The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.).
The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.
The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files. The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.
It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).