Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

Written on 05/28/2021
HIPAA Journal




There has been a lot of confusion about whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation, specifically in relation to employers asking their employees to provide proof of being vaccinated against COVID-19 to avoid wearing a facemask in the workplace.

It is not only employers that have been confused about HIPAA and an individual’s vaccine status. On May 18, 2021, Rep. Marjorie Taylor Greene (R-Ga.) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor. In breach of House rules, several GOP members had refused to wear a mask, even though they had not been vaccinated. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct, as HIPAA does not apply in such situations.

The Health Insurance Portability and Accountability Act (HIPAA) includes provisions related to privacy and the allowable uses and disclosures of protected health information (PHI), which includes an individual’s vaccination status. The HIPAA Privacy Rule limits uses and disclosures of individuals’ PHI to those required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing. So how does HIPAA relate to requests for proof of vaccine status?

HIPAA and Proof of Vaccine Status

Vaccination information is classed as PHI and is covered by the HIPAA Rules; however, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. If an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation as HIPAA does not apply to most employers.

It would also not be a HIPAA violation for an employer to ask an employee’s healthcare provider for proof of vaccination. It would however be a HIPAA violation for the employee’s healthcare provider to disclose that information to their employer, unless the individual had provided authorization to do so.

Just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic. They are also within their rights to refuse entry to the workplace if a mask is not worn to protect other members of the workforce.

Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws in some instances, although this would not be a HIPAA violation. It is also possible for states to introduce laws that prohibit employers from asking employees about their vaccine status.

The Equal Employment Opportunity Commission (EEOC) recently issued advice for employers to help them avoid any potential violations of anti-discrimination laws, such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), and confirmed that “there’s no indication that there’s any federal law that would be violated by the employer asking this question.”

While employers can ask the question about whether an employee has been vaccinated, care should be taken when asking any follow-up questions, such as why an employee has not been vaccinated. “There are many reasons that may explain why an employee has not been vaccinated, which may or may not be disability-related. Simply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry,” explained the EEOC. “However, subsequent employer questions, such as asking why an individual did not receive a vaccination, may elicit information about a disability and would be subject to the pertinent ADA standard that they be ‘job-related and consistent with business necessity.’”

Disclosure of an Individual’s Vaccine Status by a Healthcare Provider

Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.

Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”