On September 30, the Department of Health and Human Services (HHS) issued guidance on the connection between HIPAA and COVID-19. In summary, the Health Insurance Portability and Accountability Act (HIPAA) protects patient health information from disclosure without prior consent. Chiefly, the guidance addresses when HIPAA applies to disclosures and requests for information about a person receiving a COVID-19 vaccine. Earlier, in March, the HHS’s Office for Civil Rights (OCR) requested comments for proposed changes to the HIPAA Privacy Rule.
Overview of the Guidance on HIPAA and COVID-19
Basically, the guidance reminds the public that HIPAA and its Privacy Rule do not apply to employers or employment records. The HIPAA Privacy Rule explicitly applies to HIPAA-covered entities. (For example, health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions.) Similarly, covered entities could include specific business associates. Overall, the guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. In light of the continuing pandemic, the HHS believes the information is helpful to employers and the public at large.
Contents of the Guidance
Given that the guidance addresses the connection between HIPAA and COVID-19, the key points and questions include:
- Does the HIPAA Privacy Rule prohibit businesses from asking whether their customers or clients have received a COVID-19 vaccine?
- Are customers or clients of a business prohibited from disclosing whether they have received a COVID-19 vaccine?
- Does HIPAA prohibit a covered entity or business associate from requiring employees to disclose if they received a COVID-19 vaccine?
- Can employers require employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
- Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI)? For instance, telling an individual’s employer or other parties that the individual received a COVID-19 vaccine.