Taking Care of HR Business
        A blog from the attorneys of Verrill

        Myth Buster: Employers, Vaccine Information, and HIPAA

        by Elizabeth T. Johnston on October 22, 2021

        With the nation’s ongoing focus on COVID-19 vaccinations, you may be hearing information—and misinformation—about your obligations under HIPAA, the federal Health Information Portability and Accountability Act. In this segment of Myth Busters, we address some common misconceptions about HIPAA and its applicability to employers and employee health information.

        Myth: My employees do not have to provide their COVID-19 vaccination status or proof of vaccination status because that information is protected by HIPAA.

        Truth: Employers may require an employee to provide their COVID-19 vaccination status and present proof of vaccination, such as a vaccine card, because HIPAA does not apply to these inquiries.

        HIPAA governs the use and disclosure of protected health information (PHI) held by certain “covered entities” in the health care space, including health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically, as well as some “business associates” of those covered entities. For instance, when a physician submits electronically a medical claim to a patient’s health plan for payment, HIPAA is triggered because the physician is a covered entity disclosing a patient’s protected health information. In general, however, most employers outside of the health care industry are not covered entities or business associates and are therefore not subject to HIPAA.

        Nonetheless, employers should remain mindful of other state and federal laws that might apply when an employee discloses their vaccination status. For example, if an employee reveals that they are unvaccinated, an employer generally should not ask why, as it may elicit information about an employee’s disability or medical conditions in violation of the Americans with Disabilities Act (ADA). However, if the employee is subject to an employer-imposed or state or federal vaccination requirement, it may be necessary to explore the basis for the employee being unvaccinated to determine whether a reasonable accommodation to vaccination is necessary and possible.

        Myth: My organization is a healthcare entity/provider, so HIPAA applies to all employee medical information collected by my organization.

        Truth: While HIPAA will apply to your organization in its role as a healthcare provider, it will not apply to your organization when acting in its capacity as an employer. For example, if an employee has disclosed disability-related information for purposes of pursuing a reasonable accommodation or medical information relevant to a request for leave under the Family and Medical Leave Act (FMLA), that information would not be considered PHI that is subject to HIPAA protections. In addition, the U.S. Department of Health and Human Services (HHS) has recently confirmed that the HIPAA Privacy Rule does not prohibit a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate from asking whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines, although it does regulate how and when a covered entity or its business associate may use or disclose information about an individual’s vaccination status.

        However, HIPAA would apply to other employee medical information collected by the organization in its capacity as a healthcare provider. For instance, if a hospital employee becomes a patient of that hospital, HIPAA would apply to the employee’s patient records, but not their employment records.

        Myth: I can disclose an employee’s vaccine status to other employees or customers because HIPAA does not apply to my organization.

        Truth: Not so fast—even if an employer is not subject to HIPAA, other laws limit disclosure of an employee’s health information. For example, the ADA requires employers to treat as a confidential medical record any medical information obtained through an employer’s disability-related inquiry, an employment-related medical examination (including from voluntary wellness programs), or by voluntary disclosure of the employee. Employers may only share the medical information in limited circumstances, such as to managers or supervisors who need to know an employee’s work restrictions and accommodations. Similarly, the FMLA requires employers to keep medical records and information private. If an employee needs leave for a serious medical condition or other qualifying reason, including one related to COVID-19 or vaccination, the employers should keep that information confidential consistent with FMLA obligations.

        Employers also need to be mindful of other state-specific privacy laws that might apply to protect personal information held by an employer from improper disclosure, theft, and/or misuse. Absent notification to and consent by an employee, disclosure of an employee’s vaccination status to third parties likely will constitute an unauthorized disclosure or breach under applicable state privacy laws. Nearly every state requires employers to notify employees when there has been an unauthorized disclosure of certain defined categories of personal information, including Social Security numbers. Recently, several states have expanded those laws to cover the disclosure of employee medical information. For example, the Maryland Personal Information Protection Act (PIPA) was amended effective January 1, 2018, to require businesses to “implement and maintain reasonable security procedures and practices” to protect against the unauthorized disclosure of employee “personal information,” including health information. Finally, recently implemented privacy laws may mandate notice in some form.

        Accordingly, an employer generally should not disclose an employee’s vaccination status—or any other employee health information—to other employees or a customer. In addition, employers should keep confidential all employee health information and store such information in a secure manner separately from the employee’s personnel file.

        For more information concerning your obligations as they relate to personal employee health information contact Liz, or another member of Verrill’s Employment and Labor Practice Group or Health Care Practice Group to further discuss.

        Taking Care of HR Business

        Human resource professionals, supervisors, and company executives are constantly confronted with a changing legal landscape. Verrill’s Taking Care of HR Business blog is designed to keep you informed about the latest and most significant legal developments that affect employers.

        Key Contact

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...