As employees return to the workplace, an increasing number of employers are asking their workers to provide proof of their COVID-19 vaccinations. This has led to many questions and concerns about whether such a practice is permitted under various healthcare privacy laws, particularly the Health Insurance Portability and Accountability Act (“HIPAA”).
At first glance, the Department of Health and Human Services’ (“HHS”) stance on HIPAA’s applicability to employer requests for COVID-19 vaccination records is fairly straightforward:
[I]f an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer.
What this statement does not address are the considerations and potential pitfalls for covered entity employers obtaining proof of COVID-19 vaccination from their employees. Such employers could include a healthcare provider that administers the COVID-19 vaccine to its own employees or an employer-sponsored group health plan.
Covered entity employers must still exercise caution when they collect employee COVID-19 vaccination records, and ensure they do not inadvertently violate their HIPAA obligations with respect to their employees’ protected health information (“PHI”).
Covered Entity or Employer?
In circumstances involving employee COVID-19 vaccination records, a covered entity needs to distinguish whether it is acting in its capacity as a covered entity (such as a health plan or a healthcare provider) or as an employer when it accesses or uses the employee health information.
Individually identifiable health information contained in the employment records held by a covered entity in its role as employer is excluded from the definition of PHI. This means employee COVID-19 vaccination records voluntarily provided to an employer (including a covered entity employer) for employment purposes would technically be excluded from HIPAA rules governing the protection of PHI.
However, this does not grant covered entity employers unrestricted access to their employees’ COVID-19 vaccination records. For example, if an employee obtains his or her vaccination from the hospital that also employs him or her, it might be tempting for the hospital to immediately send the employee’s vaccination information to the HR Department and/or access the employee’s medical record to obtain proof of vaccination.
Such actions could trigger a HIPAA violation, since the hospital provided the vaccination to the employee in its capacity as a covered entity healthcare provider. Any subsequent use or disclosure of the patient’s COVID-19 vaccination record by the hospital is therefore subject to the restrictions of HIPAA, regardless of the patient’s employment status with the hospital.
If a covered entity employer wishes to obtain proof of its employee’s COVID-19 vaccination using the medical records maintained by the covered entity employer, the covered entity employer should treat itself the same as it would any third-party employer seeking similar information. In other words, the covered entity employer should obtain a signed HIPAA patient authorization from its employee before using or disclosing the employee’s COVID-19 vaccination record internally for employment-related purposes.
To the extent a covered entity employer seeks an employee’s signed HIPAA authorization, it should also ensure it does not require the employee to sign the authorization before receiving the COVID-19 vaccine from the covered entity employer, and does not otherwise make the authorization a condition of treatment or payment. A HIPAA authorization can be invalidated if treatment, payment, or eligibility for health plan benefits is conditioned on the employee signing it.
Alternatively, if the covered entity employer already maintains the employee’s COVID-19 vaccination record, including as the employee’s healthcare provider or health plan, the employee can still voluntarily provide the proof of COVID-19 vaccination directly to the covered entity employer to be used for employment purposes. For example, the covered entity employer might ask an employee to provide a copy of his or her CDC vaccination card directly to the HR Department. However, the covered entity employer should not access or use its healthcare provider or health plan records to obtain the employee’s COVID-19 vaccination details without a HIPAA patient authorization.
Overall, a covered entity employer wears two hats: one as a healthcare provider, health plan, or healthcare clearinghouse, and another as the employer. When it comes to an employee’s proof of COVID-19 vaccination, the covered entity employer should determine what “hat” it is wearing before using or disclosing any employee COVID-19 vaccination information. If the COVID-19 vaccination record is not in the employee’s employment record, it is PHI subject to HIPAA protections.
HIPAA is not the only consideration when it comes to the privacy and confidentiality of employee COVID-19 vaccination records. Employers should ensure they are compliant with other applicable state or federal laws and requirements related to employee health information, including but not limited to the Americans with Disabilities Act. Employers should consult with an attorney regarding their obligations with respect to employee COVID-19 vaccination records under HIPAA and any other applicable laws.
See Department of Health and Human Services, Frequently Asked Questions, available at https://www.hhs.gov/answers/if-my-employer-requires-proof-of-my-covid-19-vaccination-status/index.html
45 CFR 160.103