Myth Buster: Employers, Information on Vaccines and HIPAA | Verrille


With the nation’s continued focus on COVID-19 vaccinations, you may hear information – and misinformation – about your obligations under HIPAA, the federal Health Insurance Portability and Accountability Act. In this segment of Myth Buster, we discuss some common misconceptions about HIPAA and its applicability to employer and employee health information.

Myth: My employees do not have to provide their COVID-19 vaccination status or proof of vaccination status as this information is protected by HIPAA.

Truth: Employers can require an employee to provide COVID-19 vaccination status and present proof of vaccination, such as a vaccination card, as HIPAA does not apply to these requests.

HIPAA governs the use and disclosure of protected health information (PHI) held by certain “covered entities” in the health care space, including health plans, health care clearinghouses, and health care providers who perform certain health care transactions electronically, as well as certain “business associates” of these covered entities. For example, when a physician electronically submits a medical claim to a patient’s health plan for payment, HIPAA is triggered because the physician is a covered entity disclosing a patient’s protected health information. In general, however, most employers outside of the health care industry are not covered entities or business associates and therefore are not subject to HIPAA.

Nonetheless, employers should remain alert to other federal and state laws that might apply when an employee discloses their immunization status. For example, if an employee reveals that he is not vaccinated, an employer should generally not ask why, as this may elicit information about an employee’s disability or medical condition in violation of the Americans with Disabilities Act (ADA). However, if the employee is subject to an employer-imposed or state or federal vaccination requirement, it may be necessary to explore the reasons why the employee is not vaccinated in order to determine whether a reasonable accommodation for immunization is necessary and possible.

Myth: My organization is a healthcare entity / provider, so HIPAA applies to all employee health information collected by my organization.

Truth: While HIPAA will apply to your organization in its role as a health care provider, it will not apply to your organization when it is acting in its capacity as an employer. For example, if an employee disclosed disability-related information for the purpose of seeking reasonable accommodation, or medical information relevant to a leave request under the Family and Medical Leave Act (FMLA), that information would not be considered PHI subject to HIPAA protections. Additionally, the US Department of Health and Human Services (HHS) recently confirmed that the HIPAA Privacy Rule does not prohibit a covered entity (for example, a doctor, hospital, or covered health plan) or a business associate from inquiring whether an individual (for example, a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it regulates how and when a covered entity or its business associate may use or disclose information about an individual’s immunization status.

However, HIPAA would apply to other employee health information collected by the organization in its capacity as a health care provider. For example, if an employee of a hospital becomes a patient of that hospital, HIPAA will apply to the employee’s patient records, but not to their employment records.

Myth: I may disclose an employee’s immunization status to other employees or customers because HIPAA law does not apply to my organization.

Truth: Not so fast. Even if an employer is not subject to HIPAA, other laws limit the disclosure of an employee’s health information. For example, the ADA requires employers to treat as a confidential medical record any medical information obtained through an employer’s disability-related inquiry, employment-related medical examination (including in voluntary wellness programs) or through voluntary employee disclosure. Employers can only share medical information in limited circumstances, such as with managers or supervisors who need to know about an employee’s work restrictions and accommodations. Likewise, the FMLA requires that employers keep medical records and information private. If an employee needs time off for a critical illness or for some other qualifying reason, including a reason related to COVID-19 or vaccination, employers must keep this information confidential in accordance with FMLA obligations.

Employers should also be aware of other state-specific privacy laws that may apply to protect personal information held by an employer against inappropriate disclosure, theft and/or misuse. In the absence of employee notification and consent, disclosure of an employee’s immunization status to third parties is likely to constitute unauthorized disclosure or a violation under applicable national privacy laws. Almost all states require employers to notify employees when there has been an unauthorized disclosure of certain defined categories of personal information, including Social Security numbers. Recently, several states have extended these laws to cover the disclosure of employee health information. For example, the Maryland Personal Information Protection Act (PIPA) was amended effective January 1, 2018, to require companies to “implement and maintain reasonable security procedures and practices” to protect against unauthorized disclosure of employee “personal information”, including health information. Finally, recently implemented privacy laws may require notice in one form or another.

Therefore, an employer should generally not disclose an employee’s immunization status – or any other employee health information – to other employees or to a customer. In addition, employers must keep all employee health information confidential and store this information securely and separately from the employee’s personnel file.
