General Surgery Coding Alert

Vaccine Mandates:

Consider HIPAA Impact on COVID-19 Measures

Published on Thu Nov 18, 2021

Know what action you can take.

If your surgery practice is considering a COVID-19 vaccination requirement for staff, you might be happy to hear that the feds recently issued a memo that will shed some light on what you can and can’t do.

Context: The Biden administration recently announced a comprehensive COVID-19 vaccination plan for the nation to combat the Delta variant. The plan titled the “Path Out of the Pandemic” includes several policies that are slated to impact Medicare providers.

Read on to see how a recently-published HHS Office for Civil Rights (OCR) Q/A can help you successfully navigate the rules.

Focus OCR’s Take on HIPAA Privacy Rule

OCR updated its online guidance on Sept. 30 with a fresh question-and-answer set on the who, what, when, and where of HIPAA privacy and COVID-19 vaccinations.

“We are issuing this guidance to help consumers, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” explains new OCR Director Lisa Pino in a release.

In the update, OCR reminds the HIPAA Privacy Rule doesn’t affect all organizations or staff records, but rather “only applies to HIPAA covered entities (health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions), and, in some cases, to their business associates,” the agency emphasizes.

Breakdown: Though you will see only five HIPAA Q&As offered in the new COVID guidance, OCR provides covered entities (CEs) and their business partners (BAs) with a wealth of handy tips and examples for dealing with privacy concerns surrounding employee vaccinations.

Check Out Questions, One by One

The first question focuses on whether the Privacy Rule comes into play when CEs or BAs ask their staff if they’ve received the COVID-19 vaccination. According to OCR, it doesn’t.

The Privacy Rule neither regulates nor prohibits CEs and BAs from “request[ing] information from patients or visitors,” including asking about COVID-19 vaccinations, OCR maintains in Answer No. 1. However, CEs and BAs should note that the Privacy Rule “does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status,” the agency cautions.

Tip: For an example, OCR refers to this common scenario: a home health agency asks its employees if they’ve gotten the COVID vaccination. In this case, the Privacy Rule does not apply because the HHA is merely asking, not using or disclosing the information, the guidance says.

Take a look at what the other Q&As touch on and whether the Privacy Rule applies:

Personal disclosures of PHI: In the second Q&A, OCR reminds that the Privacy Rule doesn’t cover individuals’ disclosure of their own personal PHI to others. For example, if one of your employees tells another about their vaccination status, the Privacy Rule does not apply, OCR indicates.

Employment terms and conditions: Question No. 3 deals with employment records for CEs and BAs, which aren’t part of the Privacy Rule. That means that CEs and BAs can ask their workforce about COVID vaccination status and make the vaccine a requirement for work; however, other laws might factor in. “For example, federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations,” OCR cautions.

Disclosure requirements: The fourth Q&A is a little tricky as it breaks down proof and disclosure of vaccination status upon employer request under the Privacy Rule. According to OCR, terms and conditions of employment aren’t covered by the Privacy Rule, “such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.” However, state or other federal laws may apply, so CEs should review regulations before disclosures.

PHEs and PHI: HIPAA does permit disclosures of COVID-19 vaccination status for public health emergency (PHE) reasons. OCR gives examples across the spectrum of CE-types and BAs for references in Answer No. 5.

Reminder: Both state and employment laws do offer advice on the best way to document, store, and keep workforce vaccination and medical records safe and confidential. Storage of “personnel files” is explicitly covered “under Title I of the Americans with Disabilities Act (ADA),” OCR advises. The Centers for Disease Control and Prevention (CDC) and OSHA also provide insight on healthcare personnel (HCP) file maintenance and storage.

Resources: Review OCR guidance at www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.