Question of the Week

Our hospital wants to require employees to submit documentation to Human Resources of their COVID-19 and flu vaccination status.  One employee complained that this is a HIPAA violation.  Is it?

No.  A hospital is acting in its role as an employer (not a covered entity/health care provider) when it asks employees to answer questions or provide documentation about their vaccination status.  Hospitals store such information in the employee’s employment record, not in the employee’s medical record.

HIPAA specifically excludes employment records from the definition of “Protected Health Information.”  The relevant definition states:  “Protected health information excludes individually identifiable health information…[i]n employment records held by a covered entity in its role as employer.”  45 C.F.R. § 160.103.

Thus, information that a hospital obtains when it asks an employee about vaccination status isn’t covered by HIPAA.  It follows that HIPAA isn’t violated if the hospital then discloses that information to managers and supervisors so they can enforce the hospital’s policies.

Although HIPAA doesn’t apply, the Americans with Disabilities Act (“ADA”) does govern information that a hospital holds in its role as an employer.  The regulations implementing the ADA state that information “regarding the medical condition or history of any employee shall be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record, except that:  (A) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations.”  29 C.F.R. § 1630.14.

It’s important to recognize that in some cases a hospital could hold information about vaccination status in its role as a covered entity/health care provider under HIPAA.  For example, a hospital might conduct a clinic by which it gives flu shots to members of the community.  HIPAA would apply to that information, because it was created by the hospital in its role as a provider of health care services.  Thus, the hospital could not disclose those vaccination records to a local third-party employer unless the individual signs a HIPAA authorization.

If you have a question about this issue, please e-mail Phil Zarone at