In the best of times, people can get confused about what is (and is not) a HIPAA violation.  In pandemic times, with misinformation running rampant, we see it even more. Statements such as, “My manager wants to know if I got a COVID vaccine.  That’s a HIPAA violation!” and “HIPAA means you can’t ask me whether or not I’m vaccinated” are becoming more common.

Let’s begin with some information about HIPAA so we can better understand how this protective measure works.

HIPAA is the acronym for the Health Insurance Portability and Accountability Act.  It was first signed into law in 1996 and was meant to “improve the portability and accountability of health insurance coverage” for anyone between jobs (so you didn’t lose the ability to obtain health insurance if you lost your job). In 2003, the privacy rule was implemented to protect individuals’ medical records and other personal health information, including protected health information (PHI). This meant that health providers were educated and required to protect the health information of their patients within strict guidelines.  The privacy rule also gave patients new rights over their healthcare data (i.e., the right to obtain their own information, make changes when needed, and prevent details from being disclosed to insurers).

HIPAA only applies to covered entities, including health plans, healthcare providers, and healthcare clearinghouses.  Therefore, if your business is a restaurant, asking your wait staff if they have been vaccinated is not a HIPAA violation. That said, we do want to be cautious about inadvertently revealing a potential ADA/disability situation, and, in some cases, HIPAA might be a concern. If you are going to make vaccine-related inquiries, make sure they are strictly related to the job the employee performs or are asked out of business necessity only.

Here are some helpful tips to avoid a potential violation:

  1. You may ask your employee, “Have you received the vaccine?” If the answer is no, do not ask your employee why they haven’t received the vaccine.
  2. If you are providing the vaccine as part of a HIPAA-covered health plan or wellness program, the employee will need to sign an authorization for you (employer) to receive the vaccine information from the provider.
  3. If you provide the vaccine as a work safety public health measure, outside of the company health plan, then vaccine cards can be shared with the employer, by the employee, without HIPAA oversight.
  4. If the employee goes out on their own and gets the vaccine and shares that information with you, that is their choice of disclosure and no violations have occurred.

Regardless of the method by which you receive information regarding your employee’s vaccination status, such information should be treated as private information and not shared with others in the company, unless their position requires that knowledge.

We realize that not all situations can be covered in an article like this.  Members with questions about their obligations under HIPAA or any other employment law should contact a member of our team of HR and legal professionals to discuss.