Are you Breaching HIPAA if you ask an Employee if they had a COVID Vaccine?

Recently there has been a lot of discussion in relation to employers asking their staff if they have had their COVID-19 vaccine and whether enquiring about this is actually a breach of HIPAA.

Included provisions of the Health Insurance Portability and Accountability Act (HIPAA) that deal with privacy and sharing protected health information (PHI) can be applied to an individual’s vaccination status. The HIPAA Privacy Rule restricts uses and sharing of individuals’ PHI. This is only allowable in relation to treatment, payment, or healthcare operations. Anything not included here can only be completed in consent has been provided by the individual in writing prior to the PHI being shared or accessed.

Proof of Vaccine Status & HIPAA

As it is classified as PHI, vaccination information is governed by the HIPAA Rules; however, HIPAA is only applicable to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates.

For example, if a company deemed that a staff member must provide evidence that they have been administered with a COVID-19 vaccine in order to carry out their work duties without wearing a mask it would not be deemed a HIPAA violation as HIPAA does not apply to employers. Using the same logic, it cannot be deemed breach of HIPAA violation if an employer requests an employee’s healthcare provider for proof of vaccination. However, unless the individual in question has provided authorization for this information to be shared the employee’s healthcare provider would be breaching HIPAA to disclose it.

So a request submitted for the information if not a HIPAA breach but sharing this information must be completed in a HIPAA compliant manners.

It is possible for employers to breach HIPAA in other ways related to this. For example, if any employee could not be vaccinated for health reasons and there is an additional enquiry as to why this is the case then that would represent a HIPAA breach by the employer.

Healthcare Providers Sharing an Individual’s Vaccine Status

Another situation where authorizations are not required are when vaccine status information is required for “public health activities.” This means that sharing is allowed to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not restricted limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”

It is permissible for Healthcare providers to enquire if a patient has been vaccinated as asking the question is not a breach of HIPAA. The healthcare provider may also disclose vaccine status information with another covered entity or business associate, as long as this is in line with the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if permission to do so has been provided by a patient.