The U.S. Department of Health and Human Services (HHS) released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.

HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most health care providers, and their business associates (those who obtain protected health information in performing services for a covered entity).  The Privacy Rule does not apply to other individuals and entities.   Employers, schools, stores, restaurants, and many others may request that an individual disclose whether he or she has been vaccinated without violating the Privacy Rule.  Thus, schools may request students to disclose their vaccination status.  Businesses may request that information from their patrons.  Employers may request that information from their employees.  None of these requests violate HIPAA’s Privacy Rule.    However, these entities must comply with other applicable state and federal laws that impose restrictions on the design and implementation of COVID-19 vaccination requirements and requirements that apply to the maintenance and storage of information related to individuals’ vaccination status.

If an organization is considered a covered entity, such as a health care provider or business associate, the organization will generally be treated like other organizations when acting as an employer.  For example, a hospital may request information about the vaccination status of an employee.  When the organization acts as a covered entity or business associate, it may still collect vaccination information.  For example, doctors may collect that information from their patients (and the patients may provide it).  But the organization will be subject to HIPAA in its handling of the information.  As a result, a covered entity may disclose an individual’s vaccination status only if it is expressly permitted or required by the Privacy Rule or if the disclosure is authorized by the individual.

The guidance describes certain situations when disclosure is permitted without authorization.  For example, a health care provider may disclose an individual’s vaccination status to a health plan for payment or to a public health authority or vaccine manufacturer to report appropriately on the quality, safety or effectiveness of the COVID-19 vaccine.  In certain situations, as when an employer engages a health care provider to assist in medical surveillance of its workplace pursuant to OSHA requirements, a health care provider may disclose an individual’s vaccination status to the employer, although even then the individual must be notified of the disclosure.

If the disclosure is not expressly permitted by the Privacy Rule, a health care provider may not disclose an individual’s vaccination status without his or her written authorization.  For example, a health care provider could not generally disclose an individual’s vaccination status to entertainment and sporting venues, airlines, cruise ships, resorts or hotels, although they may ask individuals – and individuals may provide – this information.