HIPAA and COVID-19 – OCR Publishes Online Guidance on the Application of HIPAA

October 18, 2021

The Office of Civil Rights (“OCR”), which is the federal agency that enforces the health care privacy rules under the Health Insurance Portability and Accountability Act (“HIPAA”), recently published guidance covering various health care privacy issues relating to COVID-19.  The guidance addresses a variety of HIPAA issues, including whether a business or individual is prohibited from asking customers, clients, and employees about their vaccination status.  The OCR attempts to clarify some of the misconceptions members of the public have about the application of HIPAA rules to a variety of issues that have come front and center as a result of disinformation circulating about COVID-19.  Hopefully, through this type of guidance, some of the common misconceptions about the application (or non-applicability) of HIPAA can be clarified and finally put to rest.

Some of the coverage of the OCR guidance on “HIPAA, COVID-19 Vaccination, and the Workplace” is summarized here.  You can view the guidance online at the above link.

Keep in mind the guidance only addresses the application of HIPAA to some of these common COVID-19 issues.  It does not address any other potential legal or practical issues that might apply.  It also does not cover the application of state health information privacy laws to these issues.  In some instances state law might apply in addition to HIPAA.

1.  Can a business ask a customer about their vaccination status?

The OCR rather clearly answers this question that we see coming up over and over again.  The HIPAA regulations do not prohibit a business from asking its customers about their vaccination status.  Period.  Hard stop.  There is nothing in HIPAA that prohibits a business from requiring its customers or employees to prove that they have received a COVID-19 vaccination.  By now we have all probably heard claims that HIPAA prohibits others from asking about vaccination status.  Confusion about the application of HIPAA can be quite understandable.  Application of HIPAA can be complicated, particularly to someone who does not work in healthcare and has not received training on HIPAA issues.  The OCR guidance should clear up this confusion.

According to the OCR guidance, there are a couple of reasons why HIPAA does not prohibit businesses from asking customers about their vaccination status.  First, the HIPAA privacy rules only apply to what is defined in the HIPAA regulations as “covered entities.”  If a person or business is not a “covered entity,” HIPAA’s privacy restrictions do not apply to them at all.  Covered entities are defined in HIPAA to include only health care providers, health plans, and health care clearinghouses.  A general commercial business is not a covered entity, and HIPAA simply does not apply to it at all.

Even if a business is a “covered entity” (for example, if the business is a health care provider), the HIPAA privacy rules do not prohibit the covered entity from requesting information about vaccination status (or any other information for that matter) from its customers, patients, or visitors.  That is simply not what HIPAA does.  What HIPAA does regulate is how a covered entity handles personally identifiable health information that it receives.  For example, HIPAA regulates whether and under what circumstances a health care provider can disclose protected health information once it receives that information.  A health care provider that obtains vaccination status information from its patients has an obligation to protect that information from further disclosure; but even that obligation is not absolute and is subject to a variety of exceptions.  Some of these exceptions require a written release from the patient but other exceptions do not.  For example, a health care provider can normally disclose protected health information (including vaccination status) to other health care providers for purposes of treatment of the patient even without the patient’s written consent.

The bottom line is that HIPAA does not prohibit any business, regardless of whether that business is a covered entity, from asking a person about his/her vaccination status.  However, if the requesting business is a “covered entity” HIPAA may regulate what the recipient of the information can do with the protected health information it receives.  If the business is not a covered entity, HIPAA does not apply at all and even the subsequent release of the information does not violate HIPAA, but be wary of other legal implications beyond HIPAA such as confidentiality agreements and the laws of your state.

The recent OCR guidance illustrates other examples of situations in which HIPAA does not apply to requests for information about vaccination status.  According to the OCR guidance, HIPAA does not apply to the following:

  • Requests for information about vaccination status by a school, employer, store, restaurant, entertainment venue, or other individual.
  • Requests to another individual or their doctor about whether the individual is vaccinated (although the doctor may not be able to answer due to HIPAA restrictions).
  • Requests by a customer to a business, including a health care provider, regarding the vaccination status of the business’s staff or employees, or whether the business requires its customers to be vaccinated or abide by other COVID-19 precautions such as masking requirements.

It is important to note that this analysis and the OCR guidance do not address whether the individual who is asked about their vaccination status is required to disclose the requested information.  The OCR states that “other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.”

2.  Disclosure of your own vaccination status.

The OCR guidance clarifies that nothing in HIPAA prohibits or restricts an individual from disclosing their own vaccination status.  HIPAA simply does not apply in this manner.  This issue might arise when a business asks a customer about their vaccination status and the customer cites HIPAA as a reason why the individual cannot answer.  This is a red herring.  HIPAA does not govern what information a patient may disclose about their own health status.

3.  Disclosure of vaccine status by the business that receives the information.

Unless the recipient is a “covered entity,” HIPAA does not require a business to keep the information it receives from its customers confidential.  Again, HIPAA only applies to “covered entities.”

Unless the business is a health care provider, a health plan, a health care clearinghouse, or, in some cases, a “business associate” of a covered entity, there is no obligation under HIPAA for the recipient to protect the information it receives from disclosure.  In other words, once that business receives an answer from an individual about their vaccination status, it has no obligation to protect that information and can pass that information on to anyone it wants.  State laws and federal laws other than HIPAA could apply depending on the nature of the information that is received, but HIPAA does not apply.

The way that an individual can protect information about their vaccination status is to not give that information to the business to start with.  That business would be within its rights to deny you access, but your information would not be subject to redisclosure.

4.  Employer-required disclosure of vaccination status.

Other laws could potentially apply, but HIPAA does not restrict an employer from asking its employees about their vaccination status or from requiring the employee to be vaccinated or comply with other transmission precautions as a condition of employment.  A request for information by an employer does not involve HIPAA at all.  That being said, the OCR guidance points out that other state and/or federal laws may apply to employer requests and other terms and conditions of employment.  According to the OCR, federal antidiscrimination laws do not prevent an employer from requiring or asking its employees for supporting documentation.  Other laws may apply to require reasonable accommodations in cases where a disability might impact the ability of the employee to comply.  Additionally, federal law requires documentation of an employee’s vaccination status to be kept confidential and stored separately from the employee’s personnel file.

HIPAA does not, according to the OCR, apply to employment records, including the employment records of covered entities.  This means the HIPAA privacy rule does not regulate what information an employer can request from its employees.

The OCR gives additional examples of what an employer is not restricted under HIPAA from requiring of its workforce, including:

  • Documentation of COVID-19 or flu vaccination.
  • A signed authorization requiring the employee to disclose the employee’s vaccination status.
  • Requiring adherence to precautions such as masking requirements.
  • Requiring employees to disclose their vaccination status in response to queries from customers or patients.

5.  Disclosure of vaccination status by your doctor.

Disclosure of COVID-19 information by your doctor is one area that is regulated by HIPAA.  HIPAA applies to covered entities, which include an individual’s doctor.  A doctor is prohibited under most common circumstances from using or disclosing a patient’s health information, including information about whether the patient has been vaccinated.  This prohibition is subject to HIPAA exceptions.  For example, a doctor can normally release this information to another treating health care provider for purposes of treatment.  This information can also be disclosed with the patient’s written consent and release.

The OCR guidance contains much needed guidance about the application of the complex set of HIPAA regulations to the many questions that arise in connection with COVID-19 vaccinations.  For more detail, consult the full OCR Guidance which includes a variety of additional examples as well as footnotes supporting the OCR’s guidance and conclusions.

© 2022 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.