HIPAA and Vaccine Mandates

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through its Privacy and Security Rules, governs the permitted and required uses and disclosures of Protected Health Information (PHI) by Covered Entities (CE) and their Business Associates (BA).

A CE includes a medical plan (Plan); a Plan is a legal entity that permits the Plan Sponsor (i.e., Employer) access to PHI to perform services on behalf of the Plan (outlined in a plan document). Practically, an employer sponsors a Plan for the benefit of plan participants (i.e., employees).

HHS provided recent guidance regarding the interaction of HIPAA, the workplace, and COVID-19 vaccinations. Let’s run down the highlights.

The Privacy Rule prohibits CEs and their BAs from using or disclosing a person’s PHI (i.e., vaccine status) except with that person’s authorization or as otherwise expressly permitted or required by the Rule.

The Privacy Rule:

  • does not prohibit any person, including HIPAA CEs and BAs, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.
  • does not prevent any person from disclosing whether another person has been vaccinated against COVID-19 or any other disease. Remember: the Rule applies to HIPAA CEs and, to an extent, their BAs, not to any individual respecting their choice to disclose information.
  • does not apply to employment records, including those held by CEs or BAs in their capacity as employers.

This means that HIPAA doesn’t prevent a CE or BA from requiring or requesting each workforce member to provide vaccination documentation to their current or prospective employer; to wear a mask while in the employer facility or property, or in the normal course of performing duties at another location; or to disclose whether they have received the COVID-19 vaccination in response to inquiries from current or prospective patients.

The HHS guidance provides several examples of how HIPAA does and does not apply in particular instances.

Don’t forget! HIPAA governs PHI use and disclosure by CEs and their BAs. Other federal and state laws address vaccinations in employment settings. Seek counsel and verify facts of the request, and which laws apply, before pursuing a course of action.

To learn more about HIPAA’s Privacy and Security Rules, check out The Dashboard’s Geek Out! Pages.
