The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status data and to requests about whether an individual has been vaccinated against COVID-19.
OCR pointed out in the guidance that HIPAA applies to HIPAA-governed entities. HIPAA-covered entities are the healthcare providers, health plans, and healthcare clearinghouses that carry out routine electronic transactions, and business associates of those entities that access or use protected health information (PHI). OCR informed the public that the HIPAA Privacy Rule doesn’t apply to employers or employment data. That includes information collected or kept by HIPAA-governed entities in their capacity as an employer.
OCR explained how HIPAA applies to COVID-19 vaccination information in specific scenarios in a website Q&A, which says:
The HIPAA Privacy Rule does not forbid businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. People who work at a HIPAA-covered entity or business associate are not barred from asking whether somebody has been given a vaccine.
The HIPAA Privacy Rule does not stop customers or clients of an organization from disclosing whether or not they have received a COVID-19 vaccine.
The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.
The HIPAA Privacy Rule doesn’t prevent a covered entity or business associate from requiring its staff members to disclose to their employers or other persons whether or not the staff members have received a COVID-19 vaccine.
OCR has established that, normally, the HIPAA Privacy Rule discourages a doctor’s office from sharing a person’s PHI, such as COVID-19 vaccination data, with the patient’s employer or other parties. Such disclosures are permitted if they are consistent with other rules and applicable ethical principles, for example disclosing to a health plan to get paid for providing the vaccine, and sharing such data with public health authorities.
OCR spelled out that there are instances when a HIPAA-covered healthcare facility is permitted to disclose PHI about a patient’s vaccination status to the person’s employer.
This is possible only to enable the employer to perform an evaluation related to medical monitoring of the workplace (e.g., surveillance of the spread of COVID-19 in the workforce), or to evaluate whether the person has a work-related health issue. In such circumstances, disclosures are authorized only if all of the following conditions are satisfied:
The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
The PHI that is shared involves findings about work-related health issues or workplace-related medical monitoring.
The employer needs the information in order to meet its obligations under the applicable authorities of the Mine Safety and Health Administration (MSHA), the Occupational Safety and Health Administration (OSHA), or state legislation with the same goal.
The covered health care provider gives written notice to the patient that the PHI related to the medical monitoring of the workplace and work-related illnesses will be disclosed to the employer.
This guidance is being issued to help individuals, organizations, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to make certain that they have the information they need to make well-informed decisions about protecting themselves and others from COVID-19.