OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures
The Department of Health and Human Services’ Office for Civil Rights has issued guidance to educate the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and requests from individuals about whether a person has been vaccinated against COVID-19.
In the guidance, OCR confirmed that HIPAA only applies to HIPAA-regulated entities. HIPAA regulated entities are healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and business associates of those entities that require access to or encounter protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records. That includes information collected or stored by HIPAA-regulated entities in their capacity as an employer.
OCR explained how HIPAA applies to COVID-19 vaccination information in certain situations through a website Q&A and states:
- The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Individuals who work at a HIPAA covered entity or business associate are not prohibited from asking if an individual has received a vaccine.
- The HIPAA Privacy Rule does not prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine.
- The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.
- The HIPAA Privacy Rule does not prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine.
OCR has confirmed that, generally, the HIPAA Privacy Rule prohibits a doctor’s office from disclosing an individual’s PHI, including COVID-19 vaccination information, to the individual’s employer or other parties. Such disclosures are possible if consistent with other laws and applicable ethical standards, such as a disclosure to a health plan to obtain payment for administering the vaccine and disclosures of such information to public health authorities.
OCR explained that there are circumstances when a HIPAA-covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer.
This is only possible to allow the employer, “to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness.” In such cases, disclosures are only permitted if all the following conditions are met:
- The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
- The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
- The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose.
- The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.
“We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” said OCR Director Lisa Pino.