Privacy & Information Security Law Blog

On September 30, 2021, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued guidance regarding when the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule applies to disclosures and requests for information about a person’s COVID-19 vaccination status.

The guidance is a reminder that the HIPAA Privacy Rule applies only to HIPAA covered entities (and, in some cases, to their business associates) and does not apply to employers or employment records. HIPAA-covered entities are health plans, health care clearinghouses and health care providers that conduct standard electronic transactions.

The guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. For example, the guidance explains that the HIPAA Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment, even though other federal or state laws may address terms and conditions of employment.  The guidance also states that, under the Americans with Disabilities Act, documentation or other confirmation of vaccination must be kept confidential and stored separately from an employee’s personnel file.

In its press release, OCR stated that the information will be helpful to the public as the country continues to navigate the COVID-19 pandemic. OCR Director Lisa Pino stated, “We are issuing this guidance to help consumers, businesses and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.”