Employees and employers frequently believe HIPAA comes into play when asking about an individual’s vaccination status. It almost always does not, according to Carly O. Machasic, JD, attorney with Clark Hill in Detroit.

Although some states are considering legislation designating vaccination status as a separate protected class, private employers generally are free to ask employees about their vaccination status without running afoul of HIPAA or federal employment laws. HHS guidance released earlier this year points out the HIPAA Privacy Rule regulates “how” and “when” certain entities covered by HIPAA are permitted to “use and disclose” an employee’s health information, not whether they can “request” it. The HHS guidance was intended “to help consumers, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status” and related issues.

A recurring theme throughout the pandemic is the surplus of misinformation, and the relationship between HIPAA and one’s COVID-19 vaccination status is no exception, says Stuart F. Miller, JD, shareholder with Munsch Hardt in Houston. As employers and places of business have begun asking employees and customers about their vaccination status, many claim HIPAA protects their personal vaccination information, arguing they are not required to disclose their vaccination status. Others claim the employees would be violating HIPAA by disclosing their vaccination history.

Miller believes the HHS guidance proves these claims are false. The HIPAA Privacy Rule applies to covered entities, such as healthcare providers, and (to a certain extent) their business associates. The rule does not address whether covered entities can ask for this information; it regulates how that information is shared and stored.

“Generally, the privacy rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce. However, other federal or state laws do address terms and conditions of employment,” HHS explained in its guidance. “For example, federal antidiscrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations. Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act.”

According to the HHS guidance, HIPAA does not prohibit a covered entity or business associate from requiring or requesting each employee to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered healthcare provider to disclose the employee’s COVID-19 vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

The privacy rule forbids covered entities from disclosing anyone’s protected health information (PHI), which includes vaccination status, without that person’s authorization. As HHS defines it, disclosing PHI “is limited to information that is reasonably necessary to accomplish the stated purpose of the disclosure.” The agency offers some examples of permitted PHI disclosures that are relevant to this issue:

  • A covered physician is permitted to disclose PHI regarding a vaccination to an individual’s health plan to obtain payment for the administration of a COVID-19 vaccine.
  • A covered pharmacy is permitted to disclose PHI relating to an individual’s vaccination status to a public health authority.
  • A health plan is permitted to disclose an individual’s vaccination status when required to do so by law.
  • A covered nurse practitioner is permitted to provide PHI relating to an individual’s COVID-19 vaccination status to the individual.

“A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness,” HHS explained in its guidance. However, according to the agency, these conditions have to be met:

  • The covered hospital is providing the service to the individual at the request of his or her employer or as a member of the employer’s workforce.
  • The disclosed PHI consists of findings concerning work-related illness or workplace-related medical surveillance.
  • The employer needs the findings to comply with the Occupational Safety and Health Administration or state laws with a similar purpose.
  • The covered healthcare provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.