We Cannot Blame HIPAA For Everything
One thing we’ve learned in the course of the pandemic is, the American public is massively confused about what HIPAA is and isn’t. Some celebrities think that HIPAA means that reporters can’t ask them whether they have been vaccinated or that they would violate HIPAA by answering the question. We in the health care field know that HIPAA only applies to covered entities (health care providers and health plans) and their business associates. To clarify these issues for the broader public, the Office for Civil Rights (OCR) of the Department of Health & Human Services recently published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted.
The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is true even for businesses that are covered entities or business associates because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.
The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including hospitals, clinics and practices) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee’s health care provider to provide such documentation, to wear a mask while on the employer’s premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files.
The OCR also addressed questions relating to employee health services. Health care providers may disclose PHI relating to an individual’s vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply. Outside of these limited circumstances, the employee must consent to the health care provider providing information obtained in the course of treatment to the employer.
Contact Malecki Brooks Ford With Questions
For further information contact us, or reach out directly to Aileen Brooks or Patricia D. King.