The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through its Privacy and Security Rules, governs the permitted and required uses and disclosures of Protected Health Information (PHI) by Covered Entities (CE) and their Business Associates (BA).
A CE includes a medical plan (Plan); a Plan is a legal entity that permits the Plan Sponsor (i.e., Employer) access to PHI to perform services on behalf of the Plan (outlined in a plan document). Practically, an employer sponsors a Plan for the benefit of plan participants (i.e., employees).
HHS provided recent guidance regarding the interaction of HIPAA, the workplace, and COVID-19 vaccinations. Let's run down the highlights.
The Privacy Rule prohibits CEs and their BAs from using or disclosing a person's PHI (i.e., vaccine status) except with that person's authorization or as otherwise expressly permitted or required by the Rule.
The Privacy Rule:
This means that HIPAA doesn't prevent a CE or BA from requiring or requesting each workforce member to provide vaccination documentation to their current or prospective employer; wear a mask while in the employer facility or property, or in the normal course of performing duties at another location; or disclose whether they have received the COVID-19 vaccination in response to inquiries from current or prospective patients.
The HHS guidance provides several examples of how HIPAA does and does not apply in particular instances.
Don't forget! HIPAA governs PHI use and disclosure by CEs and their BAs. Other federal and state laws address vaccinations in employment settings. Seek counsel and verify facts of the request, and which laws apply, before pursuing a course of action.
To learn more about HIPAA's Privacy and Security Rules, check out The Dashboard's Geek Out! Pages.