In response to numerous inquiries on the status of vaccination records and related information, the Health & Human Services (HHS) Office for Civil Rights (OCR) issued guidance entitled “HIPAA, COVID-19 Vaccination, and the Workplace” which includes FAQ’s to address questions about when and how the HIPAA Privacy Rules apply to COVID-19 vaccination-related information that may be requested and/or obtained by employers.

First and foremost the FAQ’s state that vaccination documentation that is provided by an employee to their employer is not HIPAA covered for purposes of medical privacy concerns. However, employers are still required to comply with federal anti-discrimination laws which do require that vaccination records themselves be protected as confidential medical information which must be maintained separately from the employee’s personnel files.

Second, it is important to note that the information set forth in the FAQs is applicable to all vaccinations, not just COVID-19 vaccination, and regardless of whether the vaccine has been fully approved or authorized via an emergency use authorization (EUA).

Certain of the FAQ’s which specifically address the workplace are summarized and set forth below.

1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

No. The Privacy Rule does not prohibit any person or an entity (such as a business) from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

The Privacy Rule applies only to covered entities (e.g. health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates.

The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors.  Instead, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.

3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers.

Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce. However, other federal or state laws do address terms and conditions of employment. For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

Documentation or other confirmation of vaccination, however, must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

No. The Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

For example, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

• Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
• Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
• Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

However, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under the Americans with Disabilities Act (ADA).

The Privacy Rule does not prohibit an individual from choosing to provide anyone with information regarding their vaccination status.

For additional information on the Privacy Rule and its application, visit https://www.hhs.gov/hipaa/for-individuals/index.html.