HIPAA and COVID Vaccination – Q & A’s from the Dept. of Health and Human Services

Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their patients have received a COVID-19 vaccine?  This and other questions were answered by U.S. Department of Health and Human Services (HHS) in its newly issued guidance for professionals.  This guidance is applicable to dental practices if the dental practice transmits an electronic “covered transaction,” such as submitting an electronic claim to a dental plan. A dental practice is also a covered entity if someone else (like a clearinghouse) sends an electronic covered transaction on behalf of the dental practice.

On September 30, 2021, the Office for Civil Rights (OCR) – an office of the HHS – issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

The answer to the initial question is NO.  The Privacy Rule does not prohibit your business, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.  The Privacy Rule applies only to covered entities and, to some extent, their business associates.  It  does not regulate the ability of a dental practice to request the information from patients or visitors.  It relates specifically to how the health information of your patients is used and disclosed.  So, the protected health information (PHI) does not extend to inquiring whether or not your patient has received a COVID-19 vaccine.  However, it does regulate how and when a dental practice may use or disclose information about an individual’s vaccination status.

Another question covered by the HHS guidance is:  Does the HIPAA Privacy Rule prohibit an employer from requiring a staff member to disclose to the employer or other parties whether they have received a COVID-19 vaccine?  Again, the answer is NO.  The Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates in their capacity as employers. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its staff.   However, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

Next question answered by the guidance:  Does the HIPAA Privacy Rule prohibit a covered entity from requiring its staff members to disclose to their employers or other parties whether they have received a COVID-19 vaccine?  Once again, the answer is NO.  As stated previously, the Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.   The dental practice may require staff members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other staff members, patients, or members of the public.  The Privacy Rule does not prohibit a covered dental practice from requiring or requesting each staff member to:

• Provide documentation of their COVID-19 vaccination
• Sign a HIPAA authorization for a covered health care provider to disclose the staff member’s COVID-19 vaccination record to their employer.
• Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
• Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Now look at this question:  Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?  Under most circumstances, YES it does.  The HIPAA Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI (e.g., information about whether the individual has received a vaccine, such as a COVID-19 vaccine) except with the individual’s authorization or as otherwise expressly permitted or required by the Privacy Rule.  Generally, where a covered entity or business associate is permitted to disclose PHI, it is limited to disclosing the PHI that is reasonably necessary to accomplish the stated purpose for the disclosure.

For example, if consistent with other law and applicable ethical standards, under the Privacy Rule:

• The employer needs the findings to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), or state laws having a similar purpose (e.g., under OSHA’s recordkeeping requirements, worker side effects from vaccination constitute a “recordable illness.”
• The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

In other circumstances, the Privacy Rule generally requires a covered entity to obtain an individual’s written authorization before disclosing the individual’s PHI, such as disclosure of whether the individual has received a vaccine.

This article is directed to dental practices and includes information on this topic which is relevant to the dental industry.  However, please note that the HHS guidance discussed is applicable to other health care professionals as defined by the HIPAA as well.  You may view the entirety of the guidance here.  Remember to contact Regulatory Support Services if you have any other questions about HIPAA compliance.