Q&A: HIPAA doesn’t apply to employee information | Vigilant

Vigilant Blog

News, trends and analysis in employment law, HR, safety & workers' comp

Home » Blog » Q&A: HIPAA doesn’t apply to employee information

Oct 21, 2021

Q&A: HIPAA doesn’t apply to employee information

Question: We implemented a mandatory COVID-19 (coronavirus) vaccine policy for all employees. Some employees are refusing to produce proof of vaccination status because they believe they have the right to refuse under the Health Insurance Portability and Accountability Act (HIPAA). We’re a private employer operating a manufacturing facility. Does HIPAA apply to us?

Answer: No. There is widespread misinformation about the privacy rules under HIPAA, including who is subject to these rules and what they require. The federal Department of Health and Human Services (HHS) recently issued guidance on the applicability of HIPAA to COVID-19 vaccination information. In short, HIPAA rules governing the privacy and security of health information apply only to “covered entities,” and to a limited extent, their business associates. A covered entity is defined as: (1) a health plan; (2) a health plan clearinghouse; or (3) a health care provider who transmits any health information in electronic form to carry out financial or administrative activities related to healthcare. (See the federal regulations at 45 CFR 160.103.)

More importantly, all employers, even covered entities and business associates, have the right to ask their workers about their vaccination status, because HIPAA doesn’t apply to employment records held in the capacity of an employer. If you don’t meet the definition of a covered entity or business associate, you don’t have to comply with any of the HIPAA rules. This means that you may ask customers, visitors, and employees for proof of vaccination status for the purpose of enforcing workplace safety rules. The HHS guidance also makes clear that HIPAA privacy rules don’t apply when an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or any other individual. However, the Americans with Disabilities Act (ADA) requires you as an employer to store all employee medical records in a file separate from the personnel file. You must keep all employee medical information strictly confidential and disclose it only to those who have a business need to know. The Equal Employment Opportunity Commission (EEOC) has provided additional guidance on the ADA and COVID-19 as we previously reported here. Questions? Contact your Vigilant Law Group employment attorney.

This website presents general information in nontechnical language. This information is not legal advice. Before applying this information to a specific management decision, consult legal counsel.
divider--carrot
About The Author

Kara Craig

Employment Attorney Vigilant Law Group
  • Born and raised in Quincy, Illinois, B.A. and law degree from the University of Illinois
  • Attorney licensed in Washington and Oregon
  • Holds fast to her Midwestern roots and will never pass up fried cheese curds
  • Avid fan of college basketball, tennis and Mark Twain
View all posts
Read bio

Free Legal Guides & Model Policies

More Free Downloads
downloads-graphic-SVG
Browse By Category
Browse By Topic
Filter By State
Get Our Newsletter
Sign Up Today
Connect With Us

Linkedin

Don’t Navigate Employment Issues On Your Own

Learn how Vigilant membership can help with your complex employment situations.
Get in Touch Today
Scroll to Top