HIPAA Vaccination Law: A Guide

As COVID-19 vaccinations are now available to most of the adult U.S. population, employers are concerned that requiring vaccinations, asking whether an employee has been vaccinated, or demanding to see a vaccination card, may violate HIPAA.

There are limits to the “at-will” rule. An employer may only terminate an employee for a lawful reason. Example: I am an employer. One of my “at-will” employees has a disability. The employee’s work performance has been sub-par, for reasons having nothing to do with the disability. The law allows me to terminate this employee for the sub-par work performance. The law does not allow me to terminate the employee because he or she is disabled. To do so would violate the federal Americans With Disabilities Act. In this instance, even though the employee’s relationship is “at will,” the employee has been unlawfully terminated.

Since employees are “at will,” the question becomes whether requiring a vaccination violates a specific law. 

There are two possible legal suspects. Employers have asked whether requiring vaccination, asking about vaccination, and demanding to see a vaccination card, are unlawful under:

• HIPAA
• The Americans With Disabilities Act
• Title VII of the Civil Rights Act of 1964

Does Requiring Vaccination Violate HIPAA: HIPAA Vaccination Law and OSHA?

No. HIPAA was designed to give patients greater control over the privacy and security of their health information. Employers who are not covered entities or business associates are not bound by the HIPAA Privacy Rule in the first instance, and as such, HIPAA does not bar employers from requiring, asking about, or demanding proof of vaccination. Some employers are covered entities. Some are business associates. 

In general, covered entities must safeguard the privacy of patient health information. Business associates who access patient PHI on covered entities’ behalf must safeguard that information as well. However, if someone is simply an employee of a covered entity, and is not a patient of the covered entity, the HIPAA regulations do not prohibit that covered entity from asking whether the employee has been vaccinated. Employers may ask employees questions about whether they are ill. Such questions can be asked when the illness in question is COVID-19.  

The Occupational Safety and Health Act (OSH Act) requires employers to furnish a safe and healthful workplace to employees. An employer who treats COVID-19 as if it does not exist – an employer who allows patients with COVID to remain in the workplace, and who does not ask employees if they have received an antibody test or a COVID test – is not taking measures to provide a safe and healthful workplace. Requiring an employee to be vaccinated, asking about whether an employee has been vaccinated, and requiring proof of vaccination in the form of a vaccination card, are all measures taken to provide a safe and healthful workplace. One law, HIPAA, does not prevent these measures to be taken, and another law, OSHA, encourages these measures to be taken. 

HIPAA is implicated in the context of vaccinations when an employer asks an employee to provide medical documentation from that employee’s medical provider. There is a legal difference between requiring an employee to self-disclose by showing a vaccination card, and requiring the employee to have his or her doctor submit confidential medical information. In the first situation, a covered entity is not being asked or required to do something; the employee is. In the second situation, the situation in which a provider is being asked to provide information about COVID vaccination dates, eligibility, COVID test results, or any other protected health information related to COVID, HIPAA applies as it would in any other situation. This means that the employer may only obtain the information upon the patient’s providing written authorization allowing the provider to give the employer the information. The employer must also take care to ask the provider only what is needed by the employer to determine that an employee is not a safety or health threat to the employer’s business. Asking a provider for the time and date of vaccination suffices for this purpose. A provider who provides this information, and no more, has complied with HIPAA. 

Does Requiring Vaccination Violate the Americans with Disabilities Act?

Yes. Let’s change the facts slightly. Let’s say our hypothetical employer asks the provider to give the time and date information. Let’s say that the employer, because he or she is worried (honestly or not) about the spread of COVID in the office, ALSO asks the provider for information about the patient’s non-COVID-related medical exams. By asking these additional questions, the employer has gone too far.

What law has the employer potentially violated? Not HIPAA. The law that the employer may have violated is the federal Americans With Disabilities Act (ADA). This law prevents employers from discriminating on the basis of disability. Most employers will rarely admit outright that they are doing so. An employer will not tell an employee, “By making you undergo a complete medical exam, I am trying to determine whether you are disabled, because if you are disabled, you cannot work here.” To ensure employers are not given the opportunity to discriminate on the basis of disability, the ADA proverbially cuts employers off at the pass. The ADA prevents employers from requiring employees to submit to medical exams, or to ask detailed questions that would be asked during a medical exam.  

An employer who, out of concern for the health and safety of the workforce, asks an employee whether the employee has been vaccinated, or requires the employee to receive the vaccine and present an ID card is not, under the law, giving an employee a “medical exam” or asking “medical exam” questions. The employer is simply seeking information enabling it to determine whether an employee poses a direct safety or health threat to the workplace. The ADA does not prohibit asking for this information. 

An employer who, on the other hand, asks an employee questions pertaining to medical exams the employee has had in the last five years, is asking for more than is needed to make a “direct safety or health threat” determination. The employer is asking for information that could turn up information about a disability, which the employer can then use to discriminate. The ADA does not allow this.

By the same token, the ADA does not allow an employer to require a disabled person to be vaccinated (upon pain of being terminated) when the disability makes that employee ineligible for the vaccine. If, hypothetically, an employee is allergic to an ingredient of a vaccine, such that taking the vaccine would cause the patient to experience severe illness, the employer cannot require the employee to be vaccinated. To do so would be to discriminate on the basis of a disability. An employer may not, under the guise of “workplace health and safety,” take actions the employer knows will subject a disabled employee to harmful side effects that can be traced to the disability. 

HIPAA Vaccination Law: Must Employers Offer Reasonable Accommodations?

Employees who cannot be vaccinated because of a disability are entitled to request what the ADA calls a “reasonable accommodation.” A reasonable accommodation is an accommodation given by the employer that, on the one hand, allows the employee to perform the duties of his or her position, while, on the other hand, allows the employer to maintain a safe and healthful workplace. Examples of reasonable accommodations that can isolate the employee from the workforce to ensure workplace safety include telecommuting, temporary reassignment of marginal job duties, a temporary transfer to a different position, a modified work schedule or shift assignment, or extended paid or unpaid leave.

Employers are not required to provide reasonable accommodation when doing so would pose an “undue hardship.” Examples of accommodations that may cause undue hardship include accommodations that are costly, accommodations that compromise workplace safety or decrease workplace efficiency, and accommodations that infringe on the rights of other employees, or require other employees to do more than their share of potentially hazardous or burdensome work.

The issue of reasonable accommodations also comes up in the context of religious objections. Title VII of the Civil Rights Act of 1964 is a federal law that prevents discrimination on the basis of (among other things) religion. An employee who has a sincerely-held religious belief that vaccination conflicts with religious teachings, is entitled to request a reasonable accommodation. Examples of religious accommodations may include scheduling changes (arrivals, departures, floating/optional holidays, flexible work breaks and any other scheduling changes); voluntary shift substitutions and/or swaps; job reassignments, such as changes of position tasks and lateral transfers; and modifications to workplace practices, policies and procedures. 

HIPAA Vaccination Law: What About State Laws?

The above discussion relates to what federal law does and does not permit. States have a role to play in enforcement of employment laws, and enforcement of workplace health and safety regulations. As the COVID-19 vaccine has become increasingly available at the state level, a number of states are contemplating legislative measures. Some states are considering passing legislation to prevent employers from mandating vaccinations. These states are also considering passing laws to protect individuals who refuse vaccinations from being terminated. 

For example, proposed legislation in Kansas, Senate Bill 213, would prohibit employers from taking adverse action against employees who refuse to get the COVID-19 vaccine. An adverse action is defined as an ultimate employment decision involving hiring, firing, compensation, benefits, or the failure to promote or grant leave. The bill would impose a $1,000 fine for employers who violate this restriction. 

Maryland House Bill 1171 would prohibit an employer from terminating an employee solely on the basis of the employee’s refusal to receive a vaccination against COVID–19. To balance the scale, the Maryland House Bill provides that an employee waives the right to file a civil lawsuit against the employer if the employee has refused to receive a vaccination and the employee contracts COVID–19 in the course of employment. Proposed legislation in other states prohibits employers from terminating employees who refuse to be vaccinated without first offering reasonable accommodations.

Can Employers Require Employees to be Physically Present?

In the absence of a state or local law restricting the number or percentage of employees who may work on the employer’s premises, an employer may generally require an employee to come to work during the COVID-19 pandemic. The employer may require employees to wear masks and to engage in other social distancing measures.

Why can an employer do this? Again, under OSHA, employees are entitled to a safe workplace. While an employer may require physical presence at work, the employer remains obligated to provide a safe and healthful workplace. Employees who have concerns about the workplace being unsafe may bring these concerns to their employer. The employer may not retaliate against an employee for doing so. If the employer retaliates, the employee may file an OSHA whistleblower complaint. 

HIPAA Vaccination Law: What Can Medical Offices Ask Patients?

A medical office may ask patients whether they have received the coronavirus vaccine, just as a medical office may ask patients about whether they have received other vaccinations. HIPAA permits providers to ask such questions in order to carry out treatment. A thornier issue is whether a healthcare provider may refuse to treat a prospective patient who is unvaccinated. 

Unvaccinated individuals as a class are not a protected group under the law, in the way that, say, individuals 40 and over are (the Age Discrimination in Employment Act prohibits job termination based on someone’s age). If a doctor learns that someone is unvaccinated after that person is already a patient, the doctor is generally not prohibited from dismissing the patient. State medical professional responsibility laws generally require that a doctor who terminates a patient because the patient is not vaccinated, give the patient adequate notice and an opportunity to find other doctors, before dismissing the patient.

HIPAA Vaccination Law: What About Customers of Restaurants and Stores?

Many places of public accommodation, such as restaurants, sports stadiums, and stores, are concerned about whether they can ask patrons to submit proof of vaccination as a condition of receiving service, or as a condition of attending an event. Until April of 2021, no law prohibited a business from requiring proof of vaccination as a condition of receiving service. Recently, Florida Governor Rick DeSantis signed SB 2006 into law. Under this new law, private businesses may not require patrons or customers to provide any documentation certifying COVID-19 vaccination or post-infection recovery to gain access to, or service from, the business.  

SB 2006 and laws like it will likely be subject to legal challenges. Some businesses may regard SB 2006 as an illegal restriction on their right to choose who can come into the business for the safety and protection of staff, customers, and their family. Some businesses may believe that SB 2006 impedes their ability to protect themselves from lawsuits seeking to hold them liable for customers’ or employees’ COVID-19 infections.

HIPAA Vaccination Law: What About Masks?

While SB 2006 prohibits a business from requiring a customer to show a vaccination passport, the law specifically notes that businesses may still institute screening protocols consistent with authoritative or controlling government-issued guidance to protect public health. Essentially, the law prohibits vaccine passports on the grounds that requiring a customer to show a passport violates that person’s right to privacy.

The same “right to privacy” consideration does not exist with respect to masks. Current CDC guidelines permit individuals who have been fully vaccinated to go maskless in most indoor places. CDC guidance is, just as the name says, guidance. Federal and state lawmakers commonly act on the advice but generally are not required to. States are making their own determinations as to whether to follow the guidance. A state that has chosen not to embrace the “maskless” guidance just yet may still require the wearing of masks in indoor places. Regardless of whether the state requires wearing of a mask, individual businesses may require that customers wear masks. To date, there is no law that prohibits businesses from requiring individuals to wear masks, to ensure the safety of employees and other customers.