HIPAA Vaccination Law: A Guide

As COVID-19 vaccinations are now available to most of the adult U.S. population, employers are concerned that requiring vaccinations, asking whether an employee has been vaccinated, or demanding to see a vaccination card, may violate HIPAA.

HIPAA Vaccination Law

Generally, an employer may require an employee to be vaccinated as a condition of keeping his or her employment. Generally, an employer may ask an employee if the employee has been vaccinated. Generally, an employer may require the employee to show the employer a COVID vaccination card. Generally, a place of public accommodation, such as a restaurant or movie theater, may require a customer or patron to provide proof of vaccination.

Employment Relationships and Privacy Laws

In the United States, unless an employee has a specific contract of employment with an employer, the employee is said to be an “at-will” employee. What this means is that an employee may resign at any time. It also means that an employer may terminate someone’s employment whenever the employer wishes to, and for any reason. 

There are limits to the “at-will” rule. An employer may only terminate an employee for a lawful reason. Example: I am an employer. One of my “at-will” employees has a disability. The employee’s work performance has been sub-par, for reasons having nothing to do with the disability. The law allows me to terminate this employee for the sub-par work performance. The law does not allow me to terminate the employee because he or she is disabled. To do so would violate the federal Americans With Disabilities Act. In this instance, even though the employee’s relationship is “at will,” the employee has been unlawfully terminated.

Since employees are “at will,” the question becomes whether requiring a vaccination violates a specific law. 

There are two possible legal suspects. Employers have asked whether requiring vaccination, asking about vaccination, and demanding to see a vaccination card, are unlawful under:

  • The Americans With Disabilities Act
  • Title VII of the Civil Rights Act of 1964

Does Requiring Vaccination Violate HIPAA: HIPAA Vaccination Law and OSHA?

No. HIPAA was designed to give patients greater control over the privacy and security of their health information. Employers who are not covered entities or business associates are not bound by the HIPAA Privacy Rule in the first instance, and as such, HIPAA does not bar employers from requiring, asking about, or demanding proof of vaccination. Some employers are covered entities. Some are business associates. 

In general, covered entities must safeguard the privacy of patient health information. Business associates who access patient PHI on covered entities’ behalf must safeguard that information as well. However, if someone is simply an employee of a covered entity, and is not a patient of the covered entity, the HIPAA regulations do not prohibit that covered entity from asking whether the employee has been vaccinated. Employers may ask employees questions about whether they are ill. Such questions can be asked when the illness in question is COVID-19.  

The Occupational Safety and Health Act (OSH Act) requires employers to furnish a safe and healthful workplace to employees. An employer who treats COVID-19 as if it does not exist – an employer who allows patients with COVID to remain in the workplace, and who does not ask employees if they have received an antibody test or a COVID test – is not taking measures to provide a safe and healthful workplace. Requiring an employee to be vaccinated, asking about whether an employee has been vaccinated, and requiring proof of vaccination in the form of a vaccination card, are all measures taken to provide a safe and healthful workplace. One law, HIPAA, does not prevent these measures to be taken, and another law, OSHA, encourages these measures to be taken. 

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance