There has been a lot of confusion about whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation, specifically in relation to employers asking their employees to provide proof of being vaccinated against COVID-19 to avoid wearing a face mask in the workplace.
The Health Insurance Portability and Accountability Act (HIPAA) includes provisions related to privacy and uses and disclosures of protected health information (PHI), which includes an individual’s vaccination status. The HIPAA Privacy Rule limits uses and disclosures of individuals’ PHI to those required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing before their PHI can be used or disclosed. So how does HIPAA relate to requests for proof of vaccine status?
HIPAA and Proof of Vaccine Status
Vaccination information is classed as PHI and is covered by the HIPAA Rules; however, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. If an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation as HIPAA does not apply to employers.
It would also not be a HIPAA violation for an employer to ask an employee’s healthcare provider for proof of vaccination. It would however be a HIPAA violation for the employee’s healthcare provider to disclose that information to their employer, unless the individual had provided authorization to do so.
Just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic to protect other members of the workforce and to refuse entry to the workplace if a mask is not worn.
Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws in some instances, although this would not be a HIPAA violation. It is also possible for states to introduce laws that prohibit employers from asking employees about their vaccine status.
On May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked by reporters whether she had been vaccinated, as she had refused to wear a mask on the House floor. In breach of House rules, several GOP members had refused to wear a mask, even though they had not been vaccinated. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as reporters are not covered by HIPAA.
Disclosure of an Individual’s Vaccine Status by a Healthcare Provider
Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.
Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”
The post Is it a HIPAA Violation to Ask for Proof of Vaccine Status? appeared first on HIPAA Journal.