New HIPAA Guidance from OCR on COVID-19 Vaccines and the Workplace

Steptoe & Johnson PLLC
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance regarding the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy rule (the “Privacy Rule”) in the form of Q&A to assist covered entities in determining when it is appropriate to release or request protected health information (“PHI”) related to an individual’s COVID-19 vaccination status.
Specifically, OCR provided certain examples of instances in which a covered entity may permissibly disclose PHI, including, without limitation, the following:
  • A physician or health plan disclosure related to an individual’s vaccination status when required to do so by law.
  • A pharmacy disclosure related to an individual’s vaccination status to a public health authority (state or local public health agency).
  • A hospital disclosure related to an individual’s vaccination status to the individual’s employer so that an evaluation may be conducted relating to medical surveillance in the workplace if certain conditions are met.
Unless an exception applies, the Privacy Rule otherwise prohibits a covered entity from disclosing PHI. Accordingly, in instances in which an exception does not apply, a covered entity disclosure of PHI, including, without limitation, the vaccination status of an individual to a third party (e.g., sports arena, hotel, resort, cruise ship or airline) would require a valid HIPAA authorization or court order.
The OCR also confirmed that the Privacy Rule generally does not apply to a covered entity or business associate in their capacity as employers, which is consistent with the regulations and prior pronouncements. Therefore, according to the OCR, a covered entity or business associate is permitted to require or request its workforce members to:
  • Provide documentation of vaccination status.
  • Sign a HIPAA authorization to disclose an individual’s vaccine record to their employer.
  • Wear a mask.
  • Disclose to patients or future patients an employee’s vaccination status.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Steptoe & Johnson PLLC | Attorney Advertising

Written by:

Steptoe & Johnson PLLC

Steptoe & Johnson PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.