HHS Clarifies That Inquiries About COVID-19 Vaccination Status Are Not a Violation of Privacy Rights Under HIPAA

James Robertson
Greenbaum, Rowe, Smith & Davis LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Since the arrival of the COVID-19 vaccines earlier this year, we have often fielded questions from business owners as to whether asking customers, clients, and employees about their vaccination status is in violation of health-related privacy regulations – specifically the Health Insurance Portability and Accountability Act, commonly known by the acronym HIPAA.

On September 30, 2021, the U.S. Department of Health & Human Services (HHS) clarified any misconceptions about the applicability of HIPAA to COVID-19 vaccination information. HHS announced that the HIPAA Privacy Rule does not prohibit any person, individual or entity, including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

HHS states that the HIPAA Privacy Rule does not apply when an individual:

  • Is asked about his/her vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual
  • Asks another individual, his/her doctor, or a service provider whether he/she is vaccinated
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated

In short, the HIPAA Privacy Rule prohibits unauthorized disclosure of personal health information (PHI), but it does not prohibit asking about PHI. Generally, the HIPAA Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment an employer imposes on its workforce. The HHS further explains that the “Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors.”

Rather, the HIPAA Privacy Rule “regulates how and when covered entities and business associates are permitted to use and disclose PHI (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.”

Thus, the Privacy Rule does not “prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including a COVID-19 vaccine, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.”

It is important to note that other state or federal laws may apply and address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.

HHS’ decision to publish this clarification is an indication that there remains much controversy and confusion over privacy issues as they pertain to the COVID-19 vaccine mandate. HHS’ clarification provides helpful guidance as both individuals and the business community continue to grapple with the practical effect of vaccination mandates as balanced against an individual’s privacy rights in the workplace and elsewhere.

Written by:

Greenbaum, Rowe, Smith & Davis LLP
Greenbaum, Rowe, Smith & Davis LLP
Contact
more
less

Greenbaum, Rowe, Smith & Davis LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide