The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance regarding the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy rule (the “Privacy Rule”) in the form of Q&A to assist covered entities in determining when it is appropriate to release or request protected health information (“PHI”) related to an individual’s COVID-19 vaccination status.
Specifically, OCR provided certain examples of instances in which a covered entity may permissibly disclose PHI, including, without limitation, the following:
- A physician or health plan disclosure related to an individual’s vaccination status when required to do so by law.
- A pharmacy disclosure related to an individual’s vaccination status to a public health authority (state or local public health agency).
- A hospital disclosure related to an individual’s vaccination status to the individual’s employer so that an evaluation may be conducted relating to medical surveillance in the workplace if certain conditions are met.
Unless an exception applies, the Privacy Rule otherwise prohibits a covered entity from disclosing PHI. Accordingly, in instances in which an exception does not apply, a covered entity’s disclosure of PHI, including, without limitation, the vaccination status of an individual, to a third party (e.g., sports arena, hotel, resort, cruise ship or airline) would require a valid HIPAA authorization or court order.
The OCR also confirmed that the Privacy Rule generally does not apply to a covered entity or business associate in their capacity as employers, which is consistent with the regulations and prior pronouncements. Therefore, according to the OCR, a covered entity or business associate is permitted to require or request its workforce members to:
- Provide documentation of vaccination status.
- Sign a HIPAA authorization to disclose an individual’s vaccine record to their employer.
- Wear a mask.
- Disclose to patients or future patients an employee’s vaccination status.