More and more employers, including the federal government are considering either vaccine mandates or knowledge of an employee’s vaccination status. Even President Biden will require vaccinations or knowledge of it for all government employees. In the news recently, Dak Prescott, quarterback of the Dallas Cowboys, and Congressperson Marjorie Taylor Green both cited HIPAA as a reason to not disclose. How should employers respond when employees yell out HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information” or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans. Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Employers are generally exempt from HIPAA requirements. Although vaccination information is classified as PHI and is covered by HIPAA Rules, HIPAA does not apply to these questions by employers. Hence, if an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation.
An employer can ask for a doctor’s note or other health information if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance. If the employer directly asks the employee’s healthcare provider for such information, the healthcare provider would violate HIPAA if the information is provided without employee’s authorization. Therefore, the employer should ask the employee for authorization for these records.
Moreover, an employer should not require employees to disclose additional health information such as the reason why they are not vaccinated. These questions could lead to liability under other federal laws such as the ADA.
Similar to ADA or FMLA requests for health information, if an employee fails to provide such information, they could be disciplined or denied protections under the law. Employers need this information in order to determine if an employee is FMLA eligible or to identify reasonable accommodations. If an employee yells HIPAA (or claims its unconstitutional) when requesting vaccination information, HR should consult with legal counsel before proceeding with any adverse actions in order to err on the safe side.
Source: HIPAA Journal 5/25/21, HHS.gov, CDC