Fisher Phillips

“Are you fully vaccinated?” This seems to have become a million-dollar question that employers want to pose to their workers, but confusion abounds regarding the legal contours of this deceptively dangerous question. Many employers continue to wonder about the legal implications of asking an employee’s vaccination status. While the EEOC has confirmed that you can lawfully ask employees their vaccination status without violating federal anti-discrimination laws (provided the question is limited to a yes-or-no response), what about other privacy laws? Specifically, what about the often-misunderstood HIPAA, seemingly cited by anyone who disagrees with any sort of COVID-19 safety protocols? This Insight will untangle the myths from reality and provide employers with practical – and legally correct – guidance on this subject.

What is HIPAA?

HIPAA has unfortunately entered popular culture in recent times thanks to misguided individuals believing the law somehow creates a magic shield exempting them from complying with many pandemic-related requirements. Most recently, many employees have incorrectly cited “HIPPA” (as commonly misspelled on the internet) as grounds for withholding their vaccine status from their employers. But what is HIPAA, and does it really prevent you from asking employees and workplace visitors about whether they have been vaccinated against COVID-19?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. Sections 261 through 264 required the Secretary of the Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy and security of health information. The HHS issued what became known as the “Privacy Rule” to implement this requirement. The Privacy Rule addresses the use and disclosure of individually identifiable health information (referred to as “protected health information,” or PHI) by organizations that are subject to the Privacy Rule. Those organizations, which fit into only three categories, are referred to as “covered entities.”

Thankfully, confirming what we have been advising for many months now, the HHS recently issued guidance putting many HIPAA-related pandemic misconceptions to rest. This Insight provides additional information about this issue and what it means for you in the face of ongoing COVID-19 vaccine issues.

Who Does HIPAA Apply to?

Perhaps the most common misconception about HIPAA is that it applies to all businesses and employers. It does not. The Privacy Rule governs only “covered entities”:

  • health plans;
  • health care clearinghouses; and
  • health care providers that conduct standard electronic transactions (and to some extent to certain business associates of covered entities).

If you do not fall into one of these categories, HIPAA does not apply to you at all. And even if you do fall into one of these categories, the Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates “in their capacity as employers.”

What Does the HIPAA Privacy Rule Protect?

The Privacy Rule regulates how and when covered entities are permitted to use and disclose PHI that covered entities create, receive, maintain, or transmit. The rule does not prohibit an employer or business, including HIPAA covered entities, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. The rule does regulate, however, how and when a covered entity may use or disclose information about an individual’s vaccination status.

Since most employers are not covered entities under HIPAA, the Privacy Rule does not regulate whether you can ask about an individual’s vaccination status or how you can use or disclose that information once you have it.

But Isn’t COVID-19 Vaccination Status Confidential Medical Information?

Yes. Documentation or other information regarding an individual’s vaccination status is confidential medical information under the Americans with Disabilities Act (ADA) and some state privacy laws. This means that you must treat this information as confidential and store it separately from the employee’s personnel file.

The federal requirement to treat vaccination status as confidential information does not, however, prevent employers or businesses from asking their employees or their visitors whether they have been vaccinated against COVID-19. Note that some states, such as Montana, have enacted legislation restricting employers from asking employees and/or visitors about their vaccination status. The EEOC has also published helpful information about this subject.

Bottom Line: Can We Ask Whether Employees and Customers Are Vaccinated?

Yes. HIPAA does not prevent employers and businesses from asking their employees and visitors whether they have been vaccinated against COVID-19 and for proof of such vaccination. Once you have the information, it must be treated as confidential, meaning that it is not shared with others except under limited circumstances and, as noted, is not even kept in an employee’s personnel file.

In the absence of state or local laws to the contrary, businesses can ask visitors to show proof of vaccination upon entering their facility without having to store the information at all. You should, however, consult your attorney regarding any state-specific constraints before acting in this manner.