Impact of the HIPAA Privacy Rule on COVID-19 Vaccine Inquiries

On Sept. 30, 2021, the Department of Health and Human Services (HHS) issued frequently asked questions (FAQs) on the application of the Health Insurance Privacy and Accountability Act (HIPAA) Privacy Rule on COVID-19 vaccination and the workplace.

Overview of the FAQ Guidance

The FAQs provide that the HIPAA Privacy Rule does not prohibit any person (an individual or an entity, such as a business)—including HIPAA-covered entities and business associates—from asking whether an individual has received a COVID-19 vaccine. Rather, the Privacy Rule regulates how and when a covered entity or its business associate may use or disclose protected health information (PHI), including information about an individual’s vaccination status.

In addition, the Privacy Rule does not prevent any individual from disclosing whether he or she has been vaccinated against COVID-19 or any other disease. The Privacy Rule does not apply to individuals’ disclosures about their own health information.

The Privacy Rule also does not prohibit an employer from requiring an employee to disclose whether they have received a COVID-19 vaccine to the employer, clients or other parties. The Privacy Rule does not apply to employment records and does not regulate what information can be requested from employees as part of the terms and conditions of employment. However, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

In addition, other federal or state laws do address terms and conditions of employment. Similarly, other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.

HIGHLIGHTS

  • The HIPAA Privacy Rule does not prohibit any person or entity from asking whether an individual has received a COVID-19 vaccine.
  • The Privacy Rule also does not prevent an individual from disclosing whether he or she has been vaccinated against COVID-19.
  • However, the Privacy Rule generally does prohibit a doctor’s office from disclosing whether an individual has received a COVID-19 vaccine to the individual’s employer or others.

The HIPAA Privacy Rule does not prohibit an employer from requiring employees to disclose whether they have received a COVID-19 vaccine.

Download PDF