Most Americans have heard of HIPAA – the federal Health Insurance Portability and Accountability Act – which is designed to protect patients’ right to have their health information kept private, among other things. But you may not know who it applies to and what it forbids or allows, especially in regard to vaccination against COVID-19.

Sometimes it can be confusing to know when HIPAA applies and when it doesn’t. This blog will help break down if and when HIPAA affects your privacy related to vaccination.

Hot topic

Requests for vaccine status have begun to take place all over our nation. Examples include employers, venues such as museums and theaters, and individuals looking to hire service providers. This is a highly contentious topic in America right now, with some states forbidding “vaccine passports” and other states encouraging them. For this blog, I’m only looking at what HIPAA allows and forbids. Resolving any potential conflicts between HIPAA and state law is way beyond my pay grade!

A key thing to remember about HIPAA

HIPAA applies to healthcare providers such as doctors, hospitals and healthcare workers. It does NOT apply to employers or employee records. That fact can become confusing if your employer is a healthcare provider. Thinking in terms of “employee records” versus “health records” is helpful in figuring out where HIPAA applies and where it doesn’t.

So, under HIPAA, can a concert venue or my employer ask for my vaccine status?

The short answer is yes. HIPAA does NOT prohibit a business or individual from asking, “Are you vaccinated?” Here’s why:

  1. HIPAA only governs certain healthcare entities, so it wouldn’t apply to a venue or restaurant at all.
  2. HIPAA limits what information healthcare providers can RELEASE about you. It does not limit what information businesses or individuals can REQUEST about you.

So, as far as HIPAA is concerned, a movie theater or restaurant can ask you if you’ve been vaccinated. Your employer can ask you if you’ve been vaccinated. But if they ask your doctor if you’ve been vaccinated, she usually can’t tell them.

Remember, we’re only talking about HIPAA here. State law may impose different limits.

Digging into the nitty gritty details

The federal Department of Health and Human Services (HHS) recently published some guidance around how HIPAA governs (or doesn’t govern in many cases) when the “are you vaccinated?” question can be asked.

HIPAA does NOT prevent an employer from requiring an employee to disclose their vaccination status to customers or clients. For example, HIPAA would allow your employer to require you to wear a sticker on your ID badge that says whether you’ve been vaccinated or not.

HIPAA DOES prevent a health care provider from disclosing vaccination status to a patient’s employer without the patient’s consent. For example, if your boss secretly asks your doctor if you’ve been vaccinated, your doctor can’t tell him. However, there are a few exceptions. In the words of HHS:

  • “A covered hospital is permitted to disclose PHI (Protected Health Information) relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, and all of the following conditions are met:
    • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
    • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
    • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, worker side effects from vaccination constitute a “recordable illness,” and thus, employers are responsible for recording such side effects in certain circumstances).
    • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer. (This can be accomplished by providing the individual with a copy of the notice at the time the health care is provided, or by posting the notice in a prominent place at the location where the health care is provided if the health care is being provided on the work site of the employer.)”

Some good examples can be found on the HHS website.

In addition, HHS states:

“The Privacy Rule does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.”

I hope this brings a little more clarity to an often confusing and contentious question. Get more details at HIPAA and COVID-19 | HHS.gov

Tricia Vaughn, Director, St. Mary’s Health Information Services & St. Mary’s Privacy Officer