On September 30, 2021, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received the COVID-19 vaccine.
The guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. The guidance questions and answers include the following example:
Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
No. The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. The Privacy Rule applies only to covered entities and to some extent, their business associates. Additionally, the Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) that covered entities and business associates create, receive, maintain, or transmit. Therefore, the Privacy Rule does not prohibit a covered entity or business associate from asking whether an individual has received a particular vaccine, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual's vaccination status.
Examples of when the Privacy Rule does NOT apply include when an individual:
- Is asked about his or her vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
- Asks another individual, their doctor, or a service provider whether they are vaccinated.
- Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Other state and federal laws address whether individuals are required to disclose if they have received a vaccine under certain circumstances.
The OCR Director, Lisa Pino, stated, "We are issuing this guidance to help consumers, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19."
The Guidance may be accessed at: HIPAA, COVID-19 Vaccination, and the Workplace | HHS.gov.
Issue:
It is essential that all healthcare workers understand HIPAA, the Privacy Rule, and the guidance for requesting COVID-19 vaccine status. The Privacy Rule allows access to information needed to ensure high quality healthcare for patients/residents, and facilities must promptly provide requested information to authorized individuals. All staff members must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0, Privacy Policy and Procedure.
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and timely response to requests from authorized individuals.
- Train all staff on HIPAA, PHI, and Privacy, including responding to requests for records in a timely manner, at a minimum upon hire and annually. Document that these trainings occurred and file the signed training document in the employees' education files.
- Periodically audit to ensure that facility policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.