The Office for Civil Rights (“OCR”)—the agency within the U.S. Department of Health and Human Services responsible for, among other things, enforcing compliance with HIPAA— recently released guidance on HIPAA’s application to an individual’s COVID-19 vaccination status to combat the misinformation circulating that HIPAA applies to a broader array of entities than it actually does. The guidance reminds the public that HIPAA only applies to the three categories of covered entities—health plans, health care clearinghouses and health care providers that conduct standard electronic transactions—and their respective business associates. More particularly, OCR’s guidance aims to clarify when HIPAA applies to the disclosures of, and requests for, information regarding whether an individual has received one of the COVID-19 vaccines, with a specific focus on the workplace.

As those of us in and adjacent to the health care industry have surely noticed, misinformation about the scope and application of HIPAA has been rampant during the pandemic. This has only intensified with the introduction of the COVID-19 vaccines, followed by the shift in some instances from vaccination incentives to vaccination mandates.

The guidance is organized into five FAQs, each followed by a detailed response including footnoted sources and links to additional resources. According to OCR’s new guidance, the general response is no to questions 1-4 and yes to question 5, but it is important that you follow the link above for the detailed explanations underlying these general responses.

  1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
  2. Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?
  3. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
  4. Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
  5. Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

As a final matter, it is important to note that while the COVID-19 vaccines are of paramount concern to many at the moment, the OCR’s responses to each of the foregoing FAQs are equally applicable to any other vaccine. If any of the FAQs is relevant to you or your business, please see the guidance linked above to review OCR’s responses.