The Department of Health and Human Services (“HHS”) issued guidance in the form of questions and answers addressing how the HIPAA Privacy Rule applies in regard to COVID-19 vaccinations. The guidance makes clear that HIPAA’s privacy rules are not an obstacle to an employer that would like to establish a vaccination requirement for its employees and customers.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal law that establishes national standards to protect sensitive patient health information, commonly referred to as “protected health information” or “PHI,” from being disclosed without the patient’s consent or knowledge. HIPAA has three main components:
Many employers questioned whether the HIPAA Privacy Rule would limit the ability of an employer to have a mandatory COVID-19 vaccination policy with respect to its employees. The guidance makes clear that HIPAA’s Privacy Rule does not prevent an employer from putting forth such a policy.
The guidance restates an established HIPAA principle – that the Privacy Rule only applies to covered entities, including health plans, certain healthcare providers, healthcare clearinghouses and their business associates. While self-funded health plans generally operate through sponsoring employers, the guidance reiterates that the Privacy Rule does not apply to employers acting in their capacity as employers or employment records.
The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates (which are functioning at such time in their role as an employer), from asking whether an individual has received a particular vaccine, including the COVID-19 vaccines.
HHS also explained that because HIPAA regulates the use and disclosure of PHI and not the ability to request information, the HIPAA Privacy Rule does not prohibit a covered entity from receiving COVID-19 vaccination information. However, after receipt of such information, an employer would likely have a duty to safeguard that information and keep it confidential.
The guidance also provides that an employer may require employees to disclose whether they have received a COVID-19 vaccine to the employer, clients or other parties. HHS observed that federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions, other equal employment opportunity considerations and conflicting state laws, as applicable. As stated before, once this information is collected, however, it must be kept confidential and stored separately from an employee’s personnel file.
The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from HHS make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Finally, HHS provided that the HIPAA Privacy Rule generally does prohibit health care providers from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer without consent from the individual, unless an exception applies. Exceptions could include disclosures made for treatment, payment or other health care operations.
Our Advisors offer in-depth analysis and are ready to help you successfully navigate employee benefits and health insurance.