OCR: HIPAA Doesn’t Preclude Vaccine Question, It Protects the Answer

There’s nothing stopping hospitals and other providers from asking patients whether they’ve been vaccinated for COVID-19 under HIPAA. Patients don’t have to answer, but if they do, the privacy rule kicks in, according to new guidance from the HHS Office for Civil Rights (OCR).[1] By the same token, HIPAA doesn’t apply to employment records or have anything to say about employer vaccination mandates and related documentation requirements.

“The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit,” the guidance explains.

And despite what’s on social media, HIPAA doesn’t apply when people are asked their vaccination status by other people, employers, restaurants, and anyone else that’s not regulated by HIPAA, OCR explained. People can reveal whether they got the shot or any health information and it has nothing to do with HIPAA.

This document is only available to subscribers. Please log in or purchase access.
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field