A MoFo Privacy Minute Q&A (13 October 2021)

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

Question: My company would like to collect COVID-19 vaccination status of its employees and clients. Is this permitted under HIPAA?

Answer: Yes. HIPAA does not prohibit businesses from requesting—or even requiring, in the case of employees—individuals to provide their vaccination status, for the COVID-19 and other vaccines.

As a general matter, the HIPAA Privacy Rule applies only to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates. HIPAA does not apply to employers or employment records, including employment records held by covered entities or business associates.

Accordingly, HIPAA would not prohibit an employer from requiring or requesting that employees:

1. disclose whether they have a received a COVID-19 vaccine;
2. provide documentation of a COVID-19 vaccine; or
3. wear a mask while in the employer’s facility or on the employer’s property.

However, an important distinction to make is that if an employer is receiving COVID-19 vaccination information from an employee’s health care provider that is a covered entity, then the disclosure of that information is subject to HIPAA and would require the covered entity to obtain the employee’s authorization for disclosure. While HIPAA doesn’t regulate an individual’s disclosure of his/her health information, it does regulate how covered entities may disclose an individual’s protected health information to third parties. Although there are certain HIPAA exceptions that permit covered entities to disclose an individual’s vaccination information without first obtaining their authorization (e.g., as required by law, or specific to Occupational Safety and Health Administration requirements), generally speaking, the covered entity needs an individual’s authorization prior to disclosing any protected health information.

We note that while employers, including those that are covered entities and their business associates, are permitted to collect, use, and disclose their employees’ vaccination status under HIPAA (including as a condition of employment), such activities would generally be subject to other laws, including Title I of the Americans with Disabilities Act, which requires that employers keep medical information confidential and separate from personnel files.

For more information regarding HIPAA’s applicability to COVID-19 vaccination information and the workplace, including additional examples, please refer to the Department of Health and Human Services Office for Civil Rights’ recently issued guidance for an overview of permitted activities.

Visit our Privacy + Data Security page to view the entire A MoFo Privacy Minute Series or for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the GDPR.