HIPAA has become a hot topic of conversation during the COVID-19 pandemic...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.
When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual.
Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.
The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.
HIPAA and COVID-19 Vaccination
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:
[T]he Privacy Rule does not regulatethe ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI)(e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
As further explained in the Guidance, the Privacy Rule also does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”
Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.
“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”
Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.
Key Takeaway
COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
Commercial Zoning: What Every Business Owner Needs to Know
If you operate a business, you need to understand how commercial zoning rules may impact you. For instance, zoning regulations can determine how you can develop a property and what type of activities your business can conduct. To ensure that you aren’t taken by surprise, it is always a good idea to consult with experienced […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Debunking Widespread Misconceptions About HIPAA and COVID-19
Author: Scarinci Hollenbeck, LLC
HIPAA has become a hot topic of conversation during the COVID-19 pandemic...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.
When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual.
Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.
The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.
HIPAA and COVID-19 Vaccination
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:
[T]he Privacy Rule does not regulatethe ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI)(e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
As further explained in the Guidance, the Privacy Rule also does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”
Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.
“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”
Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.
Key Takeaway
COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
