HHS Addresses HIPAA Privacy and COVID-19 Vaccinations in the Workplace

The Department of Health and Human Services (HHS) has issued Q&A guidance addressing how requirements under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to vaccinations for COVID-19 (the disease that results from SARS-CoV-2). Among other topics, the guidance addresses the ability of HIPAA covered entities and business associates to require employees to disclose whether they have received COVID-19 vaccines.

HHS clarified that the HIPAA Privacy Rule does not bar a person or business (including HIPAA covered entities (CEs) and business associates (BAs)) from asking whether their clients or customers have received a particular vaccine—including COVID-19 vaccines. HHS noted that the Privacy Rule governs only CEs (that is, health plans, health care clearinghouses, and health care providers that perform standard electronic transactions) and, to a lesser extent, their BAs.

HHS also concluded that the Privacy Rule does not prohibit employers from requiring employees (or other workforce members) to disclose whether they have received a COVID-19 vaccine to the employer itself or the employer's clients or other parties.

Privacy
Aaron Messing