Wednesday, October 13, 2021

Coronavirus Update 10-13-2021: Unfortunately I need to keep clarifying misconceptions about HIPAA

I came across the following information on the website of a prominent national payroll provider:
Q: In what ways can/should HR departments capture and record employee vaccination information? What are the HIPAA implications?

A: When it comes to recording this data, it's a good idea to keep it separate from other employee information on file. It should not be part of standard employee records and should be accessible to as few people as possible. Because vaccination records are covered under HIPAA regulations, businesses must ensure they're diligent about securely collecting, recording and storing this information to limit the risk of compromise.

It cuts me to the quick to see an entity that should know better getting HIPAA so very wrong. If they can't get it correct, we have little hope that the general public will stop raising HIPAA as an objection to any disclosure of their health information, including vaccination status.

So, to clear the air once and for all, this is what HIPAA covers and doesn't cover, and why it does not apply to employers gathering vaccine-related information from employees.

1/ Broadly speaking, HIPAA does protect the privacy of individuals' medical information. But not all medical information and only in certain limited circumstances.

HIPAA applies only to "covered entities," defined as: (1) health plans; (2) healthcare clearinghouses; (3) healthcare providers that electronically transmit certain health information; and certain "business associates" of covered entities. If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Thus, HIPAA does not apply to employee health information collected or maintained by an employer in its role as an employee's employer.

For employees, HIPAA does not:
  • Prohibit an employer from requiring or otherwise asking for medical information (such as an employee's vaccination status).
  • Impact the ability to request information necessary to administer programs, such as healthcare benefits, workers' comp, or sick leave.
  • Protect all health data maintained in employment records, only those employees' medical and health plan records that relate to their participation as a member of the employer's healthcare plan.

For businesses dealing with the public (such as a retail store or restaurant, for example), HIPAA simply does not apply at all. HIPAA does not prohibit a business from asking a customer about his or her vaccination status as a condition to entry or donning a mask upon entry. Period. Hard stop.

2/ An employer that merely asks its employees for proof of vaccination status also does not violate other laws, such as the Americans with Disabilities Act. The ADA does place limits on an employer's disability-related inquiries of its employees. But, as the EEOC has clearly and succinctly stated, "requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry." The ADA does, however, require that an employer keep vaccination status and other employee medical information confidential once it is disclosed.

The bottom line is that private businesses absolutely can require employees to provide vaccination status as a condition of employment (subject to certain reasonable accommodation obligations), and further, a business can require the same as a condition to entry. A business can't force anyone to provide that information, but it can legally deny access to anyone who won't or can't provide it, just as it can deny employment to someone who refuses to provide it. We all have a choice to make—to vax or not to vax. It's really this simple. If you don't want to wear a mask, get vaccinated. If you don't want to get vaccinated, wear a mask. If you don't want to do either, then accept that there are places you won't be able to go for now and for the foreseeable future.