OCR Guidance Addresses HIPAA Privacy Rule’s Application to COVID­­­-19 Vaccination Inquiries

HHS’s Office for Civil Rights (OCR) has issued guidance on when the HIPAA privacy rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine. The guidance indicates that the privacy rule does not prohibit any person or business (including a covered entity such as a health plan or its business associate) from asking whether an individual has received a COVID-19 vaccine. This means that the privacy rule does not apply when an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual. Likewise, the privacy rule does not prohibit individuals from asking other individuals (e.g., doctors or service providers) about their vaccination status or from disclosing information about their own vaccination status. Addressing some common workplace scenarios, the guidance notes that because employment records are not subject to the privacy rule, the rule does not prohibit employers (including covered entities and business associates acting in their capacity as employers) from requiring workforce members to (1) disclose to the employer, clients, or other parties whether they have received a COVID-19 vaccine, or (2) sign a HIPAA authorization for a health care provider to disclose the workforce member’s vaccination record to the employer.

The guidance cautions, however, that federal and state employment laws must be considered in addition to HIPAA. These laws address the terms and conditions of employment—including any requirement that workforce members be vaccinated and provide documentation of their vaccination status—and impose confidentiality and other obligations on employers. (The EEOC has provided separate guidance on federal employment laws (see our Checkpoint article).) Moreover, if the entity receiving information about an individual’s vaccination is a covered entity or business associate not acting in its capacity as an employer, then HIPAA’s use and disclosure rules must be considered. Covered entities and business associates may disclose protected health information (PHI) without an individual’s authorization for payment and other specified purposes under the privacy rule (e.g., a physician is permitted to disclose an individual’s receipt of the COVID-19 vaccine to a health plan to receive payment for administration of the vaccine). In other circumstances, however, a covered entity or business associate would have to obtain the individual’s authorization before disclosing vaccination information, for example, to a sports arena, hotel, cruise ship, or airline—but individuals could choose to disclose their own vaccination status in these situations.

EBIA Comment: Although the guidance focuses on COVID-19, a footnote clarifies that the principles are applicable to all vaccinations. By emphasizing that the privacy rule applies only to health plans, health care clearinghouses, and certain health care providers (and, to some extent, their respective business associates), the guidance seems intended to dispel some common misconceptions about the privacy rule’s scope. While the privacy rule generally does not restrict employers’ ability to ask employees about their vaccination status, the federal and state laws mentioned in the guidance should be carefully considered. Also, employers should keep in mind that the privacy rule limits health plans’ disclosures of PHI, including vaccination information, without an individual’s authorization, and additional restrictions apply to disclosures from a health plan to the plan sponsor. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII.C (“Sharing PHI and Electronic PHI With Plan Sponsors”), XXIII.F (“Applying the HIPAA Privacy and Security Rules to Group Health Plans and Their Sponsors”), and XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”).

Contributing Editors: EBIA Staff.