HIPAA, COVID-19 Vaccination, and the Workplace – Commonly Asked Questions

HIPAA is often bandied about as the reason an employer or manager cannot do something, such as ask about vaccine status. The HIPAA Privacy Rule is limited. It only applies to health plans, healthcare clearinghouses, healthcare providers, and to some extent their business associates.

The HIPAA Privacy Rule does not apply to most businesses unless they are in the healthcare field or have access to patient information for those healthcare businesses.

Here are the answers to the most frequently asked questions concerning HIPAA, COVID-19, and the workplace:

1. Does the HIPAA Privacy Rule prevent businesses or individuals from asking if their customers or clients have been vaccinated against COVID-19?

No. The Privacy Rule does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.

  • Asks another individual, their doctor, or a service provider whether they are vaccinated.

  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

2. Does the HIPAA Privacy Rule prohibit customers or clients of a business from disclosing if they have received a COVID-19 vaccine?

No. The Privacy Rule does not prevent any individual from disclosing their vaccination status. The Privacy Rule does not apply to individuals’ disclosures about their own health information.

3. Does the HIPAA Privacy Rule prohibit an employer from requiring an employee to disclose whether they have received COVID-19 vaccination to the employer, customers, or others?

No. The Privacy Rule does not apply to employment records, including employment records held by healthcare providers or business associates in their capacity as employers. For the most part, the Privacy Rule does not govern what information can be requested from employees as part of the terms and conditions of their employment.

4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

No. The Privacy Rule does not prohibit a business, whether it is a healthcare provider or not, from requiring or requesting each employee to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.

  • Sign a HIPAA authorization for a covered health care provider to disclose the employee’s COVID-19 or varicella vaccination record to their employer.

  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.

  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

5. Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including if they have received COVID-19 vaccination, to the individual’s employer or other parties?

Yes, in general. Some situations require the doctor’s office to obtain written permission from the individual before disclosing vaccination status or other information to parties such as:

  • A sports arena or entertainment purveyor.

  • A hotel, resort, or cruise ship.

  • An airline or car rental agency.

If you are an employer who is not in the healthcare field, and your employees or visitors claim you are in violation of HIPAA by asking any of these questions, you may need to educate them as to why HIPAA does not apply. Your HR staff or labor attorney are there to help.

To learn more about the Privacy Rule and its application, visit https://www.hhs.gov/hipaa/for-individuals/index.html.