Matthew Bowles | October 5, 2021
On September 30, 2021, the U.S. Department of Health and Human Services’ ("HHS") Office for Civil Rights issued guidance regarding HIPAA, COVID-19 vaccination, and the workplace. In its guidance, HHS reminded employers that the HIPAA Privacy Rule only applies "to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, to some extent, their business associates" (e.g., health care claims processing services, medical transcriptionists, and accounting firms with access to protected health information). Accordingly, the HIPAA Privacy Rule does not apply to most non-healthcare employers.
Employers often confuse the HIPAA Privacy Rule requirements for the privacy requirements of the Americans with Disabilities Act ("ADA"). The ADA requires employers to safeguard employee health information. Specifically, employers must maintain employee health information separate from the employee’s personnel file and limit access to such information by storing it under lock and key.
HHS guidance further clarifies that HIPAA does not prevent covered entities and business associates from requesting employee health information. For instance, employers subject to the HIPAA Privacy Rule may request that an employee provide proof of vaccination and/or other health related information required to screen an employee for COVID-19 infection in order for the employee to enter and/or remain in the workplace. HHS also reminds covered employers and business associates that the HIPAA Privacy Rules does not apply to "employment records held by covered entities or business associates in their capacity as employers." Instead, the ADA’s requirements apply. However, the HIPAA Privacy Rule may apply in certain circumstances where a health care provider, such as a hospital, provides employee health care services. The health information obtained from providing health care to employees is subject to the HIPAA Privacy Rule.
Although the HIPAA Privacy Rule may not apply to an employer, it may prevent a covered entity or business associate from providing protected health information, such as an employee’s COVID-19 vaccination status, directly to an employer requesting such information without the employee’s authorization. Accordingly, employers should direct their requests for COVID-19 related health information, such as an employee’s COVID-19 vaccination status, to the employee, not the employee’s health care provider.