On September 30th, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule and its application to the workplace, specifically discussing the disclosure and request of COVID-19 vaccination status.
The Privacy Rule (45 CFR Parts 160 and 164) applies specifically to covered entities (CEs), such as health plans, health care clearinghouses, and health care providers who maintain or transmit individually identifiable health information, called “protected health information (PHI).” The Privacy Rule does not regulate a CE’s or its business associates’ (BA) ability to request the vaccination status of an individual; it regulates how the CE and BAs use and disclose the PHI obtained. The Rule expressly states that a member of the CE’s workforce is not considered a BA. The Rule does not prohibit an employer from requesting the vaccination status of its employees, a patient, or a visitor, and it does not limit an individual from disclosing their own information to another person. In other words, even though a pharmacy is considered a CE and staff must abide by the Privacy Rule daily when utilizing and disclosing PHI, when the pharmacy is acting in its capacity as an employer the Rule does not regulate its ability to ask employees, customers, or patients about their vaccination status. The employee, customer, or patient might believe they do not have to share this information per HIPAA; however, that is not a valid assertion since HIPAA does not regulate or prohibit an individual from sharing their own information. Outside of HIPAA, there may be other applicable state or federal laws which could overlap HIPAA regulations – refer to your healthcare attorney for additional clarifications.
Additionally, the Privacy Rule does not dictate what information an employer can request of its employees as a condition of employment. Even the federal equal employment opportunity laws do not prevent an employer from requiring staff to be vaccinated before entering the workplace, as long as reasonable accommodations are made per the Americans with Disabilities Act (ADA). If an employer maintains confirmation or proof of vaccination, the ADA requires those records be stored separately from the individual’s personnel file. Furthermore, an employer can require each member of its workforce to sign a HIPAA authorization to obtain proof of vaccination directly from a covered health care provider, and an employer may require its workforce to disclose their vaccination status to a patient, if asked.
The Privacy Rule does prohibit a CE and its BAs from using or disclosing an individual’s medical records, including vaccination status, to an individual’s employer or other entity unless the individual approves the request in advance, or the release pertains to treatment, payment, or other healthcare operations (TPO). Unless the individual has restricted the release of their PHI, the pharmacy can share the individual’s vaccination status with entities such as the individual’s primary care provider, their insurance company, and the state immunization database without the patient’s consent. For disclosure to an entity outside TPO, patients must first approve the release of their protected information (including vaccination history). Be sure to keep all HIPAA-related documentation for a minimum of six years.
- PAAS Fraud, Waste and Abuse and HIPAA Compliance members, refer to section 10.5 of your Policy and Procedure Manual for additional information regarding the use and disclosure of PHI and Appendix B for the Request to Access or Release Protected Health Information form.
- Refer to the OCR’s guidance document for additional scenarios, including vaccine records maintained by schools, disclosure to public health authorities, and hospitals releasing PHI relating to an employee’s vaccination status (including documented side effects of the vaccine) to an employer.