On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released guidance clarifying how HIPAA applies to disclosures and requests for information regarding an individual’s COVID-19 vaccination status.
The guidance reminds the public that HIPAA privacy provisions apply only to covered entities (e.g., health plans, certain health care providers, and health care clearinghouses) and business associates. These provisions determine when covered entities and business associates are permitted to use and disclose protected health information (PHI) that covered entities and business associates create, receive, maintain, or transmit.
As such, HIPAA does not prohibit employers from asking whether employees have received a COVID-19 vaccine. In addition, HIPAA does not prevent individuals from disclosing whether they have received a COVID-19 vaccine, as HIPAA does not apply to individuals’ disclosures about their own health information. The guidance further provides that HIPAA does not prohibit an employer from requiring employees to disclose COVID-19 vaccination status as HIPAA generally does not regulate what information can be requested from employees per terms of employment. Importantly, though, other federal and state laws may require certain privacy compliance measures (e.g., requiring documentation be kept confidential).
Finally, HIPAA generally prohibits covered entities and business associates from using or disclosing an individual’s PHI, except when an individual authorizes such disclosure (or otherwise permitted by HIPAA), which can include information about whether the individual has received a COVID-19 vaccine.
This guidance serves as a reminder to employers regarding the applicability of HIPAA to certain disclosures related to COVID-19 vaccination status. Employers should be mindful that although HIPAA rules often do not apply to certain disclosures, other federal and state laws may be applicable.
Press Release »