• Can employers ask whether their employees have received the COVID-19 vaccine?
  • How do laws surrounding COVID-19 and HIPAA affect employers?
  • Learn the 6 questions employers are asking about COVID-19, vaccines, and HIPAA

Read more below.

hipaa and covid 19

Throughout the pandemic, there has been a lot of talk about risk. The risk of infection, exposure, spreading the COVID-19 virus. The risk of getting vaccinated, not getting vaccinated. Now, as employees are returning to in-person work, returning to group events, etc. there are questions. For example, as an employer, can you ask your employees for proof of vaccination? Are you violating privacy laws by doing so? It’s important for employers to understand the laws surrounding COVID-19 and HIPAA.

Yes, employers can ask whether their employees have received the coronavirus vaccine — and even require it.

To help shed some light on questions, protocols, and exemptions around the COVID-19 vaccination status in the workplace, we have compiled information and resources for laws such as:

  • Health Insurance Portability and Accountability Act (HIPAA),
  • Americans with Disabilities Act (ADA),
  • Genetic Information Nondiscrimination Act (GINA), and
  • Title VII of the Civil Rights Act of 1964.

Vaccination information is protected health information (PHI) and is covered by the HIPAA Rules. However, HIPAA only applies to HIPAA-covered entities: healthcare providers, health plans, insurance providers, and healthcare clearinghouses, and their business associates. 

Click here to download the ebook “Compliance with the HIPAA Breach Notification Rule During the COVID-19 Pandemic.”

HIPAA is a federal law that aims to protect privacy by restricting how sensitive health information can be used or disclosed. It also gives you the right to examine and obtain a copy of your medical records, according to the United States Department of Health and Human Services (HHS).

1. Can an employer ask employees if they have been vaccinated?

Yes. If an employer asks an employee to provide proof that they have been vaccinated for COVID-19 in order to allow that individual to work without wearing a face mask, that is not a HIPAA violation.

Employees may decide whether to provide that information to their employer. If an employer requires employees to provide proof that they have received a COVID-19 vaccination from a pharmacy or their own healthcare provider, the employer cannot mandate that the employee provide additional medical information as part of the proof.

“Employers are within their rights to ask employees about vaccination status or to require proof of vaccination as a condition of continued employment. Similarly, colleges and universities can require proof of vaccination for faculty, staff, and students,” states Michael S. Sinha, MD, JD, MPH, adjunct faculty at the Northeastern University School of Law and visiting scholar at the NUSL Center for Health Policy and Law.

-Sources: Center for Disease Control and Prevention (CDC) and Very Well Health

2. Can other organizations ask for proof of COVID-19 vaccination?

Under federal laws, there are very few situations in which businesses, airlines, employers, schools, and even those covered by HIPAA are prohibited from asking individuals to share their vaccination status or show their vaccine record card, writes The Washington Post.

If they ask for a vaccination status before allowing individuals to enter a facility, attend classes, come to work in person, or even book a flight, that’s not a HIPAA violation.

-Source: The Washington Post

3. Is it a HIPAA violation to ask for proof of vaccination status?

“Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws. Furthermore, several states have passed laws — or are considering laws — that prohibit employers in the public sector from asking employees about their vaccine status.”

-Source: HIPAA Journal

Reduce Privacy Risk with Benchmarking and KIPs:

Read now

4. Is it a violation of privacy to ask for proof of vaccination status?

There is nothing in HIPAA that bars asking employees about their health — including vaccination status — or requiring proof that the information is accurate. There are other federal and state confidentiality laws that may require employers and schools to protect your privacy.

“It’s not really a prohibition on asking, it’s a prohibition against sharing,” said Kayte Spector-Bagdady, an associate director at the Center for Bioethics and Social Sciences in Medicine at the University of Michigan.

-Source: The Washington Post

5. What about violations of anti-discrimination laws, such as ADA and GINA?

According to the U.S. Equal Employment Opportunity Commission (EEOC), there is no indication that there’s any federal law that would be violated if the employer asks for proof of vaccination status.

Federal Equal Employment Opportunity (EEO) laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19, so long as employers comply with the reasonable accommodation provisions of the ADA and Title VII of the Civil Rights Act of 1964 and other EEO considerations.

-Source: EEOC

6. What about asking your employees follow-up questions about COVID-19?

Employers should be careful when asking follow-up questions, such as why an employee has not been vaccinated. These types of questions could trigger obligations under the ADA and the GINA.

A possible violation might be if an employer’s attempt to find out why a worker didn’t get vaccinated could elicit information about a disability. It’s important to note that federal laws protect employees against employment discrimination during the COVID-19 pandemic.

How employees’ answers are recorded and protected against unauthorized use and disclosure — or used to impact employee benefits, roles, or work experience — determines whether or not the organization is in compliance with relevant state, federal, and international laws.

-Sources: EEOC and HIPAA Journal

Vaccine Mandates, Vaccination Passports, What’s Next?

The EEOC provides information on workplace anti-discrimination laws and COVID-19. Additional resources about COVID-19 and the workplace can be found via the U.S. Department of Labor’s website.

Time will tell what’s ahead. In the meantime, stay healthy! And if you have questions about what might constitute a privacy breach, we’re here for you. With the ever-evolving landscape of global data breach notification laws — and privacy laws evolving before our eyes — you might be interested in our free library of hundreds of global privacy laws, rules, and regulations, designed for privacy and security professionals to stay current on existing and even proposed legislation. Check out Breach Law Radar anytime for peace of mind.

Learn How to Scale Privacy During Digital Transformation

You may also be interested in:

[vc_basic_grid post_type=”post” max_items=”3″ element_width=”12″ item=”765″ grid_id=”vc_gid:1628621937905-40094ef6-93be-1″]