HHS Clarifies Applicability of HIPAA Privacy Rule to COVID-19 Vaccination Status Requests
The U.S. Department of Health and Human Services (HHS) has released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.
HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most health care providers, and their business associates (those who obtain protected health information in performing services for a covered entity). The Privacy Rule does not apply to other individuals and entities.
Employers, schools, stores, restaurants, and many others may request that an individual disclose whether they have been vaccinated without violating the Privacy Rule. Thus, schools may request students to disclose their vaccination status. Businesses may request that information from their patrons. Employers may request that information from their employees. None of these requests violates HIPAA’s Privacy Rule. However, these entities must comply with other applicable state and federal laws that restrict the design and implementation of COVID-19 vaccination requirements or that impose requirements on the maintenance and storage of information related to individuals’ vaccination status.
If an organization is a covered entity (such as a health care provider) or a business associate, it will generally be treated like other organizations when acting as an employer. For example, a hospital may request information about the vaccination status of an employee. When the organization acts as a covered entity or business associate, it may still collect vaccination information. For example, doctors may collect that information from their patients (and the patients may provide it). But the organization will be subject to HIPAA in its handling of the information. As a result, a covered entity may disclose an individual’s vaccination status only if it is expressly permitted or required by the Privacy Rule or if the disclosure is authorized by the individual.
The guidance describes certain situations when disclosure is permitted without authorization. For example, a health care provider may disclose an individual’s vaccination status to a health plan for payment or to a public health authority or vaccine manufacturer to report appropriately on the quality, safety, or effectiveness of the COVID-19 vaccine. In certain situations, as when an employer engages a health care provider to assist in medical surveillance of its workplace pursuant to OSHA requirements, a health care provider may disclose an individual’s vaccination status to the employer, although even then the individual must be notified of the disclosure.
If the disclosure is not expressly permitted by the Privacy Rule, a health care provider may not disclose an individual’s vaccination status without written authorization. For example, a health care provider could not generally disclose an individual’s vaccination status to entertainment and sporting venues, airlines, cruise ships, resorts, or hotels, although those businesses may ask individuals for this information, and individuals may provide it.
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.