The truth about HIPAA privacy laws and vaccine inquiries


HIPAA privacy rules do not prevent employers and businesses from asking employees and visitors about their COVID-19 vaccination status, the government recently reiterated.

In guidance issued Sept. 30, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) explained that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule does not apply in most instances in which individuals are asked whether they have received a COVID-19 vaccine or to provide evidence of vaccination. The OCR also reminds organizations that if HIPAA does apply, it regulates the use and disclosure of protected health information, and not an organization's ability to request information from its employees.

The guidance poses some common questions, to which all answers are negative:

This guidance is a reminder that the HIPAA Privacy Rule only regulates the use of protected health information by “covered entities” and their business associates; only health care providers, health care clearinghouses and health plans qualify as covered entities. Those entities cannot provide vaccination information to third parties who are not covered entities without an appropriate HIPAA authorization, or as otherwise permitted under HIPAA.

However, employers or businesses interacting with their customers or visitors are not covered entities and are not restricted by the HIPAA Privacy Rule.

The guidance clarifies that even covered entities, such as hospitals, can request COVID-19 information from their workforce members when acting in their capacities as employers. Covered entities can require their workforce members to provide proof of vaccination, sign a HIPAA authorization about vaccination status, wear a mask or reply to inquiries from patients about vaccination status.

The guidance notes that the Americans With Disabilities Act (ADA) does require employers to keep documentation or other confirmation of vaccination confidential and stored separately from the employee’s personnel files. The relief from HIPAA privacy restrictions for employers does not extend to ADA compliance.

Moreover, group health plans sponsored by employers are often HIPAA-covered entities, which means that COVID-19 vaccination information that employers receive through a group health plan constitutes protected health information subject to HIPAA rules. However, notably, information an employer learns from sources other than the group health plan, such as the methods discussed above, is not protected by HIPAA.

Kathy Conklin, member at McGlinchey, advises employers nationwide on employment law compliance and employee benefits matters. Charles Stoecker, associate at McGlinchey, represents employers in a range of employment matters, including cases brought under the Americans with Disabilities Act. 
