Updated: Apr 11, 2022
Can My Employer Disclose My Vaccine Status?
by Christian, civil trial attorney, RL Johnson
Any worker who has not received the COVID-19 vaccine and wonders whether it's legal for their employer to publicly disclose their vaccination status should know their legal rights under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Thus far, and notwithstanding pending court challenges and injunctions pertaining to mandates affecting certain federal employees and contractors, almost none of the five (5) federally enacted vaccination mandates have been ruled violative of the U.S. Constitution.
So, to the extent that an employee has not been vaccinated, the question becomes: Can My Employer Disclose my Vaccine Status?
HIPAA created national standards to prevent the disclosure of sensitive patient health information without the patient's consent or knowledge. HIPAA has three major sets of rules:
1. Privacy Rules;
2. Security Rules; and,
3. Breach Rules.
The Privacy Rule forbids an organization subject to its requirements (i.e., a "covered entity") from using or disclosing an individual's "protected health information" except as mandated or permitted by its provisions (45 CFR §164.502[a]).
Contrary to popular belief, HIPAA does not apply to most employers. That is, the HIPAA rules only apply to what HIPAA defines as “covered entities” in the federal Department of Health and Human Services’ regulations. Specifically, covered entities are:
• Individual and group health plans;
• A health care clearinghouse (e.g., a billing service, repricing company, or a community health management information system, etc.);
• Health care providers such as physicians, hospitals and HMOs; and,
• Business associates of covered entities.
45 CFR §§ 160.103 and 164.104[a].
"Protected health information" encompasses any individually identifiable health information held or transmitted by a covered entity in any form or medium, whether electronic, paper or oral (45 CFR §160.103).
Incidentally, HIPAA does not prohibit any person (e.g., an individual or an entity such as a public entity or a private business), including HIPAA covered entities and business associates, from asking you whether you have received a particular vaccine, including COVID-19 vaccines. See, e.g., 45 CFR §§ 160 and 164.
That said, just because an employer is not a “covered entity” under HIPAA does not mean that the employer is not bound by privacy considerations. That is to say, HIPAA does regulate requests for information from your employer’s group health insurance provider, who is absolutely bound by HIPAA’s Privacy Rule. Thus, as a covered entity, your company’s group health insurance provider cannot disclose or share your protected health information with anyone except either:
• as the Privacy Rule permits or requires; or
• as you, the individual who is the subject of the information (or your personal representative), authorize in writing. 45 CFR § 164.502(a).[i]
So, what happens if your protected health information is released unlawfully?
Well, the penalties are severe. In fact, a person who knowingly and wrongfully discloses individually identifiable health information must be …
• fined not more than $50,000, imprisoned not more than 1 year, or both [§ 1177(b)(1)]; or,
• if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both [§ 1177(b)(2)]; and,
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both [§ 1177(b)(3)].
Moreover, there are other federal laws, including the Americans with Disabilities Act of 1990 ("ADA"), the Family and Medical Leave Act of 1993 ("FMLA"), as well as certain state and local medical records access acts, that impose limitations on an employer’s access to, use, and disclosure of protected health information.
If you believe that your privacy rights under HIPAA have been violated, you can file a complaint with HHS's Office for Civil Rights (“OCR”) using its Complaint Portal Assistant, the link to which I provide below.
OCR is responsible for enforcing the Privacy Rule. OCR carries out this responsibility by investigating HIPAA complaints against covered entities, conducting compliance reviews and performing education and outreach to foster compliance.
[i] See, e.g., Arons v. Jutkowitz, 9 NY3d 393, 412-415; 880 N.E.2d 831, 850 N.Y.S.2d 345 (N.Y. 2007).
• Christian Legal Society
• The Library of Congress’ website:
• Civil Pro Se Forms
• Federal Rules of Civil Procedure
• Public Access to Court Electronic Records (“PACER”) system
Disclaimer: The information contained in this article is offered for educational purposes only and is not intended to substitute for legal advice and is not customized to your particular needs. Before undertaking self-representation, we urge you to consult with an attorney licensed to practice in your state.