Do you know if staff vaccination status counts as PHI?
State and employer mandates for staff COVID-19 vaccinations may be stressing you out from a recruitment and retention standpoint. But you need to worry about it from a HIPAA compliance angle too.
Reminder: In May, the Equal Employment Opportunity Commission expanded its guidance on COVID vaccination mandates in the workplace. “The federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19,” but organizations must offer accommodations to staff that align with provisions outlined in Title VII of the Civil Rights Act and the Americans with Disabilities Act (ADA). Accommodations mentioned include face masks, social distancing, remote work, split shifts, COVID-19 testing, and even reassignment to another position.
In addition to state vaccination mandates, federal ones are now closing in on home health and hospice providers (see story, p. 307).
“If an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer,” the Department of Health and Human Services says in a frequently asked question on Coronavirus. However, it gets a little more complicated after that data is collected.
Once COVID-19 vaccination info is “obtained ... the vaccination status data is considered confidential medical information and must be handled accordingly,” say attorneys Anna-Liisa Mullis and Christine A. Samsel with law firm Brownstein Hyatt Farber Schreck in online legal analysis. As a covered entity (CE) or business associate (BA), you are covered by HIPAA — and your employees’ COVID-19 vaccination information is considered protected health information (PHI). That means the PHI falls under the HIPAA Rules’ governance.
“Employers would be well advised to provide advanced written disclosures to employees regarding the vaccination process, the legitimate business reason for same, and how the employer (or the group health plan) will use, store, and share (if at all) vaccination data of individual employees,” note attorneys with law firm Perkins Coie in online analysis.
Plus: Your agency should review state privacy laws, as those can be much more stringent than HIPAA and could carry penalties for noncompliance. Remember that the Centers for Disease Control and Prevention and the Occupational Safety and Health Administration offer advice on the best way to compile and store staff medical records, including COVID-19 vaccination files.
Note: The EEOC guidance is at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws#K.