Is it a HIPAA Violation to Request Certification of Vaccine Status?

There has been a great deal of uncertainty regarding the case of inquiring somebody if they have gotten a COVID-19 vaccine. Does it constitute a HIPAA violation, particularly with regards to employers asking their staff to give evidence of being vaccinated against COVID-19 to stop putting on a face mask in the office?

The Health Insurance Portability and Accountability Act (HIPAA) has conditions associated with privacy and uses and disclosures of protected health information (PHI). An individual’s vaccination status is considered as PHI. The HIPAA Privacy Rule restricts the use and disclosures of individuals’ PHI to those essential for treatment, billing, or healthcare procedures. Other uses and disclosures typically call for the provision of a written consent by the individual before the use and disclosure of their PHI. Therefore how does HIPAA relate with requests for proof of vaccine status?

HIPAA and Evidence of Vaccine Status

Vaccination information is considered as PHI and is under the coverage of the HIPAA Guidelines; nevertheless, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – along with their business associates. When an employer asks a worker to present confirmation that they got vaccinated to permit that person to work without putting on a facemask, that is not a HIPAA violation because HIPAA doesn’t apply to employers.

It would likewise not be a HIPAA violation for an employer to question an employee’s healthcare provider for certification of vaccination. Nevertheless, the employee’s healthcare company would be violating HIPAA in case it discloses that information to their employer, except if the individual had given the authorization to do so.

Just as a company can order all workers to wear a uniform in the place of work, an employer may have a policy that necessitates employees to put on a facemask for the duration of a pandemic to safeguard other workers and to turn down entry to the place of work if a mask is not worn.

Inquiring about vaccine status won’t violate HIPAA however it is probable that other laws may be violated. For instance, demanding employees to expose additional health data such as the reason why they’re not vaccinated can possibly violate federal regulations in a few cases, though this wouldn’t be a HIPAA violation. It is additionally possible for states to introduce legislation that forbids employers from questioning workers concerning their vaccine status.

On May 18, 2021, reporters asked Rep. Marjorie Taylor Greene, (R-Ga) whether she had been vaccinated since she had declined to wear a mask on the House floor. In breach of House rules, a number of GOP members had rejected wearing a mask, although they were not vaccinated. Greene informed reporters that asking her regarding her vaccine status violates the HIPAA, however, this was not correct as reporters are not covered by HIPAA.

Disclosure of an Individual’s Vaccine Status by a Healthcare Organization

Healthcare organizations can inquire whether a patient was vaccinated because asking the question doesn’t violate HIPAA. It would be allowed for the healthcare organization to disclose vaccine status details with other covered entities or business associates, as long as the disclosure was allowed under the HIPAA Privacy Regulation – for treatment, invoicing, or healthcare treatments – or if approved by a patient.

Authorizations will not be necessary when sharing vaccine status data for “public health activities.” For example, a disclosure will be acceptable to “a public health authority that is approved by legislation to gather or acquire such details for the objective of averting or controlling disease, injury, or handicap, including although not restricted to, the reporting of disease, harm, vital activities,” and likewise for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the order of a public health authority, to an officer
of a foreign government agency that is acting in cooperation with a public health authority.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at