HIPAA has become a hot topic of conversation during the COVID-19 pandemic...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.
When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual.
Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.
The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.
HIPAA and COVID-19 Vaccination
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:
[T]he Privacy Rule does not regulatethe ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI)(e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
As further explained in the Guidance, the Privacy Rule also does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”
Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.
“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”
Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.
Key Takeaway
COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Breach of Contract Explained: Types and Consequences
Breach of contract disputes are the most common type of business litigation. Therefore, nearly all New York and New Jersey businesses will likely have to deal with a contract dispute at least once. Understanding when to file a breach of contract lawsuit and how long you have to sue for breach of contract is essential […]
How to Dissolve a Corporation in New Jersey: A Step-by-Step Guide
Closing your business can be a difficult and challenging task. For corporations, the process includes formal approval of the dissolution, winding up operations, resolving tax liabilities, and filing all required paperwork. Whether you need to understand how to dissolve a corporation in New York or New Jersey, it’s imperative to take all of the proper […]
Gross Lease vs. Net Lease: Understanding the Key Differences
Commercial leases can take a variety of forms, which is often confusing for both landlords and tenants. Understanding the different types, especially the gross lease structure, is important when selecting the lease that best suits your needs. One key distinction between lease types is how rent is calculated and paid. This article addresses the two […]
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2
Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business
Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
