HIPAA privacy rules do not prevent employers and businesses from asking employees and visitors about their COVID-19 vaccination status, the government recently reiterated.
In guidance issued on September 30, 2021, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) again explained that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule does not apply in most instances in which individuals are asked whether they have received a COVID-19 vaccine or to provide evidence of vaccination. The OCR also reminded organizations that, where HIPAA does apply, it regulates the use and disclosure of protected health information, not an organization’s ability to request information from its employees.
The guidance poses a number of common questions, all of which are answered in the negative:
- “Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?” “No.”
- “Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?” “No.”
- “Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?” “No.”
The guidance reminds everyone that the HIPAA Privacy Rule regulates the use of protected health information only by “covered entities” and their business associates, and that only health care providers, health care clearinghouses, and health plans are “covered entities.” Those entities cannot provide vaccination information to third parties who are not covered entities without an appropriate HIPAA authorization or as otherwise permitted under HIPAA. However, employers or businesses interacting with their customers or visitors are not covered entities and are not restricted by the HIPAA Privacy Rule.
The guidance clarifies that even covered entities can request COVID-19 information from their workforce members when the covered entities, such as hospitals, are acting in their capacities as employers. Covered entities can require their workforce members to provide proof of vaccination, sign a HIPAA authorization about vaccination status, wear a mask, or reply to inquiries from patients about vaccination status.
The guidance notes that the Americans With Disabilities Act (ADA) does require employers to keep documentation or other confirmation of vaccination confidential and stored separately from the employee’s personnel files. The relief from HIPAA privacy restrictions for employers does not extend to ADA compliance. Moreover, group health plans sponsored by employers are often HIPAA-covered entities, which means that COVID-19 vaccination information that employers receive through a group health plan constitutes protected health information subject to HIPAA rules. However, notably, information an employer learns from sources other than the group health plan (such as the methods discussed above) is not protected by HIPAA.