Employee Vaccine Information: Privacy Concerns

Given the COVID-19 vaccine mandates, employers—including healthcare entities—will need to confirm their employees’ vaccination status. Employers and healthcare providers must ensure they comply with privacy rules relating to employee vaccination information, including those imposed by the Health Insurance Portability and Accountability Act (HIPAA) and Americans with Disabilities Act (ADA).

1. Employer Requests for Vaccination Information from Employees. The Office for Civil Rights (OCR) and the Equal Employment Opportunity Commission (EEOC) both have confirmed that employers may ask employees for vaccination information. The OCR published the following FAQ:

If my employer requires proof of my COVID-19 vaccination status, does that violate my rights under HIPAA?

In general, the HIPAA Rules do not apply to employers or employment records. HIPAA only applies to HIPAA covered entities – health care providers, health plans, and health care clearinghouses – and, to some extent, to their business associates. If an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer.

(OCR, FAQ)

While the ADA limits an employer’s ability to inquiry about disabilities, the EEOC posted the following FAQ confirming that employers may ask about vaccination status:

Under the ADA, is it a “disability-related inquiry” for an employer to inquire about or request documentation or other confirmation that an employee obtained the COVID-19 vaccine from a third party in the community, such as a pharmacy, personal health care provider, or public clinic?

No. When an employer asks employees whether they obtained a COVID-19 vaccine from a third party in the community, such as a pharmacy, personal health care provider, or public clinic, the employer is not asking a question that is likely to disclose the existence of a disability; there are many reasons an employee may not show documentation or other confirmation of vaccination in the community besides having a disability. Therefore, requesting documentation or other confirmation of vaccination by a third party in the community is not a disability-related inquiry under the ADA, and the ADA’s rules about such inquiries do not apply.

(EEOC, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws (“EEOC Guidance”))

2. Healthcare Provider Disclosures to Employers. Although the ADA permits employers to request vaccine or other COVID-related information from healthcare providers, HIPAA generally prohibits healthcare providers from disclosing protected health information (including information about vaccinations or COVID-19 tests they administered) to the employer without the patient’s written HIPAA-compliant authorization or the existence of another HIPAA exception. (45 C.F.R. § 164.502; 65 Fed. Reg. 82592 and 82640).^[1]

a. Employee Authorizations. A healthcare provider should generally obtain the patient’s written HIPAA authorization before disclosing vaccination status or COVID-19 test results to an employer. If the vaccination or test is administered on behalf of the employer with the understanding that the results are to be disclosed to an employer, the healthcare provider may condition the vaccine or test on the employee/patient’s authorization. (45 C.F.R. § 164.508(b)(4)(iii); 65 Fed. Reg. 82516 and 82658). In such cases, if the employee/patient refuses, the provider may refuse to administer the vaccination and/or test, which may result in adverse employment action against the employee/patient. (65 Fed. Reg. 82592 and 82640). A provider who relied on the authorization in performing the vaccination or test may generally refuse to allow the employee/patient to revoke the authorization once the vaccination or test has been administered. (45 C.F.R. § 164.508(b)(5)).

b. Exceptions to Authorizations. Absent the employee/patient’s authorization, a healthcare provider would generally need to fit within a HIPAA exception to disclose protected health information to the employer. To date, there is no general COVID-19 exception to the HIPAA privacy rules. (See, e.g., OCR, Bulletin: HIPAA Privacy and Novel Coronavirus (2/20)) As noted by the OCR, relevant exceptions for COVID situations might include:

• Disclosures for purposes of treating the patient or others, obtaining payment for the care rendered, or certain “healthcare operations” of the provider. (45 C.F.R. § 164.506).
• Disclosures required by law to the extent the law requires the disclosure. (45 C.F.R. § 164.512(a)).
• Disclosures to public health agencies as authorized by law. (45 C.F.R. § 164.512(b)).
• Disclosures to avert a serious and imminent threat of harm. (45 C.F.R. § 164.512(j))

Application of these exceptions in a given case will depend on the facts and there is no guarantee that the OCR will agree with the provider. Accordingly, if the provider wants to disclose vaccine or testing information to the employer, the safer course would be to obtain the employee’s HIPAA-compliant authorization.

3. Healthcare Provider’s Use of Its Own Employees’ Protected Health Information. Given the vaccine mandates, healthcare employers may want to access their own employees’ health information to verify vaccination or COVID-19 status. The rules for a healthcare provider’s use or disclosure of its employees’ health information depends on the capacity in which the healthcare provider obtained the information: did the provider generate or obtain the information in its capacity as a healthcare provider or simply as an employer?

a. Healthcare Provider Administered the Vaccine or Test. Hospitals and other healthcare providers often administer the vaccine or test to their own employees. In such cases, the healthcare provider is generally bound by HIPAA. As explained by HHS:

a covered entity must remain cognizant of its dual roles as an employer and as a health care provider [or] health plan....Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. It does not matter if the individual is a member of the covered entity's workforce or not. Thus, the medical record of a hospital employee who is receiving treatment at the hospital is protected health, information and is covered by the [Privacy] Rule, just as the medical record of any other patient of that hospital is protected health information and covered by the Rule. The hospital may use that information only as permitted by the Privacy Rule, and in most cases will need the employee's authorization to access or use the medical information for employment purposes.

....For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer-pursuant to the employee's authorization.

(67 Fed. Reg. 53191, emphasis added).

Based on this commentary, if the healthcare provider administered the vaccine or COVID-19 test to its employees, the general rules for HIPAA disclosures discussed above would still apply: the provider would generally need the employee/patient’s HIPAA-compliant authorization or another HIPAA exception to use or disclose the employee/patient’s protected health information for employment-related purposes.

Given the current COVID-19 surge, one might argue that using or disclosing vaccination status is necessary to prevent a serious and imminent threat of harm and, therefore, no authorization is required under HIPAA. (45 CFR 164.512(j)). To date, however, the OCR has stopped short of categorically classifying the potential spread of COVID-19 as a “serious and imminent threat of harm” so as to trigger the statute and, accordingly, application of this exception may be risky. (See, e.g., OCR Guidance)

Alternatively, a fairly strong argument can be made that using or disclosing an employee’s vaccination information fits within the HIPAA exception for “healthcare operations,” especially when the employer is subject to a vaccine mandate. Under HIPAA:

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities…; patient safety activities (as defined in 42 CFR 3.20)^[2]; …protocol development,…; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance,…accreditation, certification, licensing, or credentialing activities;

…

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with the requirements of this subchapter….

(45 C.F.R. § 164.501).

Although infection control is not specifically included in the definition of “healthcare operations,” one could argue that infection control is a subset of “quality assessment and improvement activities”; that an employer may and should verify an employee’s vaccination status when reviewing their “qualifications” to perform services; and/or that an employer may appropriately access the employee’s information to verify an employee’s vaccination and ensure its compliance with vaccine mandates. Even if the OCR were to disagree, it is doubtful that the OCR would find that such an interpretation would amount to “willful neglect” so as to trigger mandatory HIPAA penalties especially when the Administration has mandated vaccines for healthcare workers. (See 45 C.F.R. § 160.401 et seq.). Nevertheless, we have not tested these arguments and there is no guarantee how the OCR would respond. Again, the safer course would be to obtain the patient/employee’s authorization before accessing or using their protected health information.

b. Healthcare Provider Obtained the Information Solely as an Employer. In contrast to the situation in which the provider administered the vaccine or test, HIPAA generally does not apply to information obtained by a healthcare provider about its employees while the provider was acting solely in its capacity as an employer, and not as a healthcare provider or health plan. HIPAA defines “protected health information” to exclude information “held by a covered entity in its role as employer.” (45 C.F.R. § 160.103). The OCR explained:

The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.

If you work for a health plan or a covered health care provider:

• The Privacy Rule does not apply to your employment records.

• The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

(OCR, Employers and Health Information in the Workplace)

The commentary to the HIPAA Privacy Rule includes the following:

Comment: One commenter asked for clarification as to how [HHS] would characterize the following items that a covered entity may have: (1) medical file kept separate from the rest of an employment record containing (a) doctor’s notes; (b) leave requests; (c) physician certifications; and (d) positive hepatitis test results; (2) FMLA documentation including: (a) physician certification form; and (b) leave requests; (3) occupational injury files containing (a) drug screening; (b) exposure test results; (c) doctor’s notes; and (d) medical director’s notes.

Response: As explained above, the nature of the information does not determine whether it is an employment record. Rather, it depends on whether the covered entity obtains or creates the information in its capacity as employer or in its capacity as covered entity....It is the function being performed by the covered entity and the purpose for which the covered entity has the medical information, not its record keeping practices, that determines whether the health information is part of an employment record or whether it is protected health information.

(67 Fed. Reg. 53191, emphasis added).

Accordingly,

[w]hen the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. The covered entity as employer, however, may be subject to other laws and regulations applicable to the use or disclosure of information in an employee's employment record.

(Id. at 53192).

As applied to COVID-19, if the healthcare provider obtained an employee’s vaccination status or other COVID-19 information about an employee solely through its function as an employer (e.g., an employee reported her vaccination status, test results, or symptoms to a supervisor), and not through rendering any healthcare to the employee or through information received through the employee benefit plan, then HIPAA would not apply to the information or the employer’s use of the information. However, as the HHS commentary notes, other laws may apply, including the ADA.

4. Health Information Obtained by an Employer. Whether or not HIPAA applies, once an employer obtains an employee’s vaccination or other health information, the employer is obligated to keep the information in a file separate from the employee’s personnel file and maintain the confidentiality of such information. (29 C.F.R. § 1630.14(c). As the EEOC recently stated,

Is information about an employee’s COVID19 vaccination confidential medical information under the ADA?

Yes. The ADA requires an employer to maintain the confidentiality of employee medical information, such as documentation or other confirmation of COVID19 vaccination. This ADA confidentiality requirement applies regardless of where the employee gets the vaccination. Although the EEO laws themselves do not prevent employers from requiring employees to bring in documentation or other confirmation of vaccination, this information, like all medical information, must be kept confidential and stored separately from the employee’s personnel files under the ADA.

(EEOC Guidance)

The ADA limits access and use of employee medical information to the following circumstances:

1. Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations;
2. First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and
3. Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.

(29 C.F.R. § 1630.14(c)(1)).

Employers—including healthcare employers—should ensure that their managers, supervisors and other relevant personnel understand the importance of and rules concerning confidentiality of vaccine and other COVID-19 information.

Conclusion. Healthcare providers and other employers must navigate a maze of overlapping federal and potentially state laws when implementing existing and forthcoming vaccine mandates. It is possible that relevant agencies will issue new rules or guidance to make the implementation less burdensome. In the meantime, however, employers need to ensure that their use and/or disclosure of vaccine information—like other COVID-19 information—complies with relevant state and federal laws, including HIPAA and the ADA.

[1] For more information about disclosures to employers, see our client alerts at https://www.hollandhart.com/hipaa-disclosing-exam-results-to-employers and https://www.hollandhart.com/disclosing-employees-covid-19-status-to-employer.

[2]  42 CFR 3.20 defines “patient safety activities” as the following activities carried out by or on behalf of a provider:

1. Efforts to improve patient safety and the quality of health care delivery;
2. The collection and analysis of patient safety work product;
3. The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
4. The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
5. The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
6. The provision of appropriate security measures with respect to patient safety work product;
7. The utilization of qualified staff; and
8. Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.