The legality of asking about an employee's vaccination status


Stephen Scott
BridgeTower Media NewsWires

Raising kids during the pandemic is very much like running a business during the pandemic; it is a constant balancing act of keeping masks on, minimizing exposure, and trying to limit emotional outbursts. But as anyone who has had a “threenager” – or a rogue employee – knows, sometimes kids say the darnedest things.

Just recently, my son lobbed the following phrases at me: 1, “Oh God” (to my putting his shoes on the wrong feet); 2, “Go straighter” (after I sliced my tee shot); and 3, “No deal, ever” (in response to my proposal that he eat the whole donut, and not just the frosting). While all of these phrases cause momentary panic, the feeling is fleeting (or at least it was fleeting until being reminded of his “isms” at parent-teacher night).

Employers, unfortunately, do not get the benefit of society laughing at a spicy 3-year-old. Employers have to live with the consequences of what they and their employees say. That brings us to the million-dollar question on most employers’ minds: “Are you fully vaccinated?”

This seems to have become a question that employers want to pose to their workers, but confusion abounds regarding the legal contours of this deceptively dangerous question. Many employers continue to wonder about the legal implications of asking an employee’s vaccination status. While the EEOC has confirmed that you can lawfully ask employees for their vaccination status without violating federal anti-discrimination laws (provided the question is limited to a yes-or-no response), what about other privacy laws? Specifically, what about the often-misunderstood HIPAA, seemingly cited by anyone who disagrees with any sort of COVID-19 safety protocols?

The goal of this article is to untangle myths from reality and provide employers with practical – and legally correct – guidance on this subject.

What is HIPAA and to whom does it apply?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on Aug. 21, 1996. Sections 261 through 264 require the U.S. secretary of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy and security of health information. To implement this requirement, the HHS issued what became known as the “Privacy Rule.”

The Privacy Rule addresses the use and disclosure of individually identifiable health information, which is referred to as “protected health information” (PHI), by organizations that are subject to the Privacy Rule. Those organizations, which fit into only three categories, are referred to as “covered entities.”

HIPAA has entered popular culture in recent times thanks to misguided individuals who believe the law somehow creates a magic force field exempting them from complying with many pandemic-related requirements. Most recently, many employees have incorrectly cited “HIPPA” (as commonly misspelled on the internet) as grounds for withholding their vaccine status from their employers.

The HHS recently issued guidance putting many HIPAA-related pandemic misconceptions to rest. Perhaps the most common misconception about HIPAA is that it applies to all businesses and employers. It does not. As noted above, the Privacy Rule governs only “covered entities.” They are:

• health plans;

• health care clearinghouses; and

• health care providers that conduct standard electronic transactions (and, to some extent, certain business associates of covered entities).

If you do not fall into one of these categories, HIPAA does not apply to you at all. And even if you do fall into one of these categories, the Privacy Rule does not apply to employment records, including employment records held by covered entities or business associates “in their capacity as employers.”

What does the HIPAA Privacy Rule protect?

The Privacy Rule regulates how and when covered entities are permitted to use and disclose PHI that covered entities create, receive, maintain or transmit. The rule does not prohibit an employer or business, including HIPAA covered entities, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines. The rule does regulate, however, how and when a covered entity may use or disclose information about an individual’s vaccination status.

Since most employers are not covered entities under HIPAA, the Privacy Rule does not regulate whether one can ask about an individual’s vaccination status or how one can use or disclose that information once obtained.

Isn’t COVID-19 vaccination status confidential information?

Yes. Documentation or other information regarding an individual’s vaccination status is confidential medical information under the Americans with Disabilities Act (ADA) and some state privacy laws. This means that you must treat this information as confidential and store it separately from the employee’s personnel file.

The federal requirement to treat vaccination status as confidential information does not, however, prevent employers or businesses from asking their employees or their visitors whether they have been vaccinated against COVID-19.

Can we ask whether employees and customers are vaccinated?

Yes. HIPAA does not prevent employers and businesses from asking their employees and visitors whether they have been vaccinated against COVID-19 and for proof of such vaccination. Once an employer has the information, it must be treated as confidential, meaning that it is not shared with others except under limited circumstances and, as noted, is not even kept in an employee’s personnel file.

Ultimately, there are plenty of questions an employer should not ask employees or customers. To list them all would require more space than can be devoted to this article, and likely be as redundant as my son explaining a “PAW Patrol” episode. The reality is that most of you know when a question does not pass the smell test. Despite keyboard warriors arguing otherwise, HIPAA does not prevent employers and businesses from asking their employees and visitors whether they have been vaccinated against COVID-19 and for proof of such vaccination.


Stephen Scott is an associate in the Portland office of Fisher Phillips, a national firm dedicated to representing employers’ interests in all aspects of workplace law. Contact him at 503-205-8094 or smscott@fisher