As employees return to the workplace, an increasing number of employers are asking their workers to provide proof of their COVID-19 vaccinations. This has led to many questions and concerns about whether such a practice is permitted under various healthcare privacy laws, particularly the Health Insurance Portability and Accountability Act (“HIPAA”).

At first glance, the Department of Health and Human Services’ (“HHS”) stance on HIPAA’s applicability to employer requests for COVID-19 vaccination records is fairly straightforward:

If an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation, and employees may decide whether to provide that information to their employer.

What this statement doesn’t address: considerations and potential pitfalls for covered entity employers obtaining proof of COVID-19 vaccination from their employees. This could include a healthcare provider that administers the COVID-19 vaccine to its own employees or an employer-sponsored group health plan.

Covered entity employers must still exercise caution when they collect employee COVID-19 vaccination records, and ensure they do not inadvertently violate their HIPAA obligations with respect to their employees’ protected health information (“PHI”). In circumstances involving employee COVID-19 vaccination records, a covered entity needs to distinguish whether it is acting in its capacity as a covered entity (such as a health plan or a healthcare provider) or as an employer when it accesses or uses the employee health information. Individually identifiable health information contained in the employment records held by a covered entity in its role as employer is excluded from the definition of PHI. This means employee COVID-19 vaccination records voluntarily provided to an employer (including a covered entity employer) for employment purposes would technically be excluded from HIPAA rules governing the protection of PHI.

However, this does not grant covered entity employers unrestricted access to their employees’ COVID-19 vaccination records. For example, if an employee obtains his or her vaccination from the hospital that also employs them, it might be tempting for the hospital to immediately send over the employee’s vaccination information to the HR Department and/or access the employee’s medical record to obtain proof of vaccination. Such actions could trigger a HIPAA violation, since the hospital provided the vaccination to the employee in the hospital’s capacity as a covered entity healthcare provider, meaning any subsequent use or disclosure of the patient’s COVID-19 vaccination record by the hospital would be subject to the restrictions of HIPAA, regardless of the patient’s employment status with the hospital.

If a covered entity employer wishes to obtain proof of its employee’s COVID-19 vaccination using the medical records maintained by the covered entity employer, the covered entity employer should treat itself the same as it would any third-party employer seeking similar information. In other words, the covered entity employer should obtain a signed HIPAA patient authorization from its employee before using or disclosing the employee’s COVID-19 vaccination record internally for employment-related purposes. To the extent a covered entity employer seeks an employee’s signed HIPAA authorization, it should also ensure it does not require the employee to sign the authorization before obtaining the COVID-19 vaccine from the covered entity employer and/or requiring the authorization as a condition to treatment or payment.