The federal Department of Health and Human Services (HHS) issued guidance on the applicability of HIPAA to COVID-19 vaccination information, directly addressing a number of misconceptions about when HIPAA does, or does not, regulate disclosures of an individual’s COVID-19 vaccination status. Here are five key takeaways from the guidance.

“The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.” – HHS (Sep 30, 2021)

1. HIPAA only regulates covered entities and business associates. The guidance serves as a reminder that HIPAA applies only to covered entities (health plans, health care providers that conduct electronic standard transactions, and health care clearinghouses) and their business associate vendors. HIPAA generally does not apply to employers, restaurants, stores, schools, and entertainment venues. Further, HIPAA does not apply to individuals’ disclosure of their own vaccination information.

2. HIPAA does not prohibit covered entities or business associates from asking about vaccinations. HIPAA restricts how covered entities and business associates can use and disclose protected health information (PHI)—HIPAA does not prohibit anyone from asking whether someone has received a vaccination. For example, HIPAA does not prohibit a covered entity from asking whether patients or visitors have been vaccinated against COVID-19. However, patients’ vaccination information is PHI and HIPAA regulates how the covered entity further uses and discloses that information once received.

3. HIPAA does not apply to employee information. With regard to employers in particular, the guidance notes that HIPAA does not apply to health information in employee files, even where the employer is a covered entity or business associate. That means vaccination records of employees that an organization maintains as an employer are not regulated by HIPAA. HIPAA also does not apply to employees being asked about, or disclosing, their own vaccination status. While there may be other federal and state laws that are implicated in these situations, HIPAA does not apply. For example, see EEOC guidance “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.”

4. HIPAA covered entities do not always need authorization to disclose vaccination information. The general rule under HIPAA is that a covered entity needs the individual’s authorization to use or disclose PHI, unless an exception applies. 45 C.F.R. § 164.502(a). The HHS guidance summarizes the scenarios where HIPAA permits a covered entity to disclose an individual’s vaccination status without the individual’s authorization, including, without limitation, (i) to a health plan when necessary to obtain payment for the vaccination, (ii) to public health authorities, and (iii) where required by law.

Note that these disclosures may be further restricted by applicable state law, however. The guidance also notes that the covered entity will generally need authorization to disclose the individual’s vaccination status to entertainment venues, cruise ships, airlines, and similar types of disclosures.

5. HIPAA covered entity health care providers can disclose vaccination information to employers without authorization only in specific circumstances. Covered entities need authorization to disclose vaccination information to an individual’s employer unless the disclosure fits into all of the following conditions:

  1. The covered entity is a health care provider who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness or injury;
  2. The PHI disclosed is the findings concerning a work-related illness or injury or workplace-related medical surveillance;
  3. The employer needs the findings to comply with its legal obligations under OSHA, the Mine Safety and Health Administration , or state laws having a similar purpose; and
  4. The covered entity has provided written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer by one of the notice methods permitted by HIPAA.

45 C.F.R. § 164.512(b)(1)(v). If any of these conditions are not met, covered entities generally will need the employee’s authorization to disclose vaccination status to the employer. In addition, as noted above, these disclosures may be further restricted by applicable state law.

For reference, the following table summarizes some of the examples that HHS provided in the guidance:

Fact Pattern Does HIPAA apply?
 Covered entity or business associate uses or discloses patients’/health plan members’ vaccine information  Yes
 Covered entity or business associate asks if individual has been vaccinated  No (although uses or disclosures of that information, if the individual is a patient or plan member, is regulated by HIPAA)
 Individual A asks Individual B if Individual B is vaccinated  No
 Individual discloses individual’s own vaccination status  No
 School, employer, store, restaurant, or entertainment venue asks an individual about that individual’s vaccination status  No
 Individual asks their doctor if the doctor is vaccinated  No
 Individual asks company if its workforce is vaccinated  No
 Employer requires employee to provide documentation of vaccination  No

Foley is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, or to our Health Care Practice Group with any questions.