Provided by:  Jennifer Kirschenbaum, Esq.

October 28, 2021


Hi Jennifer,

How does HIPAA apply to information regarding my employees COVID-19 vaccination status?

Dr. P


There has been some widespread confusion over whether HIPAA prevents an employer from requiring an employee to disclose their vaccination status. Due to this confusion, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance regarding when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures of an individual’s COVID-19 vaccination status. This OCR guidance is a useful resource for businesses considering implementing vaccine mandates, as well as employers responding to customer/patient questions. OCR Director, Lisa Pino, stated, “We are issuing this guidance to help consumers, businesses and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.”

As a helpful reminder, the HIPAA Privacy Rule only applies to HIPAA covered entities (and some business associates) and does not apply to employers or employment records. HIPAA-covered entities are health plans, health care clearinghouses and health care providers that conduct standard electronic transactions.

According to OCR’s guidance, the Privacy Rule does not regulate the ability of HIPAA covered entities to request information from patients and visitors. Rather, the Privacy Rule regulates how and when covered entities are permitted to use and disclose their patient’s protected health information, including their vaccination status, that the covered entity created, received, maintained, or transmitted. That is, the Privacy Rule does not prohibit a covered entity from asking an individual about their vaccination status, but it does regulate how and when that entity can use or disclosure that information. Additionally, the Privacy Rule does not dictate whether an individual discloses or conceals their own medical information to others—including vaccination status.

The Privacy Rule does not prevent an employer from requiring an employee to disclose their vaccination status. However, other federal or state laws, such as the Americans with Disabilities Act (ADA), do address terms and conditions of employment. The ADA requires employers to maintain the confidentiality of employee medical information, including whether they have received the COVID-19 vaccine. This means that employers are prohibited from answering a patient’s question of whether an individual employee is vaccinated.

We are here to help ensure that you are compliant with all pertinent employment laws when determining whether to request an employer’s vaccination status. Call or email if you wish to discuss.