Office for Civil Rights releases guidance to help public understand when Privacy Rule applies
The Health Insurance Portability and Accountability Act does not prohibit any businesses and individuals, including HIPAA-covered entities such as certain health care providers, from asking if someone is vaccinated against COVID-19, according to the U.S. Department of Health and Human Services' Office for Civil Rights.
The Office for Civil Rights issued guidance Sept. 30 to help the public understand when the HIPAA Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.
The Privacy Rule only applies to HIPAA-covered entities, including health plans, health care clearinghouses and health care providers that conduct standard electronic transactions, and in some cases, their business associates. It regulates how and when they are permitted to use and disclose protected health information, including vaccination status, but not their ability to request that information from patients and visitors.
The Privacy Rule does not apply to employers and employment records, including records held by covered entities in their capacity as employers, and it does not prohibit an employer from requiring employees to disclose whether they are vaccinated against COVID-19, provide documentation of their vaccination and sign a HIPAA authorization for a health care provider to disclose their vaccination record to the employer.
However, the guidance points out that other federal and state laws, such as federal anti-discrimination laws, do address terms and conditions of employment. These may require that employee vaccination information be kept confidential but "do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations," according to the guidance.
In general, HIPAA does not permit health care providers to disclose a patient's vaccination status to employers or other parties except with the individual's authorization or as otherwise permitted or required by the Privacy Rule.
"We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," Office for Civil Rights Director Lisa Pino said in a news release.