There are many misconceptions on when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (“Privacy Rule” or “Rule”) applies in the employment setting, specifically, as it relates to inquiries regarding an employee’s vaccination status. The reality is that there are very few cases in which the Privacy Rule applies to employment records. In light of vaccine mandates which require employers to inquire about vaccination status, on September 30, 2021, the Department of Health and Human Services (HHS) published guidance, “HIPAA, COVID-19 Vaccination, and the Workplace.” The guidance details the ways in which HIPAA intersects with the workplace and other third-party inquiries regarding COVID-19 vaccinations.
What Is the Privacy Rule?
The Privacy Rule applies to the use and disclosure of protected health information (PHI) to covered entities and business associates. “Covered entities” include health plans, health care clearinghouses, health care providers that conduct standard electronic transactions and “business associates” are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
How Does HIPAA Apply to Employment Records?
Generally, the Privacy Rule applies to the disclosures made by the employee’s health care provider, not questions the employer may ask. As such, items such as doctor’s notes or other health information needed to designate sick leave, workers’ compensation, wellness programs or health insurance does not fall under the Privacy Rule.
According to HHS, “the Privacy Rule does not protect your employment records, even if the information in those records is health related. In most cases, the Privacy Rule does not apply to the actions of an employer. For employees who work for a health plan or a covered health care provider, the Privacy Rule does not apply to their employment records, but the Rule does protect their medical or health plan records if they are a patient of the provider or a member of the health plan.”
What Are the Key Highlights of the Guidance?
The guidance affirms the Privacy Rule is not implicated or violated when an employer inquires whether their employees, customers or clients have received a COVID-19 vaccine. The Privacy Rule does not apply when an individual:
- Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue or another individual;
- Asks another individual, their doctor or a service provider whether they are vaccinated; or
- Asks a Company, such as a home health agency, whether its workforce members are vaccinated.
Furthermore, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting that an employee:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer;
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer;
- Wear a mask, while in the employer’s facility, on the employer’s property or in the normal course of performing their duties at another location; or
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
The guidance also notes that the Privacy Rule does not prohibit an individual from choosing to provide any of these individuals or entities with information regarding their vaccination status.
Further, the guidance reminds employers that documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel file under the Americans with Disabilities Act (ADA).
Next Steps for Employers
Employers are encouraged to review the guidance in its entirety as it also addresses some industry specific questions. Employers should also remain mindful of other federal or state laws that address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination.