Skip to Main Content
Services Talent Knowledge
Site Search
Menu
Home page
Services Talent Knowledge
Firm Facebook
Firm Linkedin
Firm Twitter
Close Menu

Featured Industries

New & Emerging Industry Practice Areas

Practice Areas

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

October 6, 2021

HHS OCR Issues Guidance on HIPAA and COVID-19 Vaccine Information

On September 30, 2021, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to the public on the applicability of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to disclosures and requests for COVID-19 vaccine information.

OCR’s guidance clarifies that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine, as the Privacy Rule only applies to HIPAA-covered entities (including health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, in some cases, covered entities’ business associates. Covered entities—such as health care providers—in their role as an employer may ask these questions of employees. The Privacy Rule also does not prohibit an individual or entity, including HIPAA-covered entities, from asking whether an individual has received a COVID-19 vaccine and does not regulate the ability of covered entities and business associates to request information from patients or visitors. However, the Privacy Rule does regulate how and when this information may be used or disclosed.

The guidance from OCR also clarifies that the HIPAA Privacy Rule does not:

  • Prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine
  • Apply when an individual tells another person about their own vaccination status
  • Prohibit an employer from requiring workforce members to disclose whether they have received a COVID-19 vaccine
  • Prohibit covered entities or business associates from requiring workforce members to disclose vaccination information to their employers or other parties

According to the OCR guidance, the HIPAA Privacy Rule does, however, generally prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether the individual has received a COVID-19 vaccine, to the individual’s employer or other parties. The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI unless the individual has authorized the use or disclosure or as otherwise expressly permitted or required by the Privacy Rule. Disclosures of vaccination status to sports arenas, hotels, resorts, cruise ships, airlines, and car rental agencies, among others, all require an individual’s written authorization before the information can be disclosed. The guidance provides that the following disclosures are permitted under the Privacy Rule, so long as they are consistent with other laws and applicable ethical standards:

  • A covered physician may disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered pharmacy may disclose PHI relating to an individual’s vaccination status to a public health authority.
  • A health plan may disclose an individual’s vaccination status where required to do so by law.
  • A covered clinician who is an investigator in a COVID-19 vaccine clinical trial may use or disclose PHI to the vaccine manufacturer and the US Food and Drug Administration about clinical trial participants for the purpose of activities related to the quality, safety, or effectiveness of the COVID-19 vaccine.
  • A covered hospital may disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, so long as certain conditions are met.

Providers should review the guidance from OCR and take steps to ensure that they are using and disclosing COVID-19 vaccine information in ways that comply with federal and state laws, including the HIPAA Privacy Rule. The OCR guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be viewed in its entirety here.

If you have any questions regarding the content of this alert, please contact Melissa Zambri, Health & Human Services Providers Team co-leader, at mzambri@barclaydamon.com; Margaret Surowka, counsel, at msurowka@barclaydamon.com; Dena DeFazio, associate, at ddefazio@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Team.

We also have a specific team of Barclay Damon attorneys who are actively working on assessing regulatory, legislative, and other governmental updates related to COVID-19 and who are prepared to assist clients. Please contact Yvonne Hennessey, COVID-19 Response Team leader, at yhennessey@barclaydamon.com, or any member of the COVID-19 Response Team, at COVID-19ResponseTeam@barclaydamon.com.
 

Subscribe

Click here to sign up for alerts, blog posts, and firm news.
Sign Up

Key Contacts

Dena DeFazio

Associate

Albany 518.429.4230 Read More
About Dena DeFazio
Margaret Surowka

Partner

Albany 518.429.4295 Read More
About Margaret Surowka
Melissa Zambri

Partner

Albany 518.429.4229 Read More
About Melissa Zambri

Related Industries

Featured Media

Alerts

EPA Lists Two New "Forever Chemicals" Under CERCLA

Read More
About EPA Lists Two New "Forever Chemicals" Under CERCLA

Alerts

NYS Governor Hochul Announces Final RFP for New Certified Community Behavioral Health Clinics

Read More
About NYS Governor Hochul Announces Final RFP for New Certified Community Behavioral Health Clinics

Alerts

The Second Department Affirms Successful Storm in Progress Defense of Slip and Fall Case

Read More
About The Second Department Affirms Successful Storm in Progress Defense of Slip and Fall Case

Alerts

The New York FY 2025 Budget – CDPAP FIs Under Threat

Read More
About The New York FY 2025 Budget – CDPAP FIs Under Threat

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Anderson, Beauchamp, Murray, Angeles, Monegro, and Bullock—Targeting Businesses in Recent Flurry of Lawsuits

Read More
About Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Anderson, Beauchamp, Murray, Angeles, Monegro, and Bullock—Targeting Businesses in Recent Flurry of Lawsuits

Alerts

Updated Bulletin on Tracking Technologies in the Health Care Industry

Read More
About Updated Bulletin on Tracking Technologies in the Health Care Industry
Previous Alert
Next Alert
View All Alerts

We're Growing in DC!

We’re excited to announce Barclay Damon’s combination with Washington DC–based Shapiro, Lifschitz & Schram. SLS’s 10 lawyers, three paralegals, and four administrative staff will join Barclay Damon while maintaining their current office in DC’s central business district. Our clients will benefit from SLS’s corporate, real estate, finance, and construction litigation experience and national energy-industry profile, and their clients from our full range of services.

Read More

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out