Compliance Alert: HHS Issues FAQ Regarding Vaccines and HIPAA Privacy
October 18, 2021
On September 30, the Department of Health and Human Services (HHS) issued a set of frequently asked questions (“the FAQ”) addressing common issues and misconceptions related to employee vaccines and HIPAA privacy requirements (“the Privacy Rule”).
In a series of 5 questions and answers, the FAQ clarifies:
- The entities to which the Privacy Rule applies (covered entities, and to some extent, business associates);
- The difference between information that is considered protected health information (PHI) and other types of information (e.g., employment information); and
- How covered entities are permitted to use and disclose PHI under the Privacy Rule.
The FAQ begins by emphasizing that the Privacy Rule regulates “covered entities,” which include health plans (including employer-sponsored health plans), providers, health care clearinghouses, and to some extent, business associates. The Privacy Rule does not regulate employers, and it does not regulate individuals.
Second, the FAQ clarifies that no entity (whether a covered entity or not) is prohibited from asking about another person’s vaccination status. Therefore, employers may request this information from employees, and providers or other covered entities may request this information from individuals. The Privacy Rule does become implicated once a covered entity (e.g., a provider or a health plan) knows a person’s vaccination status. At this point, that information is considered PHI and the provider or health plan is bound by the Privacy Rule’s requirements with respect to how it may use or disclose that information. (With limited exceptions, a covered entity may only use or disclose an individual’s PHI for purposes of treatment, payment, or health care operations unless it first obtains written authorization.)
Below are examples of situations the FAQ outlines where a request for an individual’s vaccine status does not implicate the Privacy Rule:
- An individual is asked by a school, employer, store, restaurant, entertainment venue, or other individual about their vaccination status;
- An individual asks another individual, their doctor, or a service provider whether they are vaccinated;
- An individual asks a company (e.g., a home health agency) whether its workforce members are vaccinated.
Note that in each of these examples, other federal or state laws may come into play. The point of the FAQ is that the Privacy Rule does not apply.
The FAQ also emphasizes that because the Privacy Rule does not regulate individuals, an individual is never prohibited from disclosing to another person or entity information about the individual’s vaccination status. In other words, nothing prevents an individual from voluntarily sharing whether they have been vaccinated.
Moreover, because the Privacy Rule does not regulate employers, it does not generally prevent employers from asking their workforce for information (or requiring the provision of information), including health information, that is needed as part of the terms and conditions of employment. This includes:
- Requesting or requiring existing or prospective employees to provide documentation of their COVID-19 or flu vaccination;
- Requesting or requiring existing or prospective employees to sign a HIPAA authorization for a provider to disclose the individual’s vaccination record to their employer;
- Requiring employees to wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location; and/or
- Requiring employees to disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Again, note that in each of these examples, other federal or state laws may come into play with respect to what information an employer can request, how the employer must maintain it, and what the employer is able to do with that information. The point of the FAQ is that the Privacy Rule does not apply.
Finally, the FAQ emphasizes that once a covered entity (e.g., a provider or a health plan) has information regarding an individual’s vaccination status, that information is considered PHI and the covered entity may only use or disclose that information as permitted by the Privacy Rule or pursuant to written authorization from the individual who is the subject of the PHI. Generally, the Privacy Rule permits covered entities to use and disclose PHI for purposes of treatment, payment, and health care operations; for certain public policy-related purposes; and as required by law. Covered entities may also disclose PHI to the individual who is the subject of the PHI. For employer-sponsored health plans, this means that PHI may generally only be used or disclosed for purposes of plan administration (e.g., claims payment or utilization/case management) unless a legal or public policy exception applies or unless the disclosure is being made to the individual who is the subject of the PHI. PHI may not be used for any employment-related purposes. Therefore, while an employer may gather vaccination information directly from employees for employment-related purposes (in which case the information is not PHI), an employer would not be permitted to gather information from its health plan records and then use this information (which is PHI) for non-health plan purposes, such as hiring or termination.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.
The FAQ provides an example of a situation where a hospital may disclose vaccine information to employers, so long as certain conditions are met, so that the employer can comply with requirements of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state law to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness.