DHS says employers are free to ask about vaccination status

Maybe you’ve encountered employees who won’t tell you their covid vaccination status because they say you’re infringing on their medical privacy. Nothing could be further from reality, according to the Department of Health and Human Service Office for Civil Rights (OCR). OCR has issued guidance on HIPAA’s privacy rules and the pandemic.

Feel free to ask employees about vaccination status

Asking employees about their vax status doesn’t legally infringe their privacy, medical or otherwise, nor does it violate HIPAA’s privacy rules.

HIPAA’s privacy rules only apply to covered entities — health plans, health care clearinghouses, and health care providers conducting standard electronic transactions. They do not apply to employers and employment records. Even employers covered by the privacy rule (for example, a hospital) get a pass in their capacity as employers.

So you can ask employees about their vaccination status and require them to present proof of their vax status. A covered entity such as your group health plan can ask your employees about their about vax status; they just have to keep it private.

Of course, employees can authorize covered entities to disclose their protected health information, but employees’ consent isn’t always necessary. A couple of exceptions to HIPAA’s privacy rules may apply here:

  • A health plan may disclose an individual’s vax status where required to do so by law. We’ll have to wait and see if OSHA’s upcoming emergency temporary standard meets the as-required-by-law standard.
  • A covered hospital can disclose protected health information relating to employees’ vaccination status to you so you can conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of covid-19 within your workforce) or to evaluate whether employees have a work-related illness, but only if all of the following conditions are met:
    • The hospital is providing the health care service to employees at your request or as a member of your workforce.
    • The disclosure consists of findings concerning work-related illness or workplace-related medical surveillance.
    • You need the information in order to comply with OSHA’s health and safety obligations or state laws having a similar purpose.
    • The hospital provides written notice of the disclosure of PHI to the individual.

But there’s more to consider

Having a mandatory vaccination policy, provided you accommodate employees with religious objections under Title VII or medical reasons under the Americans with Disabilities Act is standard fare by now. And just like HIPAA, the ADA has privacy rules.

Once employees present their vax cards or other proof of vaccination to you, or tell you they can’t be vaccinated, the ADA requires you to keep this information confidential and stored separately from employees’ personnel files.