On September 30, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it issued guidance to clarify that the HIPAA Privacy Rule does not prohibit businesses from asking customers, clients or employees to disclose their COVID-19 vaccination status. OCR felt compelled to weigh in after chronic widespread ignorance of HIPAA requirements combined with rampant vaccine misinformation to create a perfect storm of nonsense.

HIPAA applies only to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, and not to stores, restaurants, stadiums, or other non-healthcare entities or individuals. HIPAA also does not cover employment records, even employment records held by covered entities or business associates in their capacity as employers.

Under existing federal guidelines, companies may require that their employees be vaccinated, subject to certain exceptions for medical reasons and religious beliefs, as discussed here. Additional federal standards on COVID-19 vaccines and testing for workplaces are expected soon, as discussed here.