OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds readers that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

HIPAA generally prohibits a physician from telling the individual’s employer or others whether an individual has received a COVID-19 vaccine. HIPAA prohibits covered entities from using or sharing an individual’s protected health information (PHI), such as whether they have received a COVID-19 vaccine, unless the individual authorizes the disclosure or it is permitted by HIPAA.

The guidance provides some scenarios where a covered entity is permitted under HIPAA to disclose information about COVID-19 vaccination without the patient’s authorization. For example:

  • A physician may disclose information relating to an individual’s vaccination to the individual’s health insurance in order to obtain payment for administering a COVID-19 vaccine.
  • A pharmacy may disclose information relating to an individual’s vaccination status to a public health authority, such as a state or local public health department.
  • A hospital may disclose information relating to an individual’s vaccination status to the individual’s employer in order to permit the employer to evaluate the spread of COVID-19 within the workforce or to determine whether the individual has a work-related illness, if the employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state laws.

In other circumstances, HIPAA generally requires a covered entity to obtain an individual’s written authorization before disclosing information about vaccine status to, for example, a sports arena, hotel, cruise ship, or airline.

HIPAA does not prohibit an employer from requiring an employee to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. HIPAA does not apply to employers and employment records. Consequently, HIPAA does not regulate what information employers can request from employees. Employers may require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation that they have met this requirement without violating HIPAA. Employers may also require the employee to share this information with clients and others. However, when requiring employees to obtain vaccinations and documentation of vaccination as a condition of employment, employers should ensure that these requirements comply with other federal or state laws, such as the Americans with Disabilities Act (ADA).

HIPAA does not prohibit a HIPAA covered entity from requiring members of its workforce to disclose to their employers or other parties whether they have received a COVID-19 vaccine. HIPAA does not apply to employers—including HIPAA covered entities in their role as employers—and employment records. Similar to other employers, HIPAA covered entities may require their employees, volunteers, contractors and other members of their workforce to be vaccinated against COVID-19 and to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

OCR also sets the record straight that HIPAA does not prohibit a covered entity from requiring or requesting each member of the workforce to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

As noted above, other federal and state laws, such as the ADA, may limit or affect the HIPAA covered entity’s use of this information.

HIPAA does not prevent individuals from choosing to disclose whether they have received a COVID-19 vaccine. HIPAA does not apply to individuals’ disclosures about their own health information. It applies only to HIPAA covered entities. Therefore, HIPAA does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

This long-overdue guidance addresses the misunderstandings about the application of HIPAA to questions about COVID-19 vaccinations by employers, businesses and others.

Healthcare Privacy Practices Notice Must Include Nondiscrimination Notice

By Margaret Young Levi and Kathie McDonald-McClure

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.

You might ask, “Why am I reading about this on a legal blog about privacy and security?”  This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.


Massive malicious email campaign spoofs Google Docs to hijack Gmail accounts

A massive email phishing campaign started Wednesday afternoon. The email attacks target Google accounts but have spread to other email accounts as people have been tricked into clicking on the link in the email and have unwittingly supplied their Google account access credentials and access to their contacts.

The reports of the malicious emails are coming from people across a range of industries. The emails contain what looks like a link to a Google Doc and appear to come from someone you know. These emails, however, are malicious and are designed to trick the recipient in a way that allows the cybercriminal to hijack email accounts or infect the user’s computer.

If you receive an email with a link to Google Docs, BEWARE! These emails are designed to look like they come from a trusted or known source. Do not click on any links in emails that you were not expecting.

A screen shot of one of the Google Docs phishing emails is shown below. If you receive one of these emails, delete it ASAP. If you use Gmail or Google Inbox, consider activating the 2-factor authentication feature to secure your account.

Several major news organizations and cable networks are reporting on this story. For the most up-to-date news on this developing story, use your favorite internet search engine to search for “google phishing email scam”.

[Image: a sample Google Docs phishing email. The form and style of the email may vary from this sample.]

To read Google’s Gmail Help on phishing emails, use your preferred internet search engine and search for: “Google Help and how to avoid and report phishing emails”.

If you are attacked by malware or a phishing email that compromises your organization’s privacy and security, Wyatt’s experienced Data Security Incident Response Team is ready to help.

Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit. Blockchain, the technology that underpins bitcoin, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger. This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication Wired describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a