What You Should Know
- The U.S. Department of Health & Human Services (HHS) has clarified that asking about an individual’s vaccination status is not a violation of HIPAA.
- The HIPAA Privacy Rule prohibits unauthorized disclosure of personal health information, but does not prohibit inquiries about such information.
It should be noted that other state or federal laws may impact whether individuals are required to disclose their vaccination status under certain circumstances.Since the arrival of the COVID-19 vaccines earlier this year, we have often fielded questions from business owners as to whether asking customers, clients, and employees about their vaccination status is in violation of health-related privacy regulations – specifically the Health Insurance Portability and Accountability Act, commonly known by the acronym HIPAA.
On September 30, 2021, the U.S. Department of Health & Human Services (HHS) clarified any misconceptions about the applicability of HIPAA to COVID-19 vaccination information. HHS announced that the HIPAA Privacy Rule does not prohibit any person, individual or entity, including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
HHS states that the HIPAA Privacy Rule does not apply when an individual:
- Is asked about his/her vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual
- Asks another individual, his/her doctor, or a service provider whether he/she is vaccinated
- Asks a company, such as a home health agency, whether its workforce members are vaccinated
In short, the HIPAA Privacy Rule prohibits unauthorized disclosure of personal health information (PHI), but it does not prohibit asking about PHI. Generally, the HIPAA Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment an employer imposes on its workforce. The HHS further explains that the “Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors.”
Rather, the HIPAA Privacy Rule “regulates how and when covered entities and business associates are permitted to use and disclose PHI (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.”
Thus, the Privacy Rule does not “prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including a COVID-19 vaccine, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.”
It is important to note that other state or federal laws may apply and address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.
HHS’ decision to publish this clarification is an indication that there remains much controversy and confusion over privacy issues as they pertain to the COVID-19 vaccine mandate. HHS’ clarification provides helpful guidance as both individuals and the business community continue to grapple with the practical effect of vaccination mandates as balanced against an individual’s privacy rights in the workplace and elsewhere.
Please contact the authors of this Alert, James A. Robertson and Ghatul Abdul, for additional information or to discuss your specific circumstances. Mr. Robertson is chair of the Healthcare Department, of which Ms. Abdul is a member.