In the United States, HIPAA compliance rules restrict uses and disclosures of healthcare data, but there has been considerable confusion about HIPAA and COVID-19 vaccination status disclosures amongst the public, and even members of Congress.
The U.S. Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA, has now released guidance on HIPAA and COVID-19 vaccination status disclosures to help clear up confusion about when HIPAA applies and which disclosures are restricted by the HIPAA Privacy Rule.
Much of the confusion about HIPAA and COVID-19 vaccination status information is due to the fact that an individual’s vaccination status is classed as protected health information (PHI) under HIPAA and is therefore covered by the HIPAA Privacy Rule. The HIPAA Privacy Rule restricts uses and disclosures of PHI to those related to treatment, payment, or healthcare operations, unless prior authorization is given by a patient.
While vaccination status information is PHI when collected, used, or disclosed by a HIPAA-regulated entity, it is not classed as PHI – and is therefore not subject to HIPAA protections – if collected, used, or disclosed by a non-HIPAA-regulated entity.
OCR confirmed in the guidance that HIPAA only applies to HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) that conduct standard electronic transactions, along with certain business associates of those entities – i.e., those that are provided with PHI in order to provide services or products to HIPAA-covered entities.
So, the answer to the question, “Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?” is no. That is because the HIPAA Privacy Rule does not apply to businesses or individuals that are not HIPAA-covered entities or business associates of HIPAA-covered entities. Even for entities that are covered by the HIPAA Privacy Rule, OCR says the Privacy Rule “does not regulate the ability of covered entities and business associates to request information from patients or visitors.”
Another commonly asked question is “Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?” Again, the answer is no. The HIPAA Privacy Rule does not prevent any individual from disclosing if they have been vaccinated against COVID-19 or any other disease.
The introduction of vaccine mandates by employers has been criticized by some employees, a percentage of whom have incorrectly claimed that requiring disclosure of vaccination status is a HIPAA violation. The answer to the question, “Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?” is no. Again, HIPAA only applies to certain entities, and even where HIPAA does apply, OCR made it clear that HIPAA does not cover employers or employment records, even when those records are maintained by a HIPAA-covered entity.
Concern has been raised about whether a doctor’s office is permitted to disclose COVID-19 vaccination status information to an individual’s employer. In this case, HIPAA does apply and, generally, this disclosure is not permitted. “The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine; the individual’s medical history or demographic information) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule,” explained OCR in the guidance.
The OCR guidance on HIPAA and COVID-19 vaccination status disclosures can be found at this link.