New HIPAA Guidance from OCR on COVID-19 Vaccines and the Workplace

Published: October 7, 2021

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance regarding the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy rule (the “Privacy Rule”) in the form of Q&A to assist covered entities in determining when it is appropriate to release or request protected health information (“PHI”) related to an individual’s COVID-19 vaccination status.

Specifically, OCR provided certain examples of instances in which a covered entity may permissibly disclose PHI, including, without limitation, the following:

Unless an exception applies, the Privacy Rule otherwise prohibits a covered entity from disclosing PHI. Accordingly, in instances in which an exception does not apply, a covered entity disclosure of PHI, including, without limitation, the vaccination status of an individual to a third party (e.g., sports arena, hotel, resort, cruise ship or airline) would require a valid HIPAA authorization or court order.

The OCR also confirmed that the Privacy Rule generally does not apply to a covered entity or business associate in their capacity as employers, which is consistent with the regulations and prior pronouncements. Therefore, according to the OCR, a covered entity or business associate is permitted to require or request its workforce members to:

For questions about this alert, please contact the authors. Also, visit the Steptoe & Johnson Health Care Team on LinkedIn to keep up with the latest developments in health care law.

Stay informed. Sign up for our mailing lists.

Stay Informed

All of our news and resources are shared electronically. Select your preferred list(s) below.(Required)