HIPAA has become a hot topic of conversation during the COVID-19 pandemic...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become a hot topic of conversation during the COVID-19 pandemic. Given that there are many misconceptions, it is important for businesses to understand how HIPAA’s Privacy Rule works and what types of health information are protected.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It does not apply to all businesses, but only “covered entities,” such as health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Accordingly, employers are not generally covered.
When it does apply, the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of “individually identifiable health information,” which is defined as information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual.
Notably, the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.
The goal of HIPAA’s Privacy Rule is to establish limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients certain rights over their health information, including rights to examine and to obtain a copy of their health records and to request corrections.
HIPAA and COVID-19 Vaccination
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued new guidance regarding when and how HIPAA applies to uses and disclosures of COVID-19 vaccination-related information (Guidance). To start, the guidance addresses a common misconception about whether businesses can ask employees and customers about their vaccination status, clarifying that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. As the guidance explains:
[T]he Privacy Rule does not regulatethe ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI)(e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit. Thus, the Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.
As further explained in the Guidance, the Privacy Rule also does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.
The Guidance also addresses whether the Privacy Rule prevents an individual from disclosing whether that individual has been vaccinated against COVID-19 or any other disease. “The Privacy Rule does not apply to individuals’ disclosures about their own health information. It applies only to covered entities and, to some extent their business associates,” the Guidance states. “Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.”
Another area where HIPAA-related COVID-19 vaccine questions arise is mandatory workplace disclosures. As set forth in the Guidance, the HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties, even if they are covered entities under the law.
“The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers,” OCR advises. “Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.”
Additionally, the Guidance provides that the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:
Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.
Finally, the Guidance addresses situations where HIPAA does apply. Most notably, the Privacy Rule generally would prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties.
Key Takeaway
COVID-19 vaccination continues to be a controversial issue. For businesses, it is imperative to thoroughly understand your legal rights and obligations. To boost compliance and avoid unintended liability, it is always advisable to work with experienced counsel when drafting and implementing any COVID-19 policies, including those governing vaccination.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Jorge R. de Armas or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Non-disclosure agreements (NDAs) remain a critical tool for protecting sensitive business information. However, New York NDA requirements have evolved, and businesses must ensure these agreements are carefully drafted to remain enforceable. In a competitive market like New York City, NDAs are commonly used to protect proprietary information, client relationships, and strategic plans. At the same […]
How Courts Evaluate Testamentary Capacity and Undue Influence Will contests in New Jersey are difficult to win, given the strong presumption that a properly executed will reflects the testator’s intent. However, challenges based on lack of testamentary capacity and undue influence remain common, particularly where there are concerns about mental capacity or the involvement of […]
Bringing on outside investors can provide the capital and strategic support a business needs to grow. However, raising capital also introduces important legal, financial, and operational considerations. Before bringing on investors, businesses should address key legal issues to reduce risk, streamline investor due diligence, and position the company for long-term success. Early preparation signals that […]
How the Updated Law Shapes Retirement and Estate Planning The SECURE 2.0 Act of 2022 materially reshapes the required minimum distribution (RMD) landscape, extending tax deferral opportunities while accelerating distribution requirements for many beneficiaries. For high-net-worth individuals and families, these changes are not merely technical. They require a reassessment of retirement income strategies, beneficiary planning, […]
Buying Commercial Property in New Jersey: Legal Guide for Small Businesses
Small businesses considering buying commercial property in New Jersey must evaluate a range of legal, financial, and operational factors. While ownership can offer long-term value and control, it also introduces significant risks if not properly structured. This guide outlines key considerations to help New Jersey business owners make informed decisions, minimize legal exposure, and successfully […]
The SEC’s Latest Guidance on Applying Federal Securities Laws to Tokenized Securities
On January 28, 2026, staff of the U.S. Securities and Exchange Commission’s Divisions of Corporation Finance, Investment Management, and Trading and Markets issued a joint statement clarifying how existing federal securities laws apply to tokenized securities. The SEC’s “Statement on Tokenized Securities” does not establish new law, but it does provide greater clarity on the […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
