By: HUB’s EB Compliance Team

It is a common misconception that all health information, regardless of its source or who is asking for it, is subject to the privacy protections of HIPAA, the Health Insurance Portability and Accountability Act of 1996. Simply put, this isn’t true. Some recent FAQs from the Department of Health and Human Services (“HHS”) demonstrate how this applies in the current COVID context.

HIPAA’s Protections

As the FAQs make clear, HIPAA’s privacy rule only applies to “covered entities” and “business associates.” Covered entities are health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions. Business associates are typically vendors who assist covered entities and have access to protected health information from the covered entity.

Additionally, HIPAA does not typically govern asking for health information. However, once a covered entity or business associate has protected health information, HIPAA’s privacy rule puts limits on the covered entity’s or business associate’s ability to use or disclose the protected health information.

Ask and You Can Receive

Given this background, if a business or individual asks if you are vaccinated, is that a HIPAA violation? No, it’s not. For example, a restaurant is not a covered entity and almost certainly not a business associate, but even if it were, asking for the information is not a HIPAA violation. The same analysis applies to a school, entertainment venue, or retail store. (Note that state privacy laws may apply to retaining that data, if the business chooses to store it somewhere.)

Additionally, if you ask your coworker if they’re vaccinated around the watercooler (actual or virtual), it doesn’t make you suddenly subject to HIPAA. However, other employment laws may be implicated and your employer’s policies may restrict your ability to ask this question. Therefore, while you may not get in HIPAA trouble for asking, that doesn’t mean you won’t get in trouble.

Similarly, giving away your own information does not implicate HIPAA at all. You are entitled to share your own health information with whomever you want.

Employers are Not Covered Entities

The FAQs similarly confirm that employers are not subject to HIPAA when collecting employment-related information. Therefore, if an employer (even if the employer is a covered entity for other purposes, such as a hospital) is requiring that its employees or vendors be vaccinated against COVID-19 and asks for proof, that proof is not subject to HIPAA.

However, as the FAQs also note, other laws (such as the Americans with Disabilities Act) require that vaccination information must be kept confidential and stored separately from an employee’s personnel file. Therefore, while HIPAA does not apply, that does not mean the information can be disclosed; other confidentiality protections may still apply. (For a fuller discussion of the employment law implications of vaccine mandates and incentives, visit HUB’s Coronavirus Resource Center.)

But You Can’t Always Get What You Ask For

Even though asking for vaccine status is permitted, in some cases, entities may not be able to get the information. While individuals are free to disclose their own medical information, if the employer or another business (like a sports arena, hotel, restaurant, etc.) asks a covered entity (like a medical provider or health plan) for an individual’s vaccine status, the covered entity cannot disclose it without the individual’s permission. (This also applies to business associates.)

Practically speaking, most of the time, businesses are going to ask for this information from the individual, so these types of requests will rarely be made to a covered entity. However, an employer may want to leverage health plan data on vaccinations to verify or confirm that someone is vaccinated. Unfortunately, without each individual’s permission, the health plan cannot provide that data. Therefore, the most compliant approach is to ask the individual to provide the information (but remember to keep it confidential for other reasons, as discussed above).

These new FAQs do not break any new ground, but they are helpful in explaining the parameters of HIPAA. Put simply, while employers or other businesses may have concerns about asking individuals for COVID-19 vaccination information, HIPAA is not one. However, requests to get that information from the health plan or a health care provider require the individual’s permission. Additionally, other state or federal laws may apply to how that information is stored and maintained.

If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only, and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.