HIPAA: Top 5 Takeaways as HHS Addresses Misconceptions on Applicability to COVID-19 Vaccination Information

04 October 2021 Health Care Law Today Blog
Authors: Jennifer J. Hennessy, Jennifer L. Urban, Samuel D. Goldstick

The federal Department of Health and Human Services (HHS) issued guidance on the applicability of HIPAA to COVID-19 vaccination information, directly addressing a number of misconceptions about when HIPAA does, or does not, regulate disclosures of an individual’s COVID-19 vaccination status. Here are five key takeaways from the guidance.

"The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.” – HHS (Sep 30, 2021)

1. HIPAA only regulates covered entities and business associates. The guidance serves as a reminder that HIPAA applies only to covered entities (health plans, health care providers that conduct electronic standard transactions, and health care clearinghouses) and their business associate vendors. HIPAA generally does not apply to employers, restaurants, stores, schools, and entertainment venues. Further, HIPAA does not apply to individuals’ disclosure of their own vaccination information.

2. HIPAA does not prohibit covered entities or business associates from asking about vaccinations. HIPAA restricts how covered entities and business associates can use and disclose protected health information (PHI)—HIPAA does not prohibit anyone from asking whether someone has received a vaccination. For example, HIPAA does not prohibit a covered entity from asking whether patients or visitors have been vaccinated against COVID-19. However, patients’ vaccination information is PHI and HIPAA regulates how the covered entity further uses and discloses that information once received.

3. HIPAA does not apply to employee information. With regard to employers in particular, the guidance notes that HIPAA does not apply to health information in employee files, even where the employer is a covered entity or business associate. That means vaccination records of employees that an organization maintains as an employer are not regulated by HIPAA. HIPAA also does not apply to employees being asked about, or disclosing, their own vaccination status. While there may be other federal and state laws that are implicated in these situations, HIPAA does not apply. For example, see EEOC guidance “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.”

4. HIPAA covered entities do not always need authorization to disclose vaccination information. The general rule under HIPAA is that a covered entity needs the individual’s authorization to use or disclose PHI, unless an exception applies. 45 C.F.R. § 164.502(a). The HHS guidance summarizes the scenarios where HIPAA permits a covered entity to disclose an individual’s vaccination status without the individual’s authorization, including, without limitation, (i) to a health plan when necessary to obtain payment for the vaccination, (ii) to public health authorities, and (iii) where required by law.

Note that these disclosures may be further restricted by applicable state law, however. The guidance also notes that the covered entity will generally need authorization to disclose the individual’s vaccination status to entertainment venues, cruise ships, airlines, and similar types of disclosures.

5. HIPAA covered entity health care providers can disclose vaccination information to employers without authorization only in specific circumstances. Covered entities need authorization to disclose vaccination information to an individual’s employer unless the disclosure meets all of the following conditions:

  1. The covered entity is a health care provider who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness or injury;
  2. The PHI disclosed is the findings concerning a work-related illness or injury or workplace-related medical surveillance;
  3. The employer needs the findings to comply with its legal obligations under OSHA, the Mine Safety and Health Administration, or state laws having a similar purpose; and
  4. The covered entity has provided written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer by one of the notice methods permitted by HIPAA.

45 C.F.R. § 164.512(b)(1)(v). If any of these conditions are not met, covered entities generally will need the employee’s authorization to disclose vaccination status to the employer. In addition, as noted above, these disclosures may be further restricted by applicable state law.

For reference, the following table summarizes some of the examples that HHS provided in the guidance:

| Fact Pattern | Does HIPAA apply? |
| --- | --- |
| Covered entity or business associate uses or discloses patients’/health plan members’ vaccine information | Yes |
| Covered entity or business associate asks if individual has been vaccinated | No (although uses or disclosures of that information, if the individual is a patient or plan member, are regulated by HIPAA) |
| Individual A asks Individual B if Individual B is vaccinated | No |
| Individual discloses individual’s own vaccination status | No |
| School, employer, store, restaurant, or entertainment venue asks an individual about that individual’s vaccination status | No |
| Individual asks their doctor if the doctor is vaccinated | No |
| Individual asks company if its workforce is vaccinated | No |
| Employer requires employee to provide documentation of vaccination | No |

Foley is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, or to our Health Care Practice Group with any questions.
