HHS Issues Guidance on HIPAA Privacy Rule and COVID-19 Vaccinations
By on
Posted in Legal Bites, The Staff Report
HHS Issues Guidance on HIPAA Privacy Rule and COVID-19 Vaccinations

On September 30, 2021, the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights issued guidance to help the public and employers understand what privacy rules apply to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has a Privacy Rule that regulates covered entities, including health plans, health care clearinghouses and health care providers. According to HHS, “The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”

The HHS guidance states that the Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA-covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

The guidance further states that the Privacy Rule does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue or another individual;
  • Asks another individual, their doctor or a service provider whether they are vaccinated; and
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Although other state and federal laws may apply to employers, the Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.

Tags: COVID-19
  • Pooja S. Nair
    Pooja S. Nair
    Partner
    | 310.281.6320

    Pooja S. Nair is a Partner and Chair of the Food, Beverage and Hospitality Department.

    Pooja S. Nair is a business litigator with a proven track record of delivering creative, effective, and long-term solutions to complex legal ...

    Full Bio | Contact Author | Blog Posts

Subscribe

Recent Posts

Blogs

Contributors

Archives

Jump to PageX

Ervin Cohen & Jessup LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek