Skip to main content
Menu

Resources

HIPAA and COVID-19

October 06, 2021 11360

Vaccination and Test Result Information

The Office for Civil Rights within the U.S. Department of Health and Human Services on Sept 31, 2021, released guidance for the public to clarify how HIPAA applies when businesses and employers request from customers and employees information on their COVID-19 vaccination status and test results. Highlights of the guidance provided by the Department of Health and Human Services include:

  • HIPAA does not prohibit any person from asking an individual whether they received a particular vaccine.
  • HIPAA does not prevent an individual from disclosing their vaccination status.
  • HIPAA does not prohibit an employer from requiring an employee to disclose their vaccination status. (California confidentiality law does prohibit employers from disclosing employee health information to unauthorized persons.)
  • HIPAA does prohibit a healthcare provider from disclosing an individual’s protected health information to an employer and other unauthorized entities.

Telehealth

OCR announced March 15, 2020, that "it will exercise its enforcement discretion and will waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency."

The communications technology should not be public-facing. Examples of non-public facing communications technologies include Skype, Apple Facetime and video chat via Facebook Messenger, Jabber, WhatsApp, and Google Hangouts. In normal circumstances, HIPAA requires a covered entity to have a business associate agreement with these platforms and to have included these technologies in its security risk analysis prior to utilization. Once the emergency ceases, a covered entity is expected to be in full compliance with the regulations.

To protect patient privacy during the emergency period, a dentist should converse with a patient in a private location and should confirm that the patient also is in a private setting or else agrees to receive teledental services in a public or semi-public setting. Use reasonable safeguards such as lowering the voice and not using a speakerphone. When investigating a complaint or incident that occurs at this time, OCR will consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services.


 

Comments are only visible to subscribers.