Despite HHS’s recent guidance on COVID-19 vaccine status and the workplace, some people seem to refuse to accept that HIPAA says what it says — and doesn’t say what it doesn’t say. Yes, as we all know, there are multiple laws and factors that can come into play, but if the question is “What does HIPAA require” or “What does HIPAA permit,” then the answer is not quite as complicated.
One of my go-to HIPAA experts is Texas attorney Jeff Drummond, who has blogged about HHS’s recent guidance. Jeff writes, in part:
HIPAA only applies to covered entities (and their business associates), and only applies to PHI. Is the entity a covered entity, and is the information PHI? Unless both answers are “yes,” then HIPAA does not apply. Simple as that.
Read his full blog post here.
So even if the entity is a covered entity, its employees are employees, and their information as employees is not “protected health information.” So yes, a covered entity can require its employees to be vaccinated or tested regularly. And yes, an otherwise covered entity can require its employees to permit the practice to tell patients or potential patients that all employees are vaccinated or tested, etc. Other laws may apply, but in terms of what the HIPAA Privacy Rule says, HHS writes:
Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
No. The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.
For example, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
- Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
- Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
- Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
- Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Other federal or state laws address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination. These laws also address how employers must treat medical information that they obtain from employees. For example, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).