News & Resources

Publications & Media

How Does HIPAA Prevent Using and Disclosing COVID-19 Vaccination Information? HHS OCR Issues Guidance

Health & Life Sciences Meghan O’Connor, Rachel Weiss, Sarah Erdmann

Does HIPAA prevent businesses from asking whether customers or clients are vaccinated? (No). Does HIPAA prevent an employer from requiring an employee to disclose vaccination status? (No). Does HIPAA prohibit doctors from telling a patient’s employer about the patient’s vaccination status? (Generally yes).

Yesterday the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies to disclosures and requests for an individual’s COVID-19 vaccination status. The guidance is helpful for employers considering vaccine mandates and businesses responding to customer questions.

The guidance is written in a question-and-answer format but focuses on clarifying the following:

  • HIPAA does not prohibit any business or person from asking about an individual’s COVID-19 vaccination status.

HIPAA does not regulate the ability of HIPAA covered entities to request information from patients and visitors. Instead, HIPAA regulates how and when covered entities and business associates may disclose protected health information (“PHI”), including COVID-19 vaccination status, that the entity creates, receives, maintains, or transmits.

Similarly, the HIPAA Privacy Rule does not apply when an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.

  • HIPAA does not prevent an employer from requiring an employee to disclose vaccination status.

HIPAA does not apply to employers or employment records. The HIPAA Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its workforce.

This includes employment records held by an entity subject to HIPAA in its capacity as an employer (e.g., HIPAA does not apply to a hospital’s HR employment records). A covered entity/business associate may, as an employer, request workforce members to provide documentation of vaccination.

  • Generally, HIPAA prohibits a health care provider from disclosing an individual’s COVID-19 vaccination status to the individual’s employer.

HIPAA prohibits covered entities (including health care providers) from disclosing an individual’s PHI (including COVID-19 vaccination status) without the individual’s authorization or as otherwise permitted under HIPAA.

For example, if consistent with other law and ethical standards, under the HIPAA Privacy Rule:

  • A pharmacy is permitted to disclose PHI regarding an individual’s vaccination status to a public health authority (e.g., state or local public health agency).
  • A provider is permitted to disclose PHI regarding an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation related to medical surveillance of the workplace (e.g., surveillance of spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness as long as various conditions are met.
  • A physician is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s health plan as necessary to obtain payment for administration of a COVID-19 vaccine.

In many other circumstances, the Privacy Rule requires the individual to provide a written authorization before disclosing PHI. For example, an authorization is required before a provider discloses vaccination status to a sports arena, hotel, cruise ship, airline, or car rental agency.

  • HIPAA does not prohibit an individual from choosing to disclose their COVID-19 vaccination status.

The HIPAA Privacy Rule does not apply to individuals’ disclosures about their own information. It only applies to covered entities and, to some extent, their business associates.

In determining whether your business needs to take HIPAA compliance into consideration as it relates to handling COVID-19 vaccination data will depend on whether your business is a covered entity or business associate required to comply with HIPAA. Even if you are a covered entity, you may be able to request and disclose an individual’s COVID-19 vaccination status in your capacity as an employer (e.g., if you are a healthcare provider that is a covered entity under HIPAA, you can still require – in your role as an employer – your staff to provide vaccination status).

Given the widespread confusion and misinformation about applicability of HIPAA to vaccination information, it is not surprising that OCR has issued this guidance. This is not a new interpretation of HIPAA, but it is helpful to have written guidance from regulators to use when responding to questions from employees, customers, and patients. Businesses should consider any relevant employment laws when requesting an individual’s COVID-19 vaccination status, but with this guidance, OCR has publicly confirmed that HIPAA is not a barrier.

For additional questions on this legal alert or on HIPAA compliance generally, contact your Quarles & Brady attorney or: