January 18, 2022

Volume XII, Number 18


January 15, 2022

Subscribe to Latest Legal News and Analysis

OCR Issues Clarifying Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace

Questions abound as to whether HIPAA comes into play when COVID-19 vaccination information is provided to employers. Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued clarifying guidance on the applicability of the HIPAA Privacy Rule in the context of COVID-19 vaccination information provided to employers.

This guidance is to remind the public that the HIPAA Privacy Rule generally does not apply to employers or employment records, which includes health care providers in their roles as employers. The HIPAA Privacy Rule applies only to health care providers and health plans (and their business associates) in their roles as health care providers or payers – not in their roles as employers. The guidance emphasized that the HIPAA Privacy Rule does not prohibit anyone, including health care providers, health plans, and their business associates, from asking whether an individual has received any vaccine, including the COVID-19 vaccine. 

While the HIPAA Privacy Rule regulates a health care provider or health plan’s ability to use and disclose protected health information (PHI), it does not regulate the ability to collect protected health information from employees, patients and visitors within the context of seeking COVID-19 vaccination status. Also, to eliminate any confusion, the guidance states that the HIPAA Privacy Rule does not apply when employers, schools, stores, restaurants, entertainment venues, or other individuals inquire about any individual’s vaccination status. It also does not apply when individuals ask companies about the vaccination status of their employees.

Health care providers and health plans that are required to comply with HIPAA are permitted to disclose PHI for a number of reasons, including treatment, payment, operational and public health activities. For example, a health care provider may relay an individual’s vaccination status to a public health authority for purposes of comparing the effectiveness of different COVID-19 vaccinations. Additionally, a health care provider is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.

Importantly, OCR clarified that in the current COVID-19 environment, a health care provider is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer for purposes of surveillance of the spread of COVID-19 within the workforce, so long as all of the following conditions are met:

  • Health care services were provided to the individual at the request of the individual’s employer or as a member of the employer’s workforce;

  • The PHI disclosed consists of findings concerning work-related illness or workplace-related medical surveillance;

  • The employer is required to have the information to comply with legal obligations under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose; and

  • The individual is provided written notice that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Within the guidance, OCR also emphasized that the HIPAA Privacy Rule does not apply to employment records. Nothing in the HIPAA Privacy Rule prevents employers from requesting documentation of COVID-19 vaccination or requesting employees wear masks while on the employer’s property or when performing work-related duties. While other state and federal laws address whether employment may be conditioned on vaccination status and regulate confidentiality and storage of employee health information, HIPAA does not. 

In a press release, OCR Director Lisa Pino stated, “we are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.”

The OCR guidance is available here

*Ashley Durner, who contributed to this article, is a Law Clerk and not licensed to practice.

© 2022 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume XI, Number 306

About this Author

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Jared Bruce, Dinsmore Law Firm, Cincinnati, Corporate and Health Care Law Attorney

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity.  His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance...