Can your employer ask you about your vaccination status and force disclosure of PHI? The short answer is, “Yes, but…” But it’s not as straightforward as that. As the United States continues to relax mask restrictions and open back up, the question of who needs to know about employees’ vaccination status has become a hot topic.
It's OK For Employers to Ask About Vaccinations, But There Are Right and Wrong Ways to Go About Requesting Patient Information
Before you say, “Wait, that’s my protected HIPAA information!” take a moment to remember that the Health Insurance Portability and Accountability Act applies to covered entities such as providers, health plans, clearinghouses, and their business associates.
Although you may be employed by an organization that is a covered entity, be aware that HIPAA rules do not extend to certain areas. For example, employers are not HIPAA-covered entities. So, if an employer asks for proof of vaccination in order to allow an employee to stop wearing a mask, the request may be permissible.
The employee may also have special protections that the employer is unaware of and should therefore have that conversation with their employer. Employers should consult with the Human Resources and privacy laws that apply to their jurisdiction.
Employers should also exercise caution when they are sourcing information regarding federal and state mandates; only credible sources should be utilized. Applicable policies and procedures may require updating to remain relevant.
This is why the short answer is, “Yes, but…”.
For fully vaccinated people providing their status, your employer may still request that you wear a mask as part of your workplace attire. Just like they might require you to wear a jacket or ask you to leave your flip-flops at home.
What Would Be a HIPAA Violation?
The official answer, according to the Department of Health & Human Services is this. HIPAA Rules generally require that covered entities and business associates enter into contracts with each other in order to ensure that they will appropriately safeguard protected health information and medical records.
A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.
How does this apply to an employer inquiring about whether or not an employee got his or her vaccination?
A violation occurs when your employer calls your doctor to request your vaccination status, and the physician gives the information without your consent. The violation would be the physician releasing the information from your medical records – not necessarily the employer requesting the information.
As the COVID-19 pandemic continues, many facets of the long-term implications remain unknown. Clear communication of expectations between employer and employee is vital to successful navigation.
InSync Offers Peace of Mind with HIPAA-Compliant EHR Software
When it comes to HIPAA regulations, it's always better to be proactive than reactive - to remain informed and compliant. Part of that proactive approach includes:
Accurate and thorough risk assessments to identify potential risks and vulnerabilities
Implementation of a risk management plan to address those risks and vulnerabilities
Implementation of an EHR software with security standards that fully align with and support a HIPPA-compliant ecosystem
Schedule a demo with InSync Healthcare Solutions and get a closer look at how the InSync EHR can support your growing medical practice.
Department of Health and Human Services: