Medicare Compliance & Reimbursement

HIPAA:

Know the Facts on the Privacy Rule, COVID Vaccinations, and Workplace Requirements

OCR offers a pandemic-inspired HIPAA update with new Q&As.

If you’re wondering whether impending COVID vaccination requirements impact HIPAA at your organization, you’re not alone. Due to intense interest in the subject, the feds have released fresh guidance for healthcare workers.

Background: Last month, the Biden administration announced a comprehensive COVID-19 vaccination plan for the nation to combat the Delta variant. The plan, titled the “Path Out of the Pandemic,” includes several policies that are slated to impact Medicare providers (see Medicare Compliance & Reimbursement, Vol. 47, No. 18).

At press time, the Centers for Medicare & Medicaid Services (CMS) hadn’t released an interim final rule on the implementation of the plan for affected providers. The Occupational Safety and Health Administration (OSHA), the small agency in the Department of Labor entrusted with designing an Emergency Temporary Standard (ETS) on the plan, also hadn’t issued its guidance on vaccination and testing rollouts for organizations with 100 or more employees.

However, the HHS Office for Civil Rights (OCR) did issue fresh insight on the intersection of HIPAA and COVID testing and vaccination mandates for workers in light of the action plan.

Check Out OCR’s Take on HIPAA, Privacy, and Vaccination Mandates

OCR appreciates the pressures and confusion both workers and employers feel as the public health emergency (PHE) stretches on. And that’s why the agency updated its online guidance on Sept. 30 with a fresh question-and-answer set on the who, what, when, and where of HIPAA privacy and COVID-19 vaccinations.

“We are issuing this guidance to help consumers, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” explains new OCR Director Lisa Pino in a release.

In the update, OCR reminds readers that the HIPAA Privacy Rule doesn’t affect all organizations or staff records, but rather “only applies to HIPAA covered entities (health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions), and, in some cases, to their business associates.”

Breakdown: Though there are only five HIPAA Q&As offered in the new COVID guidance, OCR provides covered entities (CEs) and their business associates (BAs) with a wealth of handy tips and examples for dealing with privacy concerns surrounding employee vaccinations.

The first question focuses on whether the Privacy Rule comes into play when CEs or BAs ask their staff if they’ve received the COVID-19 vaccination. According to OCR, it doesn’t.

The Privacy Rule neither regulates nor prohibits CEs and BAs from “request[ing] information from patients or visitors,” including asking about COVID-19 vaccinations, OCR maintains in Answer No. 1. However, CEs and BAs should note that the Privacy Rule “does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status,” the agency cautions.

Tip: As an example, OCR refers to this common scenario: a home health agency asks its employees if they’ve gotten the COVID vaccination. In this case, the Privacy Rule does not apply because the HHA is merely asking, not using or disclosing the information, the guidance says.

Take a look at what the other Q&As touch on and whether the Privacy Rule applies:

  • Personal disclosures of PHI: In the second Q&A, OCR reminds readers that the Privacy Rule doesn’t cover individuals’ disclosure of their own personal PHI to others. For example, if one of your employees tells another about their vaccination status, the Privacy Rule does not apply, OCR indicates.
  • Employment terms and conditions: Question No. 3 deals with employment records for CEs and BAs, which aren’t part of the Privacy Rule. That means that CEs and BAs can ask their workforce about COVID vaccination status and make the vaccine a requirement for work; however, other laws might factor in. “For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations,” OCR cautions.
  • Disclosure requirements: The fourth Q&A is a little tricky as it breaks down proof and disclosure of vaccination status upon employer request under the Privacy Rule. According to OCR, terms and conditions of employment aren’t covered by the Privacy Rule, “such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.” However, state or other federal laws may apply, so CEs should review regulations before disclosures.
  • PHEs and PHI: HIPAA does permit disclosures of COVID-19 vaccination status for public health emergency (PHE) reasons. OCR gives examples across the spectrum of CE-types and BAs for reference in Answer No. 5.

Reminder: Both state and employment laws do offer advice on the best way to document, store, and keep workforce vaccination and medical records safe and confidential. Storage of “personnel files” is explicitly covered “under Title I of the Americans with Disabilities Act (ADA),” OCR advises. The Centers for Disease Control and Prevention (CDC) and OSHA also provide insight on healthcare personnel (HCP) file maintenance and storage (see Medicare Compliance & Reimbursement, Vol. 47, No. 6).

Resources: Review OCR guidance at www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.