Life Sciences and Health Care Horizons 2021
U.S. privacy challenges in employer COVID-19 vaccination programs

As COVID-19 vaccinations become available, employers are evaluating whether to provide, or request proof of, employee vaccinations. In addition to employment law considerations, these programs have significant health privacy implications.

Whether by administering vaccinations or requesting evidence of them, employers will collect employee health information (e.g., vaccine date/dose, medical conditions affecting vaccination eligibility). However, employers should avoid requesting information on family medical history, as such information is considered genetic information restricted by the Genetic Information Nondiscrimination Act (GINA).

Employee vaccine information should be properly secured and maintained separately from personnel files, and access should be restricted to those with a need to know. Employers also should evaluate their intended collection, use, and disclosure (e.g., to public health authorities) of such information in light of the Health Insurance Portability and Accountability Act (HIPAA), GINA, and applicable state health information privacy laws.

Employee health information held by an entity in its capacity as an employer is not protected health information (PHI) under HIPAA. However, any information collected directly from a health plan or provider (e.g., pharmacy or hospital) could be subject to HIPAA and require employee authorization to allow disclosure to the employer. In certain cases where the information is necessary for the employer’s workplace safety monitoring requirements and created at the request of the employer, providing employees with notice that information will be shared with the employer may be sufficient. Requesting proof of vaccination from employees directly, rather than through a HIPAA-regulated entity, simplifies the privacy challenges, although state privacy laws may still apply. In addition, where employers intend to pay for vaccinations other than through an on-site medical clinic, this could create a health plan subject to HIPAA. This would create HIPAA compliance obligations with respect to the plan and the employer as plan sponsor if it receives PHI for plan administration.

Scott Loughlin
Partner, Washington, D.C.
scott.loughlin@hoganlovells.com
Melissa Levine
Counsel, Washington, D.C.
melissa.levine@hoganlovells.com