HIPAA Compliance and Collecting Employee Vaccination Data


In 2022, many businesses will implement safety measures to reduce the risk of COVID within the workplace. This might include compiling information on the vaccination status of your staff.

Although President Biden’s vaccine mandate was recently struck down by the Supreme Court, business leaders still have valid reasons to ask their workers if they are vaccinated. This information can help to keep your staff and their families safe, as well as reduce the risk of losing large sections of your workforce to COVID isolation.

Of course, vaccination status qualifies as medical information, leaving many businesses to worry about whether their collection process is HIPAA compliant.

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, is a vital piece of legislation that protects the medical information of US citizens. The law was created to improve the flow of healthcare information between medical practices and insurance providers. The HIPAA Privacy Rule, in particular, requires healthcare practitioners and their business associates to follow stringent privacy policies in order to keep protected health information (PHI) safe. What’s more, the Security Rule also requires health data to be transferred securely.

So, how does HIPAA apply to businesses collecting COVID vaccination data?

Can I ask staff for their vaccination status under HIPAA?

Although vaccination status is considered PHI, the majority of employers can request this information from their staff. HIPAA rules only apply to medical organizations like healthcare providers and associated businesses. So, in a normal business setting, you are entitled to ask for vaccination information from your workers. You can also generally ask for such information during the hiring process.

A violation would occur if a medical professional disclosed vaccination information to an employer without the individual’s consent. However, if your business operates a self-insured health plan, you do need to follow HIPAA guidelines.

While many employers can request vaccination statuses from their staff, there are other hurdles to address. For example, the Equal Employment Opportunity Commission (EEOC) stipulates that employers across the US can’t press staff about why they didn’t get their vaccine. What’s more, staff also don’t necessarily have to answer the question about their vaccination status in the first place.

Furthermore, you also need to consider the state, or states, that you’re operating in. Several US states – such as Florida and Texas – have laws that prohibit businesses from asking about vaccination status. What’s more, whether or not the employee wants to share their proof of vaccination, the rules on gaining access to that proof also vary between states, which can make the process much more difficult. We suggest you familiarize yourself with the current legislation for the states in which you operate.

Collecting vaccination records in a safe way

While in most cases business leaders can request vaccine information, it’s important to know that you need to collect and store such information securely. In other words, you can ask for the information, but you need to make sure that information remains private.

There are several key practices that business leaders should follow when dealing with employees’ PHI data. Should you decide to go ahead and collect vaccination data, here are the things to keep in mind:

  • Open up a dialogue – It’s important for businesses to be transparent about why they’re asking for vaccination information. You need to start by opening up a discussion among your team. Being open about why you are requesting this data, and how it can help the business, can help you build trust among your staff. By removing any surprises, your team is also more likely to be open to answering your questions. What’s more, building confidence is also a good way to spread awareness of the importance of effective vaccination protocols.
  • Keep vaccine questions private – The actual process of asking staff members about their vaccination status should be carried out in a private setting and away from other staff members. What’s more, you should limit the amount of information you’re asking for to the bare minimum for safety.
  • Be aware of confidentiality rules – Vaccination data about your employees need to be kept separate from their personal files. Under the Americans with Disabilities Act, this data is classed as confidential.
  • Encryption and handling – As with any confidential data, vaccination details should be encrypted. This reduces the risk of a data breach or hacking. What’s more, access to this information should be limited to a select few people who are trained and authorized to handle it.

Consider investing in a HIPAA-compliant monitoring platform

As you can see, collecting this type of data requires careful planning and execution. The best way to ensure this is carried out correctly is to consider a third-party data platform that can collect and manage this information securely. There are numerous HIPAA-compliant monitoring platforms – including the one that All Clear provides – that can streamline the entire collection and storage process. These monitoring platforms bring all of the important information into one, secure place, and the information is easily accessible through a secure mobile app.

The bottom line…

As we see employees finally returning to their offices in 2022, it is more important than ever for businesses to look after employees’ well-being. The practices outlined above can help you provide the best possible support when it comes to COVID safety. The last thing any business needs at this point is to lose additional productivity to the pandemic.