The federal Health & Human Services Office for Civil Rights (OCR) released guidance covering when the Health Insurance Portability and Accountability Act (HIPAA) applies to disclosures and information requests concerning whether someone has received a COVID-19 vaccine. The guidance describes circumstances when disclosure is allowed and when it is prohibited, including in employment circumstances.
Businesses and employee information. HIPAA does not block businesses or individuals from asking whether customers or clients have received the vaccine. HIPAA applies only to certain covered entities, including health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions, and, in some cases, to their business associates. Even with those entities, HIPAA does not regulate the ability of the entity to request information, but only regulates how the entity is permitted to use and disclose protected health information. The privacy rule (45 C.F.R. Part 160 and Subparts A and E of Part 164) does not apply when an individual is asked about vaccination status by an employer, school, store, restaurant, entertainment venue, or another individual. It is also inapplicable when an individual asks another person, their doctor, or a service provider if they are vaccinated, as well as when an individual asks a company, such as a home health agency, whether its employees are vaccinated.
The HIPAA privacy rule does not prohibit business customers or clients from disclosing their vaccination status.
An employer is permitted under HIPAA to require an employee to say if they have been vaccinated. The privacy rule does not apply to employment records. The privacy rule allows a covered entity to require its employees to disclose their vaccination status to employers or other parties. The privacy rule does not apply to employment records held by covered entities. A covered entity can require an employee to provide vaccination documentation, wear a mask, and disclose whether they have been vaccinated to patients who ask.
Health entity disclosures. HIPAA prohibits a doctor’s office from disclosing an individual’s vaccination status (or other protected health information, or PHI) to the individual’s employer or other parties, except where permitted by the privacy rule. A covered physician can disclose an individual’s vaccination information to the individual’s health plan if necessary to obtain payment for administering the vaccine. A covered pharmacy can disclose such information to a public health authority. A health plan can disclose information if required by law to do so. A nurse practitioner can disclose vaccination information about an individual to that individual. A covered hospital can disclose an individual’s vaccination information to the individual’s employer under certain conditions.
For additional guidance, see HHS’ guidance on “HIPAA, COVID-19 Vaccination, and the Workplace.”