Posted By HIPAA Journal on May 25, 2021

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation.

The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as HIPAA does not apply in such situations.

It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintain social distancing, or self-isolate after exposure to an infected person may also be a violation of HIPAA.

HIPAA and Its Purpose

The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

Personal details such as whether or not an individual has been vaccinated against COVID-19 comes within the “provision of care” classification of health information that should be protected when it can be combined with other personal details (i.e., name, social security number, etc.) that can identify the individual. Protected health information is commonly referred to as PHI.

The HIPAA Privacy Rule limits uses and disclosures of individuals’ PHI to uses and disclosures required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing. However, HIPAA only applies to certain organizations and businesses. So how does HIPAA relate to requests for proof of vaccine status?

HIPAA and Proof of Vaccine Status

Vaccination information is classed as PHI and is covered by the HIPAA Rules. However, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. If an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation as HIPAA does not apply to most employers.

It would not be a HIPAA violation for an employer to ask an employee’s healthcare provider for proof of vaccination. It would however be a HIPAA violation for the employee’s healthcare provider to disclose that information to the employer unless the individual had provided authorization to do so. If an employer is running their own vaccination program and an employee chooses to have their vaccine privately, that individual may have to authorize their healthcare provider to disclose certain information about their vaccine to their employer as proof that they have been vaccinated.

Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws. Furthermore, several states have passed laws – or are considering laws – that prohibit employers in the public sector from asking employees about their vaccine status.

Compliance with Other Federal, State, and International Laws

The Equal Employment Opportunity Commission (EEOC) recently issued advice for employers to help avoid any potential violations of anti-discrimination laws, such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). The EEOC confirmed “there’s no indication that there’s any federal law that would be violated by the employer asking this question.”

While employers can ask the question about whether an employee has been vaccinated, care should be taken when asking follow-up questions, such as why an employee has not been vaccinated. “There are many reasons that may explain why an employee has not been vaccinated, which may or may not be disability-related. Simply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.”

“However,” continued the EEOC “subsequent employer questions, such as asking why an individual did not receive a vaccination, may elicit information about a disability and would be subject to the pertinent ADA standard that they be ‘job-related and consistent with business necessity.’” The same advice can also relate to state laws such as California´s Privacy Rights Act and to international privacy laws such as the EU´s General Data Protection Regulation (GDPR).With regards to other federal and international laws, organizations are free to ask employees if they have been vaccinated against COVID-19. However, how employees´ answers are recorded and protected against unauthorized use and disclosure – or used to impact employee benefits, roles, or work experience – determines whether or not the organization is in compliance with the relevant law. In respect of state laws, the picture is frequently changing and organizations are advised to keep up-to-date with potential legislative changes.

Disclosure of an Individual’s Vaccine Status by a Healthcare Provider

Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.

Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”

Asking for Proof of Vaccinations and HIPAA Violations: FAQs

Is it a HIPAA Violation to Ask about COVID Vaccines?

No. Any organization can ask any employee, customer, or relevant third party whether or not they have been vaccinated against COVID-19 without violating HIPAA. However, before asking the question, organizations should be prepared for how they will respond to individuals´ answers, or how they will respond if an individual refuses to answer the question.

Does HIPAA Apply to COVID Vaccines?

Only organizations that are HIPAA Covered Entities or Business Associates are subject to the HIPAA regulations with regards to how information about vaccination statuses is collected, maintained, used, and disclosed. Organizations not covered by HIPAA may be subject to other federal, state, or international laws.

Is It a HIPAA Violation to Ask about Vaccinations?

It is not a HIPAA violation to ask about vaccinations against COVID-19. However, it is advisable for HIPAA-Covered Entities and organizations subject to other privacy protection laws to amend Privacy Policy Notices to ensure individuals know why they are being asked about their vaccination status and how the information will be protected.

Can a Business Ask for Proof of Vaccination?

Subject to state laws, businesses can ask for customers to demonstrate proof of vaccination, but – due to laws such as ADA – cannot flatly refuse to provide a service to the customer if they cannot prove their vaccination status. Instead, if a customer has not been vaccinated or refuses to disclose their vaccination status, businesses can require the customer to wear a mask or can organize an outside delivery of their purchase. If the customer refuses to agree to the compromise, businesses can then refuse to provide a service on health and safety grounds.

Can an Employer Ask for Proof of Vaccination?

Employers have a duty of care under the Occupational Safety and Health Act of 1970 (OSHA) to provide a safe workplace for employees. To fulfill the duty of care, an employer can ask for proof of vaccination against COVID-19 subject to the EEOC guidelines discussed above and state legislation. If an employee is unable or unwilling to provide proof of vaccination, the employer may be entitled to enforce workplace safety policies such as mask wearing or social distancing.

Can an Employee Refuse to Tell their Employer about their Vaccine Status?

Under HIPAA (but not all state laws), employers are permitted to ask employees about their vaccine status, but employees are not required to provide that information to their employer. There could, however, be consequences for failing to provide that information to an employer. An employee who refuses to say whether they have received the COVID-19 vaccine may well be treated in the same way as an individual who has refused the vaccine on non-medical or non-religious grounds.

Can Employers Require Employees to be Vaccinated?

No individual is required to have a vaccine, as they have the choice whether or not to be vaccinated, but there can be consequences for employees who refuse a vaccine on non-medical or non-religious grounds depending on state regulations. However, just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic. They are also within their rights to refuse entry to the workplace if a mask is not worn contrary to a workplace policy in order to protect other members of the workforce or customers.

The Civil Rights Act of 1964 requires employers to provide reasonable accommodations for employees who have strongly held religious beliefs, and the ADA requires employers to provide reasonable accommodations for employees who have an underlying disability under the Civil Rights Act of 1964. Accommodations therefore need to be made for individuals who have refused a vaccine on these grounds.

Could an Employee be Terminated for Refusing to have a COVID-19 Vaccine?

Being terminated for not having the vaccine is a possibility in some states, but employees could potentially take legal action against their employer for wrongful termination. The Food and Drug Administration (FDA) fast-tracked the approval process for COVID-19 vaccines through an Emergency Use Authorization (EUA), otherwise approval of live-saving vaccines would have been delayed.

The EUA requires a drug or vaccine to be accompanied with information for individuals about their right to refuse and to be told about the consequences of such a refusal. The wording of the EUA in this case could be interpreted in different ways, and wrongful termination lawsuits based on the refusal to be vaccinated are a possibility although yet to be tested in the courts.

There is also an issue that could arise if a substantial portion of the workforce refuses the vaccine. An employer would then have to decide whether to terminate all of those employees or none at all. If only certain employees were to be terminated for refusing the vaccine on non-medical or non-religious ground, there could well be valid claims that individuals have been discriminated against.

What is HIPAA Law regarding Vaccine Passports?

HIPAA law regarding vaccine passports is the same as any other proof of vaccination. Only HIPAA Covered Entities and their Business Associates are required to comply with HIPAA. Therefore, if an individual is asked for a vaccine passport by their health plan provider, the health plan provider is subject to HIPAA law. However, if an amusement park operator requests to see a vaccine passport, they are not a HIPAA Covered Entity or Business Associate and therefore not subject to HIPAA law.

Does the same apply with regards to Negative COVID Tests and HIPAA?

Yes. If an employer requests evidence of a negative COVID test before allowing an employee to return to work, or a university requests evidence of a negative COVID test before allowing a student to resume in-person tuition, neither is in violation of HIPAA law provided neither is a HIPAA Covered Entity nor Business Associate.

If an Individual Discloses their Vaccination Status Voluntarily, do they Forgo HIPAA Protections?

No. If an individual voluntarily discloses their vaccination status to a HIPAA Covered Entity or Business Associate, the information they have provided is still protected under the HIPAA Security and privacy Rules. If an individual voluntarily discloses their vaccination status to an entity not covered by HIPAA, the disclosure is not subject to HIPAA Rules.

Which Take Priority – State Vaccination Disclosure Rules or HIPAA Vaccination Disclosure Rules?

For HIPAA Covered Entities and Business Associates, HIPAA takes priority in respect of measures to prevent the unauthorized use or disclosure of PHI unless state laws exist that are at least as protective as HIPAA – for example California´s privacy Rights Act and Texas HB 300.

Why are Some States Introducing their Own Laws about Proof of Vaccination?

Some states have taken the view that, because COVID vaccines do not guarantee 100% protection against the virus, proof of vaccination only demonstrates an individual is less likely to contract and transmit the virus. It is also the case nobody knows for sure how long vaccine-induced immunity lasts. Therefore, it is possible an individual with a vaccine passport can still present a risk of infection.