HIPAA Privacy Rule Guidance Issued Regarding COVID-19 Vaccines

Hodgson Russ Employee Benefits Newsletter
October 31, 2021

A list of frequently asked questions (FAQs) recently published by the Department of Health and Human Services addresses the application of HIPAA’s privacy rule to workplace COVID-19 disclosures.  HIPAA’s privacy rule generally prohibits a covered entity (i.e., health plans, health care clearinghouses, and health care providers) or business associate from disclosing protected health information without proper authorization.  Although a healthcare provider is generally prohibited from disclosing an individual’s vaccination status to an employer without proper authorization, the FAQs identify a number of situations where HIPAA’s privacy rule does not prohibit disclosure about an individual’s COVID-19 vaccination status.  For example, HIPAA’s privacy rule does not prohibit:

  • A business from asking customers if they have been vaccinated.
  • An employer from requiring its employees to disclose if they have been vaccinated.
  • An individual from asking a company whether its workforce has been vaccinated.
  • An individual from disclosing their vaccination status to an employer or business.

HIPAA is often cited as a reason why health information such as an individual’s COVID-19 vaccination status may not be shared.  However, as illustrated in these FAQs, HIPAA’s privacy rules are generally limited to certain types of disclosures by certain types of entities.  (FAQs HIPAA, COVID-19 Vaccination, and the Workplace - September 30, 2021.)