OCR Clarifies HIPAA Rules Surrounding Vaccination Status

October 04, 2021 - The COVID-19 pandemic and vaccine rollout have brought HIPAA into the spotlight, but many Americans continue to misunderstand how HIPAA relates and does not relate to vaccination status. As a result, HHS’ Office for Civil Rights (OCR) recently released guidance clarifying what health information HIPAA protects and who it applies to.

HIPAA applies strictly to covered entities, defined as health plans, healthcare clearinghouses, and healthcare providers. OCR emphasized that despite common misconceptions, the HIPAA Privacy Rule does not prohibit any individual, business, or HIPAA covered entity from asking whether an individual has received a vaccine.

The rule also does not regulate a covered entity’s ability to request such information from patients and visitors. The rule simply regulates how and when covered entities and business associates are allowed to use and share the protected health information (PHI)that those covered entities create, maintain, receive, or transmit.

“Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status,” OCR explained.

The HIPAA Privacy Rule does not apply when an employer, school, store, restaurant, or entertainment venue asks about one’s vaccination status. Individuals are allowed to ask other people, including their own healthcare providers, whether they are vaccinated.

Additionally, the rule does not apply to employment records, including records held by covered entities. Regulating what information can be requested as terms and conditions of employment is not in the scope of HIPAA.

“However, other federal or state laws do address terms and conditions of employment,” OCR clarified.  “For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.”

Since the rule only applies to the covered entities themselves, an individual who discloses their vaccination status to anyone does not fall under HIPAA protection.

HIPAA does not prohibit a covered entity from requiring its employees to wear a mask, disclose whether they have received a COVID-19 vaccine, or provide vaccination documentation to their employer.

However, the rule generally does prohibit covered entities from disclosing a patient’s PHI unless the individual gives consent. The rule does allow covered entities to disclose PHI for certain purposes. For example, a covered pharmacy can tell a public health agency whether an individual has received a COVID-19 vaccine.

"We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," Lisa Pino, OCR’s recently appointed director, explained in a press release.

The HIPAA Privacy Rule is complex, but it is not as broad as many people believe it to be. As a result, patients and providers must be aware of HIPAA’s function in the healthcare sector.