November 2, 2021

Volume XI, Number 306

New Articles

November 02, 2021

DOL’s Wage and Hour Division Issues Final Rule Regarding Tip Credits... by: Jonathan M. Kelly and Faith C. Whittaker
Why I Believe Professor Kim Is Asking The Wrong Question About... by: Keith Paul Bishop
New FTC Policy Statement Targets Dark Patterns by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Pick Your Poison by: Theodore F. Claypoole
FTC Finalizes Updated Safeguards Rule Under GLBA to Dramatically... by: Benjamin William Perry and Courtney M. Achee
Senate Zeros in on Big Tech with Latest Antitrust Reform Bill by: Michael W. Scarborough and M. Kevin Costello
Beer Dispute Still Brewing: Federal Circuit Ruling Leaves Fate of... by: Mary Kate Brennan
The Trademark Blues: TTAB Proceedings Do Not Preclude Subsequent... by: Gene Markin
Five Immediate Steps to Take in Preparation for China’s New... by: Elizabeth (Liz) Harding and L. Hannah Ji-Otto
OCR Issues Clarifying Guidance on HIPAA, COVID-19 Vaccinations, and... by: Jennifer Orr Mitchell and Jared M. Bruce
Biden Administration to Open New For-Profit Immigrant Detention... by: Raymond G. Lahoud
US Federal Labor Viewpoints – Week of October 25, 2021 by: Stacy A. Swanson
Havoc Continues to Wreck Automotive Industry by: Jeffrey A. Soble
Updated Guidance from the FATF Regarding a Risk-Based Approach for... by: Daniel L. McAvoy and Stephen A. Rutenberg
EEO-1 Reporting Portal to Close November 15, 2021 by: Laura A. Mitchell
Potential Impact of EPA’s PFAS Strategic Roadmap on CERCLA Cleanups by: Caleb J. Holmes and Kaitlyn R. Maxwell
Nota Bene Episode 150: Building an AI Risk Management Framework with... by: Michael P.A. Cohen and Siraj Husain
‘No-Poach’ Agreements – EU Catching up With the US on Anti-... by: Marga Caproni and Oliver Geiss
Time Is Money: A Quick Wage-Hour Tip on … New York’s New Rule on... by: Edward M. Yennock
DOL Formally Reinstates ‘20%’ Rule, Adds ‘30-Minute’ Rule Setting... by: Justin R. Barnes and Jeffrey W. Brecher
FDA Guidance: Temporary Marketing Permits by: Food and Drug Law at Keller and Heckman
Massive Ringless Voicemail Class Action Allowed to Proceed in State... by: Eric J. Troutman
November 2, 2021: Foley Weekly Automotive Report by: John R. Trentacosta and Ann Marie Uetz
Price Gouging Litigation Continues Apace by: Christopher E Ondeck and John R Ingrassia
Contractor to Pay $188,879.59 to Settle Claims That Owner Falsified... by: Danielle L. Dietrich
As the PFAS Panic Continues, EPA Tries to Keep Up with the States by: Jeffrey R. Porter
EPA Increases Environmental Justice- Related Reviews and Enforcement by: Jonathan H. Schaefer
Law of the Land - Real Estate Litigation Newsletter November 2, 2021 by: Mariana Korsunsky and Kevin P. O'Flaherty
Eleventh Circuit Vacates Hunstein I, But Still Holds Mail Vendor... by: Kristin L. Bryan
Securities Litigation Update: Divided Ninth Circuit Permits Direct-... by: Jason M. Halper and Ellen Holloman
Turning Back the Clock on Corporate Individual Accountability: DOJ... by: Nathan J. Muyskens and Jared E. Dwyer
The Promise and Potential Pitfalls of Provisional Patent Applications by: Brent E. Matthias
ESG’s Unintended Consequence – Lawsuits by: John Gardella
DOJ Announces New Policies Addressing White Collar Criminal... by: Gregory G. Marshall and Erin K. Sullivan
Lessons Learned from The OFSI Annual Review: 2020 - 2021 by: Michael E. Ruck and Rosie Naylor
Computer Software Employees and Physicians Overtime Exemption Rates... by: Nicole M. Shaffer and Stephanie Joy M. Tañada
New Federal Contractor COVID-19 Vaccine Mandate FAQs Provide... by: Laura A. Mitchell and F. Christopher Chrisbens
Iowa Strengthens Medical and Religious Exemptions From Vaccine... by: Christine Bestor Townsend and Eric L. Mackie
Second Circuit Holds that Expanding FSIA to Criminal Cases Would Not... by: Lucas Kowalczyk and Seetha Ramachandran
A New Friend: Court Reconsiders Denial of MSJ on ATDS Issues and... by: Eric J. Troutman

November 01, 2021

October 31, 2021

Article By

Jennifer Orr Mitchell

Jared M. Bruce

Dinsmore & Shohl LLP

Publications

Related Practices & Jurisdictions

All Federal

OCR Issues Clarifying Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace

Tuesday, November 2, 2021

Questions abound as to whether HIPAA comes into play when COVID-19 vaccination information is provided to employers. Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued clarifying guidance on the applicability of the HIPAA Privacy Rule in the context of COVID-19 vaccination information provided to employers.

This guidance is to remind the public that the HIPAA Privacy Rule generally does not apply to employers or employment records, which includes health care providers in their roles as employers. The HIPAA Privacy Rule applies only to health care providers and health plans (and their business associates) in their roles as health care providers or payers – not in their roles as employers. The guidance emphasized that the HIPAA Privacy Rule does not prohibit anyone, including health care providers, health plans, and their business associates, from asking whether an individual has received any vaccine, including the COVID-19 vaccine.

While the HIPAA Privacy Rule regulates a health care provider or health plan’s ability to use and disclose protected health information (PHI), it does not regulate the ability to collect protected health information from employees, patients and visitors within the context of seeking COVID-19 vaccination status. Also, to eliminate any confusion, the guidance states that the HIPAA Privacy Rule does not apply when employers, schools, stores, restaurants, entertainment venues, or other individuals inquire about any individual’s vaccination status. It also does not apply when individuals ask companies about the vaccination status of their employees.

Health care providers and health plans that are required to comply with HIPAA are permitted to disclose PHI for a number of reasons, including treatment, payment, operational and public health activities. For example, a health care provider may relay an individual’s vaccination status to a public health authority for purposes of comparing the effectiveness of different COVID-19 vaccinations. Additionally, a health care provider is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.

Importantly, OCR clarified that in the current COVID-19 environment, a health care provider is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer for purposes of surveillance of the spread of COVID-19 within the workforce, so long as all of the following conditions are met:

Health care services were provided to the individual at the request of the individual’s employer or as a member of the employer’s workforce;
The PHI disclosed consists of findings concerning work-related illness or workplace-related medical surveillance;
The employer is required to have the information to comply with legal obligations under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose; and
The individual is provided written notice that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Within the guidance, OCR also emphasized that the HIPAA Privacy Rule does not apply to employment records. Nothing in the HIPAA Privacy Rule prevents employers from requesting documentation of COVID-19 vaccination or requesting employees wear masks while on the employer’s property or when performing work-related duties. While other state and federal laws address whether employment may be conditioned on vaccination status and regulate confidentiality and storage of employee health information, HIPAA does not.

In a press release, OCR Director Lisa Pino stated, “we are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19.”

The OCR guidance is available here.

*Ashley Durner, who contributed to this article, is a Law Clerk and not licensed to practice.

Related Legal Headlines

Immigration and Compliance Briefing: Fall Travel & COVID-19 Policy Update

Najia S. Khalid

EEOC Updates Religious Accommodation and Vaccine Mandate Guidance

Michael S. Arnold

The Keeping Workers Safe Act Introduced: Will OSHA Violations Be Widely Disseminated?

Karen Tynan

Senate Confirms President Biden’s Nominee to Head OSHA

Michael T. Taylor

TRENDING LEGAL ANALYSIS

DOL’s Wage and Hour Division Issues Final Rule Regarding Tip Credits and Dual Jobs

Dinsmore & Shohl LLP

Why I Believe Professor Kim Is Asking The Wrong Question About Gatekeepers

Allen Matkins Leck Gamble Mallory & Natsis LLP

New FTC Policy Statement Targets Dark Patterns

Hunton Andrews Kurth

Pick Your Poison

Womble Bond Dickinson (US) LLP

About this Author

Jennifer Orr Mitchell

Partner

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness.

Within the...

jennifer.mitchell@dinsmore.com

513-977-8364

www.dinsmore.com

Jared M. Bruce

Associate

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity. His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance...

jared.bruce@dinsmore.com

513-832-5454