The Department of Health and Human Services today announced workplace guidance on the Health Insurance Portability and Accountability Act’s applicability to disclosures and requests for information about whether a person has received a COVID-19 vaccine. According to HHS’ Office for Civil Rights, the HIPAA Privacy Rule applies only to covered entities, including health plans, health care clearinghouses, health care providers that conduct standard electronic transactions, and, to some extent, their business associates. It does not apply to employers or employment records.
The guidance outlines a series of scenarios outlining how the HIPAA privacy rule would or would not apply in different circumstances. For example, the HIPAA Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to provide documentation of their COVID-19 or flu vaccination to their current or prospective employer. But the guidance explains that other federal or state laws may address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination.
It also notes that these laws may address how employers must treat medical information that they obtain from employees. For example, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act.