QUESTION: We require employees to submit proof of a COVID-19 vaccination before returning to work in our office. May our Human Resources Department confirm employees’ eligibility to return by checking COVID-19 vaccination claims submitted to our group health plan?
ANSWER: The group health plan’s records generally should not be used to verify employees’ vaccination status for any employment-related purpose.
An employer’s group health plan is a HIPAA covered entity and, under HIPAA, is a separate legal entity from the employer. HIPAA applies to protected health information (PHI) that is created, maintained, received, or transmitted by your group health plan. Because the plan generally is required to cover COVID-19 vaccinations as preventive services, it is likely to have information about employees’ receipt of COVID-19 vaccinations, and this information is considered PHI.
PHI cannot be disclosed to a group health plan’s sponsor unless the privacy rule’s prerequisites for such disclosures have been met. Among other restrictions, the PHI generally may be disclosed only to employees performing administration functions for the plan. A firewall must be established between employees performing plan administration functions and all other employees, preventing PHI from being used or disclosed for employment-related purposes without the plan participant’s authorization. Confirming an employee’s eligibility to return to the office is an employment-related function, not a plan administration function, so your plan would not be permitted to disclose vaccination-related PHI to your Human Resources Department unless employees authorize the disclosure.
Employees (or other plan participants) cannot be required to sign authorizations allowing the employer to receive PHI from the group health plan as a condition of receiving group health plan benefits. So, rather than obtaining and retaining each employee’s authorization, a better approach to verifying employees’ vaccination status may be to have employees provide proof of vaccination directly to the Human Resources Department using the COVID-19 vaccination record card approved by the Centers for Disease Control and Prevention. Because this direct interaction between the employee and the Human Resources Department does not involve your group health plan, you avoid implicating the HIPAA privacy rule.
Other laws may apply when requiring employees to submit proof of vaccination, or when addressing other COVID-19 matters arising in the workplace. The EEOC has provided extensive guidance on COVID-19 issues under the Americans With Disabilities Act and other employment laws. These laws must be considered separately from HIPAA as they may impose requirements even in situations where HIPAA does not apply.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXII.A (“What Information Is Protected?”), XXII.B (“Which Entities Must Comply?”), and XXIII.C (“Sharing PHI and Electronic PHI With Plan Sponsors”). See also EBIA’s Group Health Plan Mandates manual at Section XVI (“COVID-19: Mandated Coverage and Other Requirements”). You may also be interested in our upcoming webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (live on 7/7/21).
Contributing Editors: EBIA Staff.