With the nation’s ongoing focus on COVID-19 vaccinations, you may be hearing information—and misinformation—about your obligations under HIPAA, the federal Health Insurance Portability and Accountability Act. In this segment of Myth Busters, we address some common misconceptions about HIPAA and its applicability to employers and employee health information.
Myth: My employees do not have to provide their COVID-19 vaccination status or proof of vaccination status because that information is protected by HIPAA.
Truth: Employers may require an employee to provide their COVID-19 vaccination status and present proof of vaccination, such as a vaccine card, because HIPAA does not apply to these inquiries.
HIPAA governs the use and disclosure of protected health information (PHI) held by certain “covered entities” in the health care space, including health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically, as well as the “business associates” that handle PHI on behalf of those covered entities. For instance, when a physician electronically submits a medical claim to a patient’s health plan for payment, HIPAA is triggered because the physician is a covered entity disclosing a patient’s protected health information. In general, however, most employers outside of the health care industry are not covered entities or business associates and are therefore not subject to HIPAA.
Nonetheless, employers should remain mindful of other state and federal laws that might apply when an employee discloses their vaccination status. For example, if an employee reveals that they are unvaccinated, an employer generally should not ask why, because the question may elicit information about the employee’s disability or medical conditions in violation of the Americans with Disabilities Act (ADA). However, if the employee is subject to an employer-imposed or state or federal vaccination requirement, it may be necessary to explore the basis for the employee being unvaccinated in order to determine whether a reasonable accommodation, such as an exemption from the requirement, is necessary and possible.
Myth: My organization is a healthcare entity/provider, so HIPAA applies to all employee medical information collected by my organization.
Truth: While HIPAA will apply to your organization in its role as a healthcare provider, it will not apply to your organization when acting in its capacity as an employer. HIPAA’s definition of PHI expressly excludes employment records held by a covered entity in its role as an employer. For example, if an employee has disclosed disability-related information for purposes of pursuing a reasonable accommodation, or medical information relevant to a request for leave under the Family and Medical Leave Act (FMLA), that information would not be considered PHI subject to HIPAA protections. In addition, the U.S. Department of Health and Human Services (HHS) has recently confirmed that the HIPAA Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
However, HIPAA would apply to other employee medical information collected by the organization in its capacity as a healthcare provider. For instance, if a hospital employee becomes a patient of that hospital, HIPAA would apply to the employee’s patient records, but not their employment records.
Myth: I can disclose an employee’s vaccine status to other employees or customers because HIPAA does not apply to my organization.
Truth: Not so fast—even if an employer is not subject to HIPAA, other laws limit disclosure of an employee’s health information. For example, the ADA requires employers to treat as a confidential medical record any medical information obtained through an employer’s disability-related inquiry, an employment-related medical examination (including one conducted as part of a voluntary wellness program), or the employee’s own voluntary disclosure. Employers may share that medical information only in limited circumstances, such as with managers or supervisors who need to know an employee’s work restrictions and accommodations. Similarly, the FMLA requires employers to keep medical records and information private. If an employee needs leave for a serious medical condition or other qualifying reason, including one related to COVID-19 or vaccination, the employer should keep that information confidential consistent with its FMLA obligations.
Employers also need to be mindful of state-specific privacy laws that might apply to protect personal information held by an employer from improper disclosure, theft, or misuse. Absent notification to and consent by an employee, disclosure of an employee’s vaccination status to third parties likely will constitute an unauthorized disclosure or breach under applicable state privacy laws. Nearly every state requires employers to notify employees when there has been an unauthorized disclosure of certain defined categories of personal information, including Social Security numbers. Recently, several states have expanded those laws to cover the disclosure of employee medical information. For example, the Maryland Personal Information Protection Act (PIPA) was amended effective January 1, 2018, to require businesses to “implement and maintain reasonable security procedures and practices” to protect against the unauthorized disclosure of employee “personal information,” a term that now includes health information. Finally, more recently enacted state privacy laws may independently require some form of notice to employees about how their personal information is collected and used.
Accordingly, an employer generally should not disclose an employee’s vaccination status—or any other employee health information—to other employees or to a customer. In addition, employers should keep all employee health information confidential and store it securely in a separate medical file, apart from the employee’s personnel file, as the ADA requires.