HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status.
Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of their terms and conditions of employment. The guidance notes, however, that other federal and/or state laws besides HIPAA may regulate such information requests.
Other scenarios addressed in the guidance are whether (i) HIPAA prohibits a doctor’s office from disclosing an individual’s COVID-19 vaccination status to the individual’s employer (in that capacity) without the individual’s authorization, and (ii) a doctor’s office is permitted to disclose HIPAA “protected health information” related to an individual’s COVID-19 vaccination to his or her health plan in order to obtain payment for administration of the vaccination.
The guidance is available here.