October 12, 2021

Vaccination Information and HIPAA in the Workplace

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been a source of workplace confusion since it was signed into law by President Bill Clinton on August 21, 1996.[i] Two of the most frequently asked questions are what HIPAA actually is and how it applies in a workplace setting.

HIPAA is a federal law that protects a patient’s sensitive health information from being disclosed without the patient’s consent or knowledge. The U.S. Department of Health and Human Services (HHS) created the HIPAA Privacy Rule to implement the specific protection requirements of HIPAA. These privacy requirements govern the use and disclosure of an individual’s health information by those entities subject to HIPAA rules.

One of the major goals of the HIPAA Privacy Rule is to ensure individual health information is protected while allowing necessary information to be disclosed in an effort to promote quality health care for the individual and at the same time protect the health and well-being of all citizens. The confusion – from a workplace perspective – stems from a general misunderstanding of the types of individuals and organizations subject to the HIPAA Privacy Rule.

Who is considered a “covered entity” under the HIPAA Privacy Rule?
The following are the types of individuals and organizations considered to be a “covered entity” under the HIPAA Privacy Rule:

  • Healthcare Providers: This includes any healthcare provider who electronically submits health information in connection with certain transactions (e.g., claims, benefit eligibility inquiries, referral authorizations).
  • Healthcare Clearinghouses: These are entities that process nonstandard information received from third parties into standard format or data content, or vice versa.
  • Health Plans: These are entities that provide or pay the cost of medical care. This can include employer-sponsored group health plans but does not include group plans with fewer than 50 participants administered and maintained solely by the employer.
  • Business Associates: These include a person or organization (not a member of a covered entity’s workforce) who uses or discloses individually identifiable health information in order to perform or provide functions, activities, or services for a covered entity (e.g., claims processing, data analysis, utilization review and billing). Strictly speaking, a business associate is not itself a covered entity, but it is directly bound by the HIPAA rules through its business associate agreement with the covered entity.

If your workplace does not fall into one of the above categories, the HIPAA Privacy Rule requirements do not apply.

Other Applicable Privacy Regulations
While a specific workplace may not qualify as a “covered entity” for the purposes of HIPAA Privacy Rule requirements, other federal, state or local privacy laws may apply. For example, California’s labor laws require an employer to maintain the confidentiality of employee medical documents and information (e.g., records relating to workers’ compensation claims, health insurance claims, and disability or medical leaves).

HIPAA, COVID-19 and Vaccination Information
The onset of COVID-19, coupled with a subsequent rise in employer-mandated vaccination requirements, has brought the issue of medical privacy and the existing confusion associated with HIPAA Privacy Rule requirements to the forefront of nearly every workplace in America. So much so, that HHS recently updated its HIPAA COVID-19 guidance to provide additional clarification.[ii] A few key points are outlined below.

Inquiries About Vaccination Status
Nothing prevents a covered or exempt entity from asking whether a customer, client, or employee has received a COVID-19 vaccination. As discussed here, a business may lawfully require workers to be vaccinated as a condition of coming into the workplace. Naturally, this allows an employer to ask its employees about their vaccination status. Since HIPAA applies only to covered entities, and does not regulate what a covered entity may request from patients or visitors (only how the protected health information it holds is used and disclosed), even a covered entity may ask about an individual’s vaccination status.

Specifically, the HIPAA guidance notes that the HIPAA Privacy Rule does not apply when an individual: 1) is asked about vaccination status by an employer or another individual; 2) asks another individual about their vaccination status; or 3) asks a company whether its workforce is vaccinated.

Because HHS does not have the statutory authority to regulate employers,[iii] the HIPAA Privacy Rule does not apply to employment records, nor does it regulate what protected health information an employer can request. Again, while HIPAA may not apply, other state or local laws may limit what information an employer can request and dictate how that information must be maintained once collected.

Inquiry Limits
There are HIPAA Privacy Rule limits that affect the exchange of vaccination-related information between an employee’s healthcare provider and the employer. As a rule, a doctor’s office or other covered entity is prohibited from disclosing an individual’s protected health information directly to an employer, and this prohibition includes disclosure of an individual’s vaccination status. A covered entity may disclose an individual’s vaccination status to an employer only under the following conditions:

  • With a HIPAA-compliant authorization signed by the employee (the employer may ask the employee to obtain and present such an authorization); or
  • For workplace medical surveillance or the evaluation of a work-related illness or injury, if the specific requirements of the Privacy Rule are met (in general, the provider performs the service at the employer’s request, the employer needs the findings to comply with occupational safety laws, and the individual receives written notice that the findings will be disclosed to the employer).

Members with questions about privacy protection or managing employee records should contact Western Growers.


[i] Information provided by the U.S. Centers for Disease Control and Prevention.

[ii] HHS released its updated guidance information on September 30, 2021.

[iii] 45 CFR 160.103; 65 FR 82426, 82592 (December 28, 2000); 67 FR 53182, 53192 (August 14, 2002).