By: Dave Davidson
Despite two years of COVID and a year’s worth of vaccinations, there remains some confusion over the privacy of an employee’s vaccination status. As a healthcare employer, are you permitted to ask your employees if they’re vaccinated? Do you breach the Health Information Protection and Accountability Act (HIPAA) in doing so? The quick answers to those questions are: it’s OK for an employer to ask; and as long as the inquiry is made to the employee (and not to a third party or sought from medical records), the employer probably hasn’t violated HIPAA.
First, let’s address HIPAA applicability in general. As a health care attorney, HIPAA is an integral part of my “filter” in providing legal analysis. However, it surprises me when I hear people who work outside the health care arena claim HIPAA protection over all kinds of information – and most recently, their COVID-19 vaccination status. Those protections are from a much broader interpretation of the HIPAA protections than is actually provided. In a nutshell, HIPAA applies to health plans, health care clearinghouses, and health care providers (along with their business associates). Unless an employer falls into one of those categories, HIPAA does not play a role. Nevertheless, health care employers who have employees who are also patients, or employees who have provided Protected Health Information (PHI) to their employer cannot just shrug off their HIPAA obligations when it comes to vaccinations. PHI must always be safeguarded in accordance with the HIPAA Privacy Rule. Continue reading