Despite two years of COVID and a year’s worth of vaccinations, there remains some confusion over the privacy of an employee’s vaccination status. As a healthcare employer, are you permitted to ask your employees if they’re vaccinated? Do you breach the Health Information Protection and Accountability Act (HIPAA) in doing so? The quick answers to those questions are: it’s OK for an employer to ask; and as long as the inquiry is made to the employee (and not to a third party or sought from medical records), the employer probably hasn’t violated HIPAA.
First, let’s address HIPAA applicability in general. As a healthcare attorney, I find that HIPAA is an integral part of my “filter” in providing legal analysis. However, it surprises me when I hear people who work outside the healthcare arena claim HIPAA protection over all kinds of information – and most recently, their COVID-19 vaccination status. Those claims stem from a much broader interpretation of HIPAA’s protections than the law actually provides. In a nutshell, HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers (along with their business associates). Unless an employer falls into one of those categories, HIPAA does not play a role. Nevertheless, healthcare employers who have employees who are also patients, or employees who have provided Protected Health Information (PHI) to their employer, cannot just shrug off their HIPAA obligations when it comes to vaccinations. PHI must always be safeguarded in accordance with the HIPAA Privacy Rule.
So, can you ask employees about their vaccination status? Yes. In the fall of 2021, CMS made it clear that HIPAA does not prohibit anyone (individuals, businesses, employers, etc.), including those governed by HIPAA, from asking whether an individual has received a COVID-19 (or any other) vaccine. And even more broadly, HIPAA is not violated if an employer requires an employee to notify other parties of their vaccination status.
HIPAA does not regulate the information that can be requested from employees as part of their employment. Employers can therefore inquire about an employee’s (or potential employee’s) vaccination status, and can make a business or hiring decision based on that information. Once that information is received by an employer, it must be safeguarded, and kept separately from the employee’s personnel files pursuant to the Americans with Disabilities Act (ADA), but it does not trigger HIPAA. Similarly, the EEOC has stated that asking employees about their vaccination status does not violate any federal anti-discrimination laws.
However, HIPAA is not totally eviscerated by the CMS guidance. While an employer can ask an employee about their vaccination status, the employer cannot ask the employee’s healthcare provider to disclose that information. Likewise, an employer cannot go into its own electronic health records to look for evidence of vaccination of one of its employees. Consent is generally required for those types of access and disclosure, absent the application of other laws.
Hopefully, the urgency of this disclosure issue under HIPAA will subside with the current reduction in new cases of COVID-19 and related hospitalizations. However, it does provide a good opportunity for a refresher on what is governed, and what is not, under HIPAA. Those premises will outlast the COVID-19 pandemic.