The Department of Health and Human Services’ Office for Civil Rights has released guidance to teach the general public regarding the application of the Health Insurance Portability and Accountability Act (HIPAA) laws when it comes to sharing of COVID-19 vaccination status data and requests from persons regarding whether an individual has gotten immunization against COVID-19.
OCR explained in the guidance that HIPAA is applied to HIPAA-covered entities. HIPAA governed entities pertain to the health plans, healthcare providers, and healthcare clearinghouses that perform regular electronic transactions, and business associates of those entities that need access to or come across protected health information (PHI). OCR told the public that the HIPAA Privacy Rule is not applicable to employers or employment information. That consists of details gathered or saved by HIPAA-covered entities in their potential as an employer.
OCR described how HIPAA is applicable to COVID-19 vaccination details in particular circumstances via a website Q&A and explains:
The HIPAA Privacy Rule doesn’t stop businesses or men and women from inquiring whether or not their customers or clients have obtained a COVID-19 vaccine. People who work at a HIPAA-covered entity or business associate aren’t forbidden from questioning if a person has gotten a vaccine.
The HIPAA Privacy Rule won’t stop customers or clients of a company from exposing if they have gotten a COVID-19 vaccine.
The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.
The HIPAA Privacy Rule doesn’t hinder a covered entity or business associate from necessitating its labor force members to make known to their employers or other people if the employees have acquired a COVID-19 vaccine.
OCR has affirmed that, usually, the HIPAA Privacy Rule forbids a physician’s clinic from revealing a patient’s PHI, which includes COVID-19 vaccination data, to the person’s company or other entities. Such disclosures are allowed if in line with other regulations and pertinent ethical criteria, for instance revealing to a health plan to acquire payment for administering the vaccine and disclosures of such data to public health regulators.
OCR mentioned that there are situations when a HIPAA-covered clinic is allowed to share PHI pertaining to a persons’ vaccination condition to the person’s manager.
This is merely possible to permit the company, to carry out an assessment associated with medical monitoring of the work environment (e.g., surveillance of the spread of COVID-19 inside the employed pool) or to assess whether or not the person has a work-associated sickness. In such instances, disclosures are just allowed if all these conditions are met:
The covered hospital is delivering the medical care service to the person at the request of the individual’s boss or as a part of the employer’s labor force.
The PHI that is revealed includes results regarding work-connected sickness or workplace-associated medical supervision.
The company needs the information to be able to carry out its responsibilities under the legitimate regulators of the Mine Safety and Health Administration (MSHA), the Occupational Safety and Health Administration (OSHA), or state regulations possessing an identical objective.
The covered health care organization gives written notice to the person that the PHI associated with the medical supervision of the work environment and work-associated health issues will be shared with the manager.
This guidance is being given to aid customers, companies, and health care entities realize when HIPAA can be applied to sharing about COVID-19 vaccination state and to make sure that they get the details they require to make educated choices concerning safeguarding themselves and other people from COVID-19.