The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has finally addressed the most talked-about concern: the application of the HIPAA privacy rules to COVID-19 vaccine disclosure. In a recent official statement, the federal agency issued complete guidance to make healthcare consumers aware of when they can request information about whether or not a person has received a COVID-19 vaccine.
According to the guidance, the HIPAA Privacy Rule applies only to covered entities and business associates, such as health plans, health care clearinghouses, and providers that frequently exchange health information. Meanwhile, employers and employment records are exempt from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rules.
OCR Director Lisa Pino, while talking about the latest HIPAA guidelines, said that the recent guidelines intend to help the public, businesses and health care entities regarding their rights to request or disclose information about COVID-19 vaccination status. It will ultimately ensure the availability of the right information that people need to make insightful decisions about protecting themselves and others from COVID-19.
Key Takeaways of the OCR Guidelines
For the convenience of our readers, we have compiled the key points of the guidelines and answers to frequently asked questions about the workplace guidance on HIPAA privacy and COVID-19 vaccination disclosure.
HIPAA Privacy Rule Doesn’t Prohibit Businesses or Individuals
Any individual or business, including HIPAA covered entities and business associates, is allowed to ask whether or not an individual has received the vaccine. Covered entities and business associates are not prohibited from requesting this information from patients or visitors. On the other hand, they have to follow the privacy rules when it comes to using and disclosing protected health information (PHI), which includes PHI about whether an individual has received a COVID-19 vaccine. Moreover, the HIPAA Privacy Rule doesn’t apply when an individual:
- Is asked about the vaccine status by the employer, school, entertainment venue, store, restaurant, or another individual.
- Asks another individual, their doctor, or a service provider whether they are vaccinated.
- Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Other state or federal laws address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.
Customers or Clients Can Disclose Vaccine Information
Individuals have the full right to disclose whether they have been vaccinated against COVID-19. They are allowed to reveal their own health information. The Privacy Rule applies only to covered entities and, to some extent, their business associates. Hence, consumers can tell another person, such as a colleague or business owner, about their vaccination status against the ongoing pandemic caused by the coronavirus.
Privacy Rule Doesn’t Apply to Employment Records
The Privacy Rule does not apply to employment records, regardless of whether the record is held by a covered entity or a business associate. It’s pertinent to mention here that the HIPAA Privacy Rule doesn’t regulate the types of information requested from employees and doesn’t address the terms and conditions of employment that an employer may impose on its workforce.
On the other hand, there are several other federal laws that regulate the terms and conditions of employment. For instance, according to the federal anti-discrimination law, an employer is allowed to ask the employees physically entering the workplace to be vaccinated against COVID-19. This rule doesn’t prevent employers from asking employees to provide appropriate documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.
However, documentation confirming vaccination against COVID-19 must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). For additional information about the key provisions of the HIPAA Privacy Rule, you can visit the official website of the Department of Health and Human Services.
An Overview of the HIPAA Privacy Rule
As the US healthcare industry rapidly shifts towards digital ways to collect, keep and exchange patients’ health records, it has become more crucial than ever to take appropriate measures to protect this highly confidential information from theft, unauthorized access and other hacking attacks. Therefore, the U.S. Department of Health and Human Services (HHS) has established regulations to ensure the protection and privacy of Protected Health Information (PHI). This rule has set clear standards for:
- How PHI can be shared.
- What PHI is shared, and when.
- The circumstances under which it can be used or disclosed.
Health care records are governed by the HIPAA Privacy Rule and the Security Rule. The following entities are covered by the privacy rules:
- Health Care Providers.
- Health Plans.
- Health Care Clearinghouses.
- Business Associates.
- Business Associate Contract.
Protected Health Information is the consumer’s identifiable information, such as name, gender, age, date of birth, address, phone number, social security number, insurance ID number, laboratory results and billing data. Medical records, including biometric identifiers such as finger, retinal and voiceprints, or any other characteristics that can identify a person, are also included in the identifiable information. Because this information is so sensitive, the healthcare industry has become a prime target for cyberattacks over the past few years. Therefore, it’s crucial for providers to adopt secure and protected ways to receive, store, or transmit health data.
Whether you are using Electronic Health Records or EMR, make sure that your systems are fully HIPAA compliant, because failure to ensure compliance can land medical practitioners in serious trouble, such as heavy fines, imprisonment or other civil or criminal penalties.
Medical Billing Benefits is an authentic healthcare news wire that doesn’t let its leaders lag behind the latest happenings in medical coding, billing, and the federal and state laws that govern the entire industry.