Under the new Biden COVID-19 Action Plan, employers with 100 or more employees will soon be required to ensure their workforce is fully vaccinated or tested for COVID-19 on a weekly basis. Even without this mandate, many employers request proof of vaccination or a negative test from employees to protect the health and safety of their workplaces.

When requesting proof of vaccination status or test results, employers may have concerns with HIPAA compliance. Generally, the HIPAA Privacy Rule requires “covered entities” and business associates to safeguard individuals’ protected health information (PHI) and sets limits on the uses and disclosures of PHI. In our prior article, we discussed how employers can comply with the HIPAA Privacy Rule with regard to their group health plans and how workplace COVID-19 screening (e.g., COVID-19 related inquiries, temperature tests, and COVID-19 tests) does not necessarily implicate HIPAA.

Recently, the Department of Health and Human Services (HHS) released more comprehensive guidance on HIPAA, COVID-19 Vaccination, and the Workplace, which confirms that HIPAA does not prohibit employers from requesting proof of vaccination status and test results.

The HHS guidance outlines that the HIPAA Privacy Rule:

  • Does not prohibit a business from asking whether their customers or clients have been vaccinated against COVID-19 (the Privacy Rule does not regulate the ability of covered entities and business associates from requesting information from patients or visitors, rather, it regulates how and when they are permitted to use and disclose protected health information);
  • Does not apply when an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, another individual, their doctor, or a service provider;
  • Does not apply to an individual’s disclosure about their own health information, such as whether they have been vaccinated against COVID-19;
  • Does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties;
  • Does not prohibit an employer from requiring a workforce member from signing a HIPAA authorization for a covered health provider to disclose the workforce member’s COVID-19 vaccination record;
  • Does not prohibit an employer from requiring a workforce member from wearing a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location; and
  • Does prohibit a doctor’s office from disclosing an individual’s vaccination status to their employer or other parties, except with the individual’s authorization or where expressly permitted by the HIPAA Privacy Rule (e.g., disclosure to the individual’s health plan to obtain payment for the administration of the vaccine is permitted).

The biggest takeaway for employers is that HIPAA does not prohibit employers from requiring their employees to disclose whether they have been vaccinated. Further, the guidance emphasizes that the HIPAA Privacy Rule does not apply to employment records and does not regulate what information can be requested from employees as a part of the terms and conditions of employment that an employer many impose on its workforce.

The HHS guidance is consistent with the guidance released by the Equal Employment Opportunity Commission (EEOC), which stated that federal anti-discrimination laws do not prevent employers from requiring employees physically entering the workplace to be fully vaccinated and to provide proof of vaccination, subject to reasonable accommodation requirements. However, documentation of vaccination must be kept confidential and stored separately from the employee’s personnel files under the Americans with Disabilities Act (ADA). We discussed the EEOC guidance and how employers can implement vaccination policies in compliance with federal anti-discrimination laws in our prior blog.

Employer Takeaway

The HHS guidance further confirms that employers can request proof of COVID-19 vaccination status and COVID-19 test results without violating HIPAA. Employers who do request this information should keep it confidential and store it separately from employee personnel files to comply with the ADA.

Additional Resources

Emerald Law — Emerald is a Senior Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline benefits compliance. In her free time, Emerald enjoys stand-up comedy, live music, and writing non-fiction.