Many employers and employees alike believe that the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) protects an employee’s vaccination information. It does not. The Privacy Rule does not apply to employee medical information held in the employment context, as the U.S. Department of Health and Human Services (HHS) recently explained in its guidance “HIPAA, COVID-19 Vaccination, and the Workplace.” Other laws, however, do protect the confidentiality of employee medical information.
HHS confirms that HIPAA’s Privacy Rule controls only the use and disclosure of an individual’s Protected Health Information (PHI) by HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates. The Privacy Rule does NOT apply to an individual’s own disclosure of their health information, including vaccination status. And it does NOT apply to employment records, even when the employer happens to be a covered entity, because records the employer holds in its role as employer are not PHI. As HHS states, “[T]he Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.”
As HHS notes, other federal and state laws govern the employment relationship. HHS gives the pointed example that federal antidiscrimination laws do not prevent an employer from requiring all employees to be vaccinated and to provide proof of vaccination, subject to reasonable accommodation and equal employment opportunity considerations (as the EEOC asserts in its COVID-19 guidance). HHS also reiterates that confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel file, in accordance with the Americans with Disabilities Act (ADA), which governs the use and handling of employee medical information.
HIPAA’s Privacy Rule does permit health plans, providers, and business associates to disclose PHI (such as vaccination status) directly to an employer if the employee signs a valid HIPAA authorization. It also specifically permits a health care provider that has a relationship with the employer to disclose PHI about an individual’s vaccination status to the employer without the employee’s authorization for two specific purposes: (1) so the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce), or (2) to evaluate whether the individual has a work-related illness. HHS states, however, that all of the following conditions must be met:
- The health care provider is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
- The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
- The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, worker side effects from vaccination constitute a “recordable illness,” and employers are therefore responsible for recording such side effects in certain circumstances).
- The health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer. (This can be accomplished by providing the individual with a copy of the notice at the time the health care is provided, or by posting the notice in a prominent place at the location where the health care is provided if the health care is being provided on the work site of the employer.)
Bottom line – HIPAA does not apply to an employer’s requirement that employees disclose their vaccination status and provide proof of vaccination. The employer can require employees to be vaccinated and to submit proof of vaccination, absent a legally required reasonable accommodation for medical or religious reasons. The employer, however, must treat the vaccination information and proof as confidential medical information, and any documentation must be retained in a separate confidential medical file, not in the employee’s personnel file.