Guidance Issued on HIPAA and COVID-19 Vaccinations 

Situation Report | October 11, 2021 

On September 30, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine. 

The guidance is available on the HHS website.

The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule applies only to HIPAA covered entities (health plans, health care clearinghouses and health care providers that conduct standard electronic transactions) and, in some cases, to their business associates.

The guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. Points made in the guidance include:

  • The Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status. 
  • The Privacy Rule does not apply when an individual asks a company, such as a home health agency, whether its workforce members are vaccinated. 

For additional information on the Privacy Rule and its application, click here.