Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

October 6, 2021

HHS OCR Issues Guidance on HIPAA and COVID-19 Vaccine Information

On September 30, 2021, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to the public on the applicability of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to disclosures and requests for COVID-19 vaccine information.

OCR’s guidance clarifies that the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine, as the Privacy Rule only applies to HIPAA-covered entities (including health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and, in some cases, covered entities’ business associates. Covered entities—such as health care providers—in their role as an employer may ask these questions of employees. The Privacy Rule also does not prohibit an individual or entity, including HIPAA-covered entities, from asking whether an individual has received a COVID-19 vaccine and does not regulate the ability of covered entities and business associates to request information from patients or visitors. However, the Privacy Rule does regulate how and when this information may be used or disclosed.

The guidance from OCR also clarifies that the HIPAA Privacy Rule does not:

  • Prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine
  • Apply when an individual tells another person about their own vaccination status
  • Prohibit an employer from requiring workforce members to disclose whether they have received a COVID-19 vaccine
  • Prohibit covered entities or business associates from requiring workforce members to disclose vaccination information to their employers or other parties

According to the OCR guidance, the HIPAA Privacy Rule does, however, generally prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether the individual has received a COVID-19 vaccine, to the individual’s employer or other parties. The Privacy Rule prohibits covered entities and their business associates from using or disclosing an individual’s PHI unless the individual has authorized the use or disclosure or as otherwise expressly permitted or required by the Privacy Rule. Disclosures of vaccination status to sports arenas, hotels, resorts, cruise ships, airlines, and car rental agencies, among others, all require an individual’s written authorization before the information can be disclosed. The guidance provides that the following disclosures are permitted under the Privacy Rule, so long as they are consistent with other laws and applicable ethical standards:

  • A covered physician may disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered pharmacy may disclose PHI relating to an individual’s vaccination status to a public health authority.
  • A health plan may disclose an individual’s vaccination status where required to do so by law.
  • A covered clinician who is an investigator in a COVID-19 vaccine clinical trial may use or disclose PHI to the vaccine manufacturer and the US Food and Drug Administration about clinical trial participants for the purpose of activities related to the quality, safety, or effectiveness of the COVID-19 vaccine.
  • A covered hospital may disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, so long as certain conditions are met.

Providers should review the guidance from OCR and take steps to ensure that they are using and disclosing COVID-19 vaccine information in ways that comply with federal and state laws, including the HIPAA Privacy Rule. The OCR guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be viewed in its entirety here.

If you have any questions regarding the content of this alert, please contact Melissa Zambri, Health & Human Services Providers Team co-leader, at mzambri@barclaydamon.com; Margaret Surowka, counsel, at msurowka@barclaydamon.com; Dena DeFazio, associate, at ddefazio@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Team.

We also have a specific team of Barclay Damon attorneys who are actively working on assessing regulatory, legislative, and other governmental updates related to COVID-19 and who are prepared to assist clients. Please contact Yvonne Hennessey, COVID-19 Response Team leader, at yhennessey@barclaydamon.com, or any member of the COVID-19 Response Team, at COVID-19ResponseTeam@barclaydamon.com.
 

Featured Media

Alerts

Recent DOJ and OCR Settlement Highlights Provider Responsibilities to Deaf and Hearing Impaired Patients

Alerts

Court Rules in Favor of Office of Renewable Energy Siting Regulations in Article 78 Challenge

Alerts

HHS OCR Issues Guidance on HIPAA and COVID-19 Vaccine Information

Alerts

New York State Cannabis Control Board Holds First Meeting

Alerts

NYS DOH and DASNY Announce Availability of Funds for Residential Health Care and Other Providers

Alerts

To Dismiss or Not to Dismiss? Second Department Takes Another Look at Abandonment

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out