As we approach various deadlines for COVID-19 vaccine mandates, in both the private and public sectors, there appears to be confusion over when vaccine information may be shared with employers and what obligations employers have, if any, under the Health Information Portability and Accounting Act ("HIPAA") to protect such information once obtained. To address some of that confusion, the Health & Human Services Office for Civil Rights ("OCR") has issued guidance entitled "HIPAA, COVID-19 Vaccination, and the Workplace."
As an initial matter, please keep in mind that HIPAA only applies to certain "covered entities," namely healthcare providers, health plans, and healthcare clearinghouses. Thus, it does not apply to employers in general. However, the lines become somewhat blurred when an employer is also a healthcare provider and utilizes a self-insured group health plan. In such a scenario, protected health information ("PHI") in the hands of the healthcare provider relating to its patients is covered by HIPAA. PHI in the hands of the group health plan relating to its members is also covered by HIPAA. However, PHI in the hands of the employer relating to its employees (and obtained in the employer-employee context) is not covered by HIPAA.
Thus, when determining whether COVID-19 vaccine information is protected under HIPAA, one must look at the context in which the information was obtained--when acting as the provider (administering the vaccine), when acting as the health plan (paying for the vaccine), or when acting as the employer (determining compliance with vaccine mandates in the workplace). The latter is not regulated by HIPAA and is not subject to HIPAA requirements regarding the privacy and security of the information obtained.
Under any of these three scenarios, there is no prohibition under HIPAA against asking an individual about their health information. HIPAA does not regulate anyone's ability to request information from individuals--it merely regulates when that information can be used and disclosed once obtained by a covered entity. HIPAA also does not prevent an individual from volunteering or disclosing their own health information to any requesting party.
Further, HIPAA does not apply to employment records, including those held by covered entities when acting as the employer. Thus, HIPAA does not regulate what information can be shared, or can be required to be shared, by an employee with their employer. It also does not regulate what information can be requested by an employer as a condition of employment. Finally, HIPAA does not address how the information obtained in the employment context may be used and/or disclosed by the employer; provided, however, that other employment-related state and federal laws may address such issues.
Consequently, HIPAA would not prevent an employer from inquiring about the COVID-19 vaccination status of its workforce, or even requiring proof thereof to satisfy a vaccine mandate. HIPAA would also not regulate how the COVID-19 vaccination status was used and/or disclosed by the employer once obtained in the employment context. However, HIPAA would prevent a healthcare provider, a covered entity governed by HIPAA, from disclosing to an employer whether or not an employee/patient had been vaccinated without the employee's/patient's written authorization. Such authorization must be HIPAA-compliant.
The OCR guidance related to HIPAA and COVID-19 vaccination information in the workplace is available at https://www.hhs.gov/about/news/2021/09/30/ocr-issues-guidance-on-hipaa-covid-19-vaccinations-workplace.html.
Kelli Fleming is a Partner at Burr & Forman practicing exclusively in the firm's healthcare practice group. Kelli may be reached at (205) 458-5429 or email@example.com.