OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

HIPAA generally prohibits a physician from telling the individual’s employer or others whether an individual has received a COVID-19 vaccine. HIPAA prohibits covered entities from using or sharing an individual’s protected health information (PHI), such as whether they have received a COVID-19 vaccine, unless the individual authorizes the disclosure or it is permitted by HIPAA.

The guidance provides some scenarios where a covered entity is permitted under HIPAA to disclose information about COVID-19 vaccination without the patient’s authorization. For example:

  • A physician may disclose information relating to an individual’s vaccination to the individual’s health insurance in order to obtain payment for administering a COVID-19 vaccine.
  • A pharmacy may disclose information relating to an individual’s vaccination status to a public health authority, such as a state or local public health department.
  • A hospital may disclose information relating to an individual’s vaccination status to the individual’s employer in order to permit the employer to evaluate the spread of COVID-19 within the workforce or to determine whether the individual has a work-related illness, if the employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state laws.

In other circumstances, HIPAA generally requires a covered entity to obtain an individual’s written authorization before disclosing information about vaccine status to, for example, a sports arena, hotel, cruise ship, or airline.

HIPAA does not prohibit an employer from requiring an employee to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. HIPAA does not apply to employers and employment records. Consequently, HIPAA does not regulate what information employers can request from employees. Employers may require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation that they have met this requirement without violating HIPAA. Employers may also require the employee to share this information with clients and others. However, when requiring employees to obtain vaccinations and documentation of vaccination as a condition of employment, employers should ensure that these requirements comply with other federal or state laws, such as the Americans with Disabilities Act (ADA).

HIPAA does not prohibit a HIPAA covered entity from requiring members of its workforce to disclose to their employers or other parties whether they have received a COVID-19 vaccine. HIPAA does not apply to employers—including HIPAA covered entities in their role as employers—and employment records. Similar to other employers, HIPAA covered entities may require their employees, volunteers, contractors and other members of their workforce to be vaccinated against COVID-19 and to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

OCR also sets the record straight that HIPAA does not prohibit a covered entity from requiring or requesting each member of the workforce to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

As noted above, other federal and state laws, such as the ADA, may limit or affect the HIPAA covered entity’s use of this information.

HIPAA does not prevent individuals from choosing to disclose whether they have received a COVID-19 vaccine. HIPAA does not apply to individuals’ disclosures about their own health information. It applies only to HIPAA covered entities. Therefore, HIPAA does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

This long-overdue guidance addresses the misunderstandings about the application of HIPAA to questions about COVID-19 vaccinations by employers, businesses and others.

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021. This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA).

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule.


Audio-Video Conferencing Risks and Tips for Healthcare Providers

by Margaret Young Levi and Kathie McDonald-McClure

Federal and state governments have relaxed restrictions on telehealth to encourage and empower medical providers to serve patients at home during the novel coronavirus (COVID-19) national public health emergency (PHE). Both medical providers and patients have embraced this new way of connecting due to its convenience and, as a result, the expanded use of telehealth is likely here to stay. The use of audio and video conferencing for patient care, while convenient, risks an unauthorized disclosure of sensitive information if it is used without due regard for whether the connections are secure.

Following expansion by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) of federal telehealth services and relaxation of certain requirements during the COVID-19 PHE, Kentucky Medicaid followed suit. See our previous post about Kentucky Medicaid’s expansion of coverage for telehealth.

OCR Relaxes HIPAA enforcement for telehealth during COVID-19 PHE. OCR, the agency responsible for enforcement of HIPAA, issued guidance on its enforcement discretion with regard to certain telehealth practices under HIPAA. This guidance makes it clear that OCR will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services.

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 PHE. 


Kentucky Medicaid Further Expands Telehealth Coverage

By Lindsay K. Scott

Following expansion by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.


HHS Office for Civil Rights Issues Telehealth HIPAA Guidance during COVID-19 Emergency

On March 17, 2020, the Office for Civil Rights (“OCR”), the agency within the United States Department of Health & Human Services (“HHS”) responsible for enforcement of HIPAA, issued the following guidance: “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.” Pursuant to telehealth regulatory waivers issued by the HHS Centers for Medicare & Medicaid Services (“CMS”) effective during the COVID-19 Public Health Emergency (“PHE”), providers can use telehealth at any location including in a patient’s home. As more fully explained in its Telehealth Fact Sheet of March 17, 2020, HHS stated:

“The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. … It is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others’ exposure to further illness.”