HIPAA Guidance Regarding COVID-19 Vaccination Status in the Workplace

On September 30^th, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule and its application to the workplace, specifically discussing the disclosure and request of COVID-19 vaccination status.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

The Privacy Rule (45 CFR Parts 160 and 164) applies specifically to covered entities (CEs), such as health plans, health care clearinghouses, and health care providers who maintain or transmit individually identifiable health information, called “protected health information (PHI).” The Privacy Rule does not regulate a CE’s or its business associates’ (BA) ability to request the vaccination status of an individual, it regulates how the CE and BAs use and disclose the PHI obtained. The Rule expressly states that a member of the CE’s workforce is not considered a BA and the rule does not prohibit an employer from requesting the vaccination status of its employees, a patient, or a visitor and the Rule does not limit an individual from disclosing their own information to another person. In other words, even though a pharmacy is considered a CE and staff must abide by the Privacy Rule daily when utilizing and disclosing PHI, when the pharmacy is acting in its capacity as an employer the Rule does not regulate its ability to ask employees, customers, or patients about their vaccination status. The employee, customer, or patient might believe they do not have to share this information per HIPAA; however, that is not a valid assertion since HIPAA does not regulate or prohibit an individual from sharing their own information. Outside of HIPAA, there may be other applicable state or federal laws which could overlap HIPAA regulations – refer to your healthcare attorney for additional clarifications.

Additionally, the Privacy Rule does not dictate what information can be requested of its employees as a condition of employment. Even the federal equal employment opportunity laws do not prevent an employer from requiring staff to be vaccinated before entering the workplace, as long as reasonable accommodations are made per the Americans with Disabilities Act (ADA). If an employer maintains confirmation or proof of vaccination, the ADA requires those records be stored separately from the individual’s personnel file. Furthermore, an employer can require each member of its workforce to sign a HIPAA authorization to obtain proof of vaccination directly from a covered health care provider and an employer may require its workforce to disclose their vaccination status to a patient, if asked.

The Privacy Rule does prohibit a CE and their BAs from using or disclosing an individual’s medical records, including vaccination status, to an individual’s employer or other entity unless the individual approves the request in advance, or the release pertains to treatment, payment, or other healthcare operations (TPO). Unless the individual has restricted the release of their PHI, the pharmacy can share the individual’s vaccination status with entities such as the individual’s primary care provider, their insurance company, and the state immunization database without the patient’s consent. For disclosure to an entity outside TPO, patients must first approve the release of their protected information (including vaccination history). Be sure to keep all HIPAA-related documentation for a minimum of six years.

PAAS Tips:

PAAS Fraud, Waste and Abuse and HIPAA Compliance members, refer to section 10.5 of your Policy and Procedure Manual for additional information regarding the use and disclosure of PHI and Appendix B for the Request to Access or Release Protected Health Information form.
Refer to the OCR’s guidance document for additional scenarios, including vaccine records maintained by schools, disclosure to public health authorities, and hospitals releasing PHI relating to an employee’s vaccination status (including documented side effects of the vaccine) to an employer.

Author
Recent Posts

Sara Hathaway, PharmD

Analyst at PAAS National^®

After graduating from UW-Madison's School of Pharmacy with my PharmD, I spent my first eight years at an independent pharmacy dividing my time between both retail and long-term care. I fell in love with the independent pharmacy world and joined the PAAS team to help independents not only survive, but thrive.

I enjoy assisting pharmacy staff both pre- and post-audit and enjoy providing them with knowledge and tools to decrease audit risk going forward. I write articles for Third-Party Newsline each month and answer member questions daily. I look forward to building professional relationships with each of our members and assisting you with your next audit.

Latest posts by Sara Hathaway, PharmD (see all)

Numerous Sumatriptan Formulations Cause Headaches for Pharmacies, & Potential Recoupments - April 14, 2024
Be on the Lookout for Eye Drops Requiring Extra Billing Consideration - March 16, 2024
Employer Pays $4.75 Million after Employee Stole, then Sold, Protected Health Information - March 5, 2024