HIPAA Law and Your COVID Vaccination Status


Here at ETHIX360, and I’m sure for most of you, we are trying to return to “normal.”  I’m not really sure I could precisely define “normal” in the context of reopening businesses, and frankly the world, post-COVID and the pandemic, but I do know that it will include going back to work, kids going back to school, taking trips, going to restaurants, and celebrating holidays with families and friends.

The elephant in the room for most of these is personal safety – masks, vaccines, social distancing, comprehensive sanitizing procedures, etc. I'll make no attempt to talk about each one in this week's blog, but I will offer thoughts on one that I think is largely misunderstood – the belief that HIPAA regulations prevent your employer from asking you if you have been fully vaccinated against COVID. Simply put, they don't.

I saw a member of Congress recently tweet, “Vax records, along with ALL medical records are private due to HIPPA rights.”  A couple of things on this tweet, the first being that it’s HIPAA, not HIPPA.  Secondly, this is just not true.

HIPAA Law and COVID-19

I know the majority of our readers are ethics, compliance, and HR professionals and have a deep understanding of HIPAA, but for the rest, let’s start with a primer:

What is HIPAA?

HIPAA, also known as the Health Insurance Portability and Accountability Act of 1996, and its subsequently added Privacy Rule include provisions to protect a person’s identifying health information from being shared without their knowledge or consent. The law, though, only applies to specific health-related entities, such as insurance providers, health care clearinghouses, health care providers, and their business associates.

According to the U.S. Department of Health and Human Services (HHS), a “Covered Entity” must receive, directly or through another entity, federal financial assistance from the HHS. Some of these might be:

  • State and local government agencies that are responsible for administering health care

  • State and local government income assistance and human service agencies

  • Hospitals

  • Medicaid and Medicare Providers

  • Physicians and other health care professionals in private practice with patients assisted by Medicaid

  • Family Health Centers

  • Community Mental Health Centers

  • Alcohol and Drug Treatment Centers

  • Nursing Homes

  • Foster Care Homes

  • Public And Private Adoption and Foster Care Agencies

  • Day Care Centers

  • Senior Citizen Centers

  • Nutrition Programs

  • Any entity established under the Affordable Care Act

Nowhere on the list are private employers.  Simply put, your employer does have the right to ask you if you have been vaccinated or not. Experts almost universally agree that there are very few, if any, situations in which businesses, airlines, employers, schools, and even those covered by HIPAA are prohibited from asking you to share your vaccination status or show your vaccine record card. It is not a limitation on asking – it is a limitation on sharing.

A HIPAA violation would occur if your employer called your doctor to ask if you had been vaccinated and your doctor gave them any information.  In that case, your doctor would be guilty of a HIPAA violation for sharing your PHI (Personal Health Information).

This takes us to the next logical question: can you refuse to tell your employer whether or not you’ve been vaccinated?  Now that we’ve discussed that HIPAA law is not a standard to protect you in this regard, contrary to Congresswoman Greene’s uninformed tweet, saying no can have consequences determined solely by your employer.   I expect that businesses will treat people who refuse to answer in the same way that they treat individuals who have not been vaccinated.

What aren’t employers allowed to ask?

There is, of course, some nuance as well. Although HIPAA regulations might not apply to an employer, the employer may violate the Americans with Disabilities Act or the Genetic Information Nondiscrimination Act if their attempt to find out why a worker didn’t get vaccinated could elicit information about a disability. Employers would not be violating these laws as long as they were careful about what vaccination-related questions they asked. 

In a December guidance, the Equal Employment Opportunity Commission, which enforces federal workplace anti-discrimination laws, essentially confirmed that there’s no indication that there’s any federal law that would be violated by the employer asking about an employee’s vaccination status or even requiring workers and customers to be vaccinated. In fact, they only addressed the possibility of vaccination requirements violating Title II of the ADA, suggesting this is the only instance when requiring vaccinations may be considered discriminatory against anyone eligible for a medical or religious exemption. The EEOC stated: 

“Simply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.  However, subsequent employer questions, such as asking why an individual did not receive a vaccination, may elicit information about a disability and would be subject to the pertinent ADA standard that they be “job-related and consistent with business necessity.”  If an employer requires employees to provide proof that they have received a COVID-19 vaccination from a pharmacy or their own health care provider, the employer may want to warn the employee not to provide any medical information as part of the proof in order to avoid implicating the ADA.”

Now that we've established the legality of it all, get ready for some awkward conversations! I would recommend that you be clear about why you are asking about someone's vaccination status when you ask. When your employer is asking (or the restaurant owner, shopkeeper, or car service driver, for that matter), it should be obvious that they are asking because a novel virus has caused a global pandemic and they have an obligation to provide a safe environment for their employees, customers, or patrons.

 



MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.


ABOUT ETHIX360

At ETHIX360, our goal is simple: to provide an affordable, flexible, and comprehensive answer to employee communication, policy management, corporate training and case management on issues related to corporate ethics, code of conduct, fraud, bribery, and workplace violence.
