual’s vaccination status to a public health authority, such as a state or local public health department.
  • A hospital may disclose information relating to an individual’s vaccination status to the individual’s employer in order to permit the employer to evaluate the spread of COVID-19 within the workforce or to determine whether the individual has a work-related illness, if the employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state laws.

In other circumstances, HIPAA generally requires a covered entity to obtain an individual’s written authorization before disclosing information about vaccine status to, for example, a sports arena, hotel, cruise ship, or airline.

HIPAA does not prohibit an employer from requiring an employee to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.

HIPAA does not apply to employers and employment records. Consequently, HIPAA does not regulate what information employers can request from employees. Employers may require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation that they have met this requirement without violating HIPAA. Employers may also require the employee to share this information with clients and others. However, when requiring employees to obtain vaccinations and documentation of vaccination as a condition of employment, employers should ensure that these requirements comply with other federal or state laws, such as the Americans with Disabilities Act (ADA).

HIPAA does not prohibit a HIPAA covered entity from requiring members of its workforce to disclose to their employers or other parties whether they have received a COVID-19 vaccine.

HIPAA does not apply to employers—including HIPAA covered entities in their role as employers—and employment records. Similar to other employers, HIPAA covered entities may require their employees, volunteers, contractors and other members of their workforce to be vaccinated against COVID-19 and to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

OCR also sets the record straight that HIPAA does not prohibit a covered entity from requiring or requesting each member of the workforce to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

As noted above, other federal and state laws, such as the ADA, may limit or affect the HIPAA covered entity’s use of this information.

HIPAA does not prevent individuals from choosing to disclose whether they have received a COVID-19 vaccine.

HIPAA does not apply to individuals’ disclosures about their own health information. It applies only to HIPAA covered entities. Therefore, HIPAA does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

This long-overdue guidance addresses the misunderstandings about the application of HIPAA to questions about COVID-19 vaccinations by employers, businesses and others.