New Guidance on the Impact of HIPAA on COVID-19 in the Workplace

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC

On Sept. 30, 2021, the Department of Health and Human Services published guidance, “HIPAA, COVID-19 Vaccination, and the Workplace,” (the Guidance) that details the ways in which the Health Insurance Portability and Accountability Act (HIPAA) intersects with workplace and other third-party inquiries regarding COVID-19 vaccinations. 

The HIPAA Privacy Rule, at issue here, applies the use and disclosure of protected health information (PHI) to covered entities and business associates. “Covered entities” include health plans, health care clearinghouses, health care providers that conduct standard electronic transactions and “business associates” are entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Per the Guidance, the Privacy Rule is not implicated by a business inquiring whether their employees, customers or clients have received a COVID-19 vaccine. Additionally, the Privacy Rule does not apply when an individual (1) is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue or another individual; (2) asks another individual, their doctor or a service provider whether they are vaccinated; or (3) asks a company, such as a home health agency, whether its workforce members are vaccinated.

Moreover, the Privacy Rule is not violated when an employer requires an employee to disclose whether they have received the COVID-19 vaccine. Generally, the Privacy rule does not apply to employment records, including employment records held by covered entities or business associates, and does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce. Furthermore, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting that a workforce member (1) provide documentation of their COVID-19 or flu vaccination to their current or prospective employer; (2) sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer; or (3) wear a mask – while in the employer’s facility, on the employer’s property or in the normal course of performing their duties at another location.

The Guidance also notes that the Privacy Rule is not implicated when an employee discloses their own vaccination status, there is additional information contained within the Guidance for specific covered entities regarding when they may disclose vaccination information without patient consent. Finally, the Guidance reminds employers that documentation or other confirmation of vaccination, to the extent is received by an employer, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). 

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising

Written by:

Bond Schoeneck & King PLLC

Bond Schoeneck & King PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.