Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

Debunking Widespread Misconceptions About HIPAA and COVID-19

Author: Scarinci Hollenbeck, LLC

Date: November 8, 2021

Key Contacts

Back

HIPAA has become a hot topic of conversation during the COVID-19 pandemic...

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.

When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual.

Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.

The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.

HIPAA and COVID-19 Vaccination

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:

[T]he Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.

As further explained in the Guidance, the Privacy Rule also does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”

Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.

“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”

Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.

Key Takeaway

COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
Corporate Transactions: Best Practices for Successful Deals post image

Corporate Transactions: Best Practices for Successful Deals

Corporate transactions can have significant implications for a corporation and its stakeholders. For deals to be successful, companies must act strategically to maximize value and minimize risk. It is also important to fully understand the legal and financial ramifications of corporate transactions, both in the near and long term. Understanding Corporate Transactions The term “corporate […]

Author: Dan Brecher

Link to post with title - "Corporate Transactions: Best Practices for Successful Deals"
How to Conduct a Fair and Legal Employee Termination in 2025 post image

How to Conduct a Fair and Legal Employee Termination in 2025

Ongoing economic uncertainty is forcing many companies to make tough decisions, which includes lowering staff levels. The legal landscape on both the state and federal level also continues to evolve, especially with significant changes to the priorities of the Equal Employment Opportunity Commission (“EEOC”) under the Trump Administration. Terminating an employee is one of the […]

Author: Angela A. Turiano

Link to post with title - "How to Conduct a Fair and Legal Employee Termination in 2025"
Admin Dissolution for Annual Report: What You Need to Know post image

Admin Dissolution for Annual Report: What You Need to Know

While filing annual reports may seem like a nuisance, failing to do so can have significant ramifications. These include fines, reputational harm, and interruption of your business operations. In basic terms, “admin dissolution for annual report” means that a company is dissolved by the government. This happens because it failed to submit its annual report […]

Author: Dan Brecher

Link to post with title - "Admin Dissolution for Annual Report: What You Need to Know"
What Is Antitrust Litigation Law? post image

What Is Antitrust Litigation Law?

Antitrust laws are designed to ensure that businesses compete fairly. There are three federal antitrust laws that businesses must navigate. These include the Sherman Act, the Federal Trade Commission Act, and the Clayton Act. States also have their own antitrust regimes. These may vary from federal regulations. Understanding antitrust litigation helps businesses navigate these complex […]

Author: Robert E. Levy

Link to post with title - "What Is Antitrust Litigation Law?"
Dissolving Your Business: Essential Legal Steps to Protect Your Interests post image

Dissolving Your Business: Essential Legal Steps to Protect Your Interests

If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]

Author: Christopher D. Warren

Link to post with title - "Dissolving Your Business: Essential Legal Steps to Protect Your Interests"
The Role of Corporate Restructuring in Mergers & Acquisitions post image

The Role of Corporate Restructuring in Mergers & Acquisitions

Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]

Author: Dan Brecher

Link to post with title - "The Role of Corporate Restructuring in Mergers & Acquisitions"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!