HIPAA has become a hot topic of conversation during the COVID-19 pandemic...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.
When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual.
Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.
The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.
HIPAA and COVID-19 Vaccination
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:
[T]he Privacy Rule does not regulatethe ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI)(e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
As further explained in the Guidance, the Privacy Rule also does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”
Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.
“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”
Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.
Key Takeaway
COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Corporate Consolidation and Antitrust Issues in Mergers
Corporate consolidation involves two or more businesses merging to become a single larger entity. The result is often a stronger and more competitive company that can better navigate today’s competitive marketplace. What Is Corporate Consolidation? Corporate consolidation closely resembles a basic merger transaction. The primary difference is that a consolidation creates an entirely new business […]
Business law plays a critical role in nearly every aspect of running a successful enterprise, from negotiating a commercial lease to drafting employee policies to fulfilling corporate disclosure obligations. Understanding what is business law and your legal obligations can help your business run smoothly and build productive relationships with clients, business partners, regulators, and others. […]
Corporate Transactions: Best Practices for Successful Deals
Corporate transactions can have significant implications for a corporation and its stakeholders. For deals to be successful, companies must act strategically to maximize value and minimize risk. It is also important to fully understand the legal and financial ramifications of corporate transactions, both in the near and long term. Understanding Corporate Transactions The term “corporate […]
How to Conduct a Fair and Legal Employee Termination in 2025
Ongoing economic uncertainty is forcing many companies to make tough decisions, which includes lowering staff levels. The legal landscape on both the state and federal level also continues to evolve, especially with significant changes to the priorities of the Equal Employment Opportunity Commission (“EEOC”) under the Trump Administration. Terminating an employee is one of the […]
Admin Dissolution for Annual Report: What You Need to Know
While filing annual reports may seem like a nuisance, failing to do so can have significant ramifications. These include fines, reputational harm, and interruption of your business operations. In basic terms, “admin dissolution for annual report” means that a company is dissolved by the government. This happens because it failed to submit its annual report […]
Antitrust laws are designed to ensure that businesses compete fairly. There are three federal antitrust laws that businesses must navigate. These include the Sherman Act, the Federal Trade Commission Act, and the Clayton Act. States also have their own antitrust regimes. These may vary from federal regulations. Understanding antitrust litigation helps businesses navigate these complex […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
