Attached is recent Guidance from Office for Civil Rights (“OCR”), the agency within the U.S. Department of Health and Human Services responsible for, among other things, enforcing compliance with HIPAA. The guidance highlights that HIPAA only applies to the three categories of covered entities—health plans, health care clearinghouses and health care providers that conduct standard electronic transactions—and their respective business associates. More particularly, OCR’s guidance aims to clarify when HIPAA applies to the disclosures of, and requests for, information regarding whether an individual has received one of the COVID-19 vaccines, with a specific focus on the workplace.
The guidance is organized into five FAQs, each followed by a detailed response. The general response is no to questions 1-4 and yes to question 5:
- Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?
- Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?
- Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?
- Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?
- Does the HIPAA Privacy Rule prohibit a doctor’s office from disclosing an individual’s protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?
UTCA Staff is doing its best to keep you informed on all COVID related rules / guidance and as the information becomes available we will be getting it to you. If you have any questions please call Dave at 732-292-4300 or email Dave