Department of Health discusses applicability of HIPAA to COVID-19 vaccination information

The federal Department of Health and Human Services (HHS) has issued guidance on the applicability of HIPAA to COVID-19 vaccination information, directly addressing a number of misconceptions about when HIPAA does or does not regulate the disclosure of an individual’s COVID-19 vaccination status. Here are five key takeaways from the guidance.

“The privacy rule does not prohibit any person (for example, an individual or entity such as a business), including HIPAA-covered entities and business associates, from inquiring whether an individual has received a particular vaccine, including COVID-19 vaccines.” - HHS (Sep 30, 2021)

1. HIPAA only regulates Covered Entities and Business Associates.

The guidelines reiterate that HIPAA only applies to covered entities (health plans, health care providers that perform standard electronic transactions, and health care clearinghouses) and their business associates. HIPAA does not generally apply to employers, restaurants, stores, schools, and places of entertainment. Additionally, HIPAA does not apply to the disclosure by individuals of their own immunization information.

2. HIPAA does not prohibit Covered Entities or Business Associates from asking questions about vaccinations.

HIPAA restricts how covered entities and business associates can use and disclose Protected Health Information (PHI); it does not prohibit anyone from asking whether someone has been vaccinated. For example, HIPAA does not prohibit a covered entity from asking if patients or visitors have been vaccinated against COVID-19. However, patient immunization information is PHI, and HIPAA regulates how the covered entity uses and discloses this information once received.

3. HIPAA does not apply to employee information.

With regard to employers in particular, the guidance notes that HIPAA does not apply to health information in employee records, even when the employer is a covered entity or business associate. This means that the employee vaccination records that an organization keeps as an employer are not regulated by HIPAA. HIPAA also does not apply to employees who are asked about their own immunization status or who disclose their own immunization status. Although other federal and state laws may be implicated in these situations, HIPAA does not apply. For example, see the EEOC guidelines “What You Need to Know About COVID-19 and ADA, Rehabilitation Law and Other EEO Laws”.

4. Entities covered by HIPAA do not always need permission to disclose information about vaccination.

The general rule under HIPAA is that a covered entity needs the individual’s permission to use or disclose PHI, unless an exception applies. 45 CFR § 164.502(a). The HHS guidelines summarize scenarios in which HIPAA allows a covered entity to disclose an individual’s immunization status without the individual’s permission, including, without limitation, (i) to a health plan when necessary to obtain payment for immunization, (ii) to public health authorities, and (iii) when required by law.

Note, however, that such disclosures may be further restricted by applicable state law. The guidelines also state that the covered entity will generally need permission to disclose the person’s immunization status to entertainment venues, cruise ships, and airlines, and for similar types of disclosures.

5. Healthcare providers in HIPAA-covered entities may disclose immunization information to employers without authorization only in specific circumstances.

Covered entities need permission to disclose immunization information to an individual’s employer, unless the disclosure meets all of the following conditions:

  1. The covered entity is a health care provider who provides health care to the person at the request of the employer, either to perform an assessment relating to medical surveillance of the workplace (for example, monitoring the spread of COVID-19 within the workforce) or to assess whether the person suffers from a work-related illness or injury;

  2. The PHI disclosed consists of results relating to a work-related illness or injury or to work-related medical surveillance;

  3. The employer needs the results to comply with their legal obligations under OSHA, the Mine Safety and Health Administration, or state laws with a similar purpose; and

  4. The covered entity has provided written notice to the individual that PHI related to workplace health surveillance and work-related illnesses will be disclosed to the employer through one of the HIPAA-authorized notification methods.

45 CFR § 164.512(b)(1)(v). If any of these conditions are not met, covered entities will generally need the employee’s permission to disclose their immunization status to the employer. Additionally, as noted above, such disclosures may be further restricted by applicable state law.

For reference, the following table summarizes some of the examples provided by HHS in the guidance:

| Fact pattern | Does HIPAA apply? |
| --- | --- |
| Covered entity or business associate uses or discloses patient / health plan member vaccine information | |
| Covered entity or business associate asks if person has been vaccinated | No (although the use or disclosure of this information, whether the person is a patient or a plan member, is regulated by HIPAA) |
| Individual A asks individual B if individual B is vaccinated | |
| Person discloses their own immunization status | |
| A school, employer, store, restaurant or place of entertainment asks someone about their immunization status | |
| The person asks their doctor if the doctor is vaccinated | |
| An individual asks the company if its staff are vaccinated | |
| Employer requires employee to provide vaccination documents | |


About Charles D. Goolsby
