Q: Does the Health Insurance Portability and Accountability Act's Privacy Rule prevent me from asking employees about their vaccine status?

A: The answer is a relatively simple no. 

First, the HIPAA Privacy Rule does not apply to the employer-employee relationship.

It applies only to “covered entities,” such as health plans and healthcare providers, and to some extent those entities’ business associates. 

HIPAA regulates how and when a covered entity (such as a physician or hospital) may disclose or use protected health information about a patient.

HIPAA does not regulate how that entity collects or discloses information about employees. 

HIPAA does not prohibit any business—whether a manufacturer or a hospital—from inquiring about an employee’s vaccine status. 

HIPAA Privacy Rule

In addition, the HIPAA Privacy Rule does not prohibit:

  •  Any person from disclosing their own health information, including their own vaccination status.
  •  A school, employer, store, restaurant, or entertainment venue from inquiring about an individual’s vaccination status or from requiring vaccination proof to use their facilities.
  •  A business from requiring employees to disclose their vaccination status to the business’ customers.

An individual may ask their own doctor, service provider, or home health agency if their employees are vaccinated. HIPAA does not protect this information.

Confidential Information

HIPAA does not require disclosure, meaning an individual may decline to provide information about their own vaccine status, but that could result in consequences, such as loss of a job or loss of access to a facility.  

Generally speaking, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment, including employee vaccine status.

An individual may decline to provide information about their vaccine status, but that could result in loss of a job or loss of access to a facility.

The documentation and confirmation about an employer’s vaccination records, once received, need to be kept confidential.

There are certain situations where federal and state laws address terms and conditions of employment. 

Federal anti-discrimination laws do not, however, prevent an employer from requiring employees to be vaccinated against COVID-19 and to provide proof of such vaccination.


HR problems or issues? Email or call CBIA’s Diane Mokriski at the HR Hotline (860.244.1900) | @HRHotline.