As businesses have begun mandating vaccinations for employees and customers, many have heard a common response, in one form or another, “You can’t ask me that because of HIPAA.” In written form, these responses often invoke the protection of HIPPA, which is not a law. (These responses often echo the statements of certain elected officials, who presumably should know better.) Due to the myriad laws affecting both the type and timing of questions that may be asked of employees and customers, this statement gives many businesses pause as they seek guidance as to whether some other new law affecting their operations has been enacted without their knowledge. Fortunately, for nearly every business, subject to some specific exceptions, the response is that, no, HIPAA does not prevent you from asking your employees or customers about their vaccination status.
Why do so many people make this mistake? The Health Insurance Portability and Accountability Act (HIPAA) was enacted, among other reasons, to regulate the flow of healthcare information and address how personally identifiable information and protected health information (“PHI”) are maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. The HIPAA Privacy Rule limits the uses and disclosures of PHI required for treatment, payment, or healthcare operations. As a result, the HIPAA Privacy Rule only applies to healthcare providers, health plans, and the business affiliates that they contract with in connection with treatment, payment, or healthcare operations. However, due to misunderstandings around the scope of the law, many have taken the HIPAA Privacy Rule to mean that no one may ask questions related to an individual’s medical conditions. That is simply not true. By its express terms, HIPAA does not apply to questions about medical conditions from private citizens, businesses, or the media.
If an employer asks an employee to provide proof that they have been vaccinated consistent with a workplace mandate, that is not a HIPAA violation. The United States Department of Health and Human Services (“HHS”), which enforces HIPAA, has provided explicit guidance to that effect. While an employee may refuse to provide information about their vaccination status to their employer, nothing in HIPAA prevents that employer from then terminating that employee if they have enacted an otherwise valid vaccination mandate.
Please note that, beyond questions about vaccination status, other medical inquiries by employers and businesses are still governed by the Americans with Disabilities Act. If you have questions about how to implement a vaccine mandate or the types of questions your business can ask its employees, please contact one of our attorneys at (410) 522-1020 to set up an appointment to discuss how your policies can be structured to meet your company’s goals.