Enforcement Edge
October 21, 2021

OCR Issues Guidance on the HIPAA Privacy Rule’s Applicability to Workplace Scenarios Involving COVID-19 Vaccination Status

Enforcement Edge: Shining Light on Government Enforcement

The US Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued guidance on how the privacy regulations that OCR promulgated under the Health Insurance Portability and Accountability Act of 1996 (the HIPAA Privacy Rule) apply to requests for and disclosures of an individual’s COVID-19 vaccination status. The guidance creates no new requirements; rather, it provides answers to commonly posed questions relating to vaccination status as relevant to workplace scenarios. As OCR stated in its press release, “this guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records,” and thus should alleviate concerns among employers that their access to and use of vaccination status information is restricted by the HIPAA Privacy Rule. As employers across the country are grappling with how to handle new vaccination mandates, OCR believes the guidance will help ensure that consumers, employers, and healthcare industry members “have the information they need to make informed decisions about protecting themselves and others from COVID-19.”

The guidance emphasizes the limited scope of the Privacy Rule, which protects the privacy of individually identifiable health information (protected health information or PHI): The Rule applies only to group health insurance plans, certain health care providers, health care “clearinghouses,” and “business associates” of those three types of “covered entities.” The Rule does not apply to employers, stores, schools, entertainment venues, or restaurants, and thus does not restrict an employer’s actions with respect to PHI that is part of employment records. That limited application is true even if the employer is a covered health care provider or other HIPAA covered entity, to the extent it is acting in its capacity as an employer. So a covered entity’s actions with respect to a COVID test result, for example, while generally strictly regulated under the Privacy Rule, are not limited by the Privacy Rule with regard to its employees or otherwise in the employment context. For example, the Privacy Rule does not prohibit employers from requiring a workforce member to disclose whether they have received a COVID-19 vaccine or a positive COVID test result (although other federal and state laws might impose certain restrictions on such a requirement).

As the guidance notes, the Privacy Rule generally prohibits a doctor’s office from disclosing whether an individual has received a COVID-19 vaccination or a COVID-19 test result (information that is PHI) without obtaining a written authorization from the individual. There are exceptions, however, such as when a laboratory is required to report a positive COVID-19 test result to the Centers for Disease Control or a pharmacy or physician needs to disclose an individual’s vaccination status to the individual’s health plan as necessary to obtain payment for providing a COVID-19 vaccine.

The guidance also reminds covered entities that they can disclose vaccination information to employers without an individual’s authorization where the entity is providing health care to that individual at the employer’s request, if that request relates to medical surveillance of the workplace or an evaluation of whether the individual has a work-related illness or injury, provided several conditions are met. These conditions include, among other things, that the employer needs the findings of such an evaluation to comply with obligations under certain legal authorities including the Occupational Safety and Health Administration (OSHA).

The guidance should be particularly helpful for businesses and health care entities considering return-to-office plans and policies. At a time when misinformation and misconceptions proliferate around COVID-19 vaccines and rules related to them, businesses and health care entities should find OCR’s guidance a reliable source of clear direction on what to be concerned about—and not concerned about—when addressing COVID-related HIPAA-compliance issues. And by clarifying the parameters of the Privacy Rule’s applicability, the guidance should be helpful in reminding HIPAA covered entities of the actions they must take to remain in compliance as well as the actions that might trigger patient complaints to OCR (there is no private right of action under HIPAA), OCR investigations, and potentially, OCR penalties.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.