When use or disclosure of an individual’s health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.

Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the “HIPAA rules”), issued this guidance. We have summarized some of the key points below.

Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The OCR’s answer is clear – No.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.

The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.

Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

This is a popular question these days. The OCR’s answer, “No.”

OCR reminds readers that the HIPAA rules do not apply to employment records:

including employment records held by covered entities or business associates in their capacity as employers.

The OCR also observed that:

federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

But, again, once collected, vaccination information must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). And, group health plans sponsored by employers are, in most cases, HIPAA covered entities. This means that COVID-19 vaccination information maintained in connection with those plans, such as claims information, would be PHI subject to the HIPAA rules.

Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Another popular question and, again, the OCR’s answer is no.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Do the HIPAA rules prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Here, the answer is generally, yes. The doctor’s office is a HIPAA covered entity and the HIPAA rules prohibit covered entities from using or disclosing an individual’s (patient’s) PHI except with the individual’s authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor’s office will need a written authorization in order to disclosure the records.

Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.

The OCR provides some additional examples:

  • A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, provided all of the following conditions are met:
    • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
    • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
    • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose
    • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations – screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules – the HIPAA rules – apply to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.