January 26, 2023

Volume XIII, Number 26


HIPAA: Top 5 Takeaways as HHS Addresses Misconceptions on Applicability to COVID-19 Vaccination Information

The federal Department of Health and Human Services (HHS) issued guidance on the applicability of HIPAA to COVID-19 vaccination information, directly addressing a number of misconceptions about when HIPAA does, or does not, regulate disclosures of an individual’s COVID-19 vaccination status. Here are five key takeaways from the guidance.

“The Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.” – HHS (Sep 30, 2021)

1. HIPAA only regulates covered entities and business associates. 

The guidance serves as a reminder that HIPAA applies only to covered entities (health plans, health care providers that conduct electronic standard transactions, and health care clearinghouses) and their business associate vendors. HIPAA generally does not apply to employers, restaurants, stores, schools, and entertainment venues. Further, HIPAA does not apply to individuals’ disclosure of their own vaccination information.

2. HIPAA does not prohibit covered entities or business associates from asking about vaccinations. 

HIPAA restricts how covered entities and business associates can use and disclose protected health information (PHI)—HIPAA does not prohibit anyone from asking whether someone has received a vaccination. For example, HIPAA does not prohibit a covered entity from asking whether patients or visitors have been vaccinated against COVID-19. However, patients’ vaccination information is PHI and HIPAA regulates how the covered entity further uses and discloses that information once received.

3. HIPAA does not apply to employee information. 

With regard to employers in particular, the guidance notes that HIPAA does not apply to health information in employee files, even where the employer is a covered entity or business associate. That means vaccination records of employees that an organization maintains as an employer are not regulated by HIPAA. HIPAA also does not apply to employees being asked about, or disclosing, their own vaccination status. While there may be other federal and state laws that are implicated in these situations, HIPAA does not apply. For example, see EEOC guidance “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.”

4. HIPAA covered entities do not always need authorization to disclose vaccination information. 

The general rule under HIPAA is that a covered entity needs the individual’s authorization to use or disclose PHI, unless an exception applies. 45 C.F.R. § 164.502(a). The HHS guidance summarizes the scenarios where HIPAA permits a covered entity to disclose an individual’s vaccination status without the individual’s authorization, including, without limitation, (i) to a health plan when necessary to obtain payment for the vaccination, (ii) to public health authorities, and (iii) where required by law.

Note, however, that these disclosures may be further restricted by applicable state law. The guidance also notes that the covered entity will generally need authorization to disclose the individual’s vaccination status to entertainment venues, cruise ships, airlines, and similar recipients.

5. HIPAA covered entity health care providers can disclose vaccination information to employers without authorization only in specific circumstances. 

Covered entities need authorization to disclose vaccination information to an individual’s employer unless the disclosure fits into all of the following conditions:

  1. The covered entity is a health care provider who provides health care to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness or injury;

  2. The PHI disclosed is the findings concerning a work-related illness or injury or workplace-related medical surveillance;

  3. The employer needs the findings to comply with its legal obligations under OSHA, the Mine Safety and Health Administration, or state laws having a similar purpose; and

  4. The covered entity has provided written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer by one of the notice methods permitted by HIPAA.

45 C.F.R. § 164.512(b)(1)(v). If any of these conditions are not met, covered entities generally will need the employee’s authorization to disclose vaccination status to the employer. In addition, as noted above, these disclosures may be further restricted by applicable state law.

For reference, the following table summarizes some of the examples that HHS provided in the guidance:

| Fact Pattern | Does HIPAA apply? |
|---|---|
| Covered entity or business associate uses or discloses patients’/health plan members’ vaccine information | |
| Covered entity or business associate asks if individual has been vaccinated | No (although uses or disclosures of that information, if the individual is a patient or plan member, are regulated by HIPAA) |
| Individual A asks Individual B if Individual B is vaccinated | |
| Individual discloses individual’s own vaccination status | |
| School, employer, store, restaurant, or entertainment venue asks an individual about that individual’s vaccination status | |
| Individual asks their doctor if the doctor is vaccinated | |
| Individual asks company if its workforce is vaccinated | |
| Employer requires employee to provide documentation of vaccination | |


© 2023 Foley & Lardner LLP. National Law Review, Volume XI, Number 277

About this Author


Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...


Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...


Samuel (Sam) Goldstick is a data privacy and cybersecurity associate at Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, as well as Technology and Health Care Industry Teams. He also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E).

Prior to joining Foley, Mr. Goldstick was an associate at a prominent law...