With the COVID-19 vaccine becoming widely available, and many employers beginning to require workforce members to be vaccinated, questions have surfaced about why employers are permitted to ask about an employee’s COVID vaccine status without violating HIPAA regulations.
To answer this question, we’ll first take a look at what the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to and, as a result, what counts as a HIPAA violation. HIPAA’s Privacy Rule was implemented to ensure that an individual’s privacy and health information is protected by covered entities, which include health plans, healthcare clearinghouses, and healthcare providers.
The Privacy Rule addresses how and when the disclosure and use of such health information can occur amid the flow of health information that’s needed for providing care. Protected health information (PHI) can include anything from a patient’s name or other identifiable information, to general health status and health records. This information must be exchanged in a safe and confidential way that complies with HIPAA regulations, such as through software that ensures HIPAA compliant email.
The HIPAA Privacy Rule doesn’t apply to requests for COVID vaccine status
The reality is, HIPAA’s Privacy Rule simply applies to how health information is used and disclosed by covered entities, and it does not apply in the case of employers requesting the vaccine status of their employees. Employers are, after all, requesting the information from the employee directly and not from a covered entity. According to the U.S. Department of Health and Human Services (HHS), “the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment.”
What employers can (and can’t) ask about your COVID vaccine status
While employers are permitted to ask employees their vaccination status, and even request formal documentation confirming that employees received the COVID vaccine, the ADA prohibits employers from asking any question that persuades an employee to disclose a disability. For example, if an employee responds to their employer’s request for vaccine status by saying they are not vaccinated, some legal teams are advising employers not to ask for the reason they aren’t vaccinated, since the reason may relate to a disability.
Can employers require a COVID vaccine?
Employers are permitted to require any employees entering the workplace to be vaccinated. According to the Equal Employment Opportunity Commission (EEOC), requiring employees to be vaccinated does not violate federal law. Employers may be required, however, to provide reasonable accommodation to employees who disclose that they are unvaccinated due to a disability or religious beliefs.
Reasonable accommodations may include:
- Workspaces conducive to social distancing
- Telecommuting opportunities
- Altered work shifts
- Work reassignment
Can your employer ask for proof of vaccination?
Since the HIPAA Privacy Rule doesn’t apply to an employer’s request for a worker’s vaccine status, proof of vaccination can also be requested by the employer. The most common form of documentation is a copy of the individual’s COVID vaccination card. The EEOC does recommend, however, that employers who will be rolling out a policy requiring proof of vaccination should notify staff in advance. The notification should state that the company will be reviewing and considering any requests for reasonable accommodations with regard to individuals not getting vaccinated because of a disability or religious affiliation.
Is your vaccine status confidential medical information?
Once an employer obtains vaccination status from an employee, the information must be kept confidential and secured, according to ADA requirements. The ADA considers documents containing a worker’s vaccine status to be medical information, and they must be stored in a separate place outside of the employee’s standard personnel file.
Even though your employer may not be subject to HIPAA, healthcare professionals most certainly are. Make sure you are sending HIPAA compliant email with Paubox Email Suite. Our email solution doesn’t change the regular email behavior for recipients or senders once integrated, and emails are automatically encrypted and delivered to inboxes directly. There’s no password required and no portal to visit in order to access your encrypted email message. Through integration with Google Workspace, Microsoft 365, and Microsoft Exchange, the transition to HIPAA compliant email with Paubox Email Suite is seamless.