Vaccine Status and HIPAA Privacy Rule: What Covered Entities Can Share

Kevin Henry

HIPAA

January 30, 2025

6 minute read

HIPAA Privacy Rule Applicability

Under the HIPAA Privacy Rule, “Covered Entities” include health plans, health care clearinghouses, and health care providers that conduct Electronic Standard Transactions. Vaccination status, when linked to an identifiable person, is Protected Health Information (PHI) in the hands of these entities.

“Business Associates” that create, receive, maintain, or transmit PHI for a Covered Entity (for example, a vendor operating an immunization registry or a cloud EHR) are directly liable under HIPAA and must follow a Business Associate Agreement. Their use and disclosure of vaccine status is limited to what the agreement and HIPAA permit.

HIPAA generally does not regulate employers, schools, or venues in their role as such. Information an employer collects directly from an employee is typically outside HIPAA unless the information is held by the employer’s group health plan (which is a Covered Entity) or its Business Associates.

Employer Inquiries

Employers may ask employees whether they are vaccinated or request proof. Doing so does not, by itself, implicate HIPAA because employers are usually not Covered Entities when acting as employers. However, the Americans with Disabilities Act requires treating vaccination records as Confidential Medical Information, restricting access and storage.

Keep questions focused on vaccination status or proof. Pre-screening questions about medical conditions or family history can trigger additional obligations under disability and genetic information laws. If the employer receives vaccination information from its group health plan, HIPAA rules for the plan apply and the employer’s use is limited by plan-sponsor restrictions.

Disclosure of Vaccination Status

Covered Entities may disclose vaccination status without “Individual Authorization” for limited purposes, subject to the minimum necessary standard (except for treatment):

  • Treatment, payment, and health care operations.
  • Public health activities to Public Health Authorities (for example, reporting immunizations or supplying data to an immunization information system).
  • When required by law (such as state school-entry immunization laws).
  • To avert a serious and imminent threat to health or safety, consistent with law and ethical standards.
  • Workplace medical surveillance: a provider may disclose work-related medical findings (including vaccination) to an employer if the employer requested the evaluation for occupational health purposes and the worker is notified of the disclosure.

For other purposes—such as sending vaccination status to a non-health care employer or a third party—Covered Entities generally need a signed “Individual Authorization” from the person. Disclosures should share only what is necessary (for example, “COVID-19 vaccine received on [date]”) rather than full medical charts.

Confidentiality Requirements

Covered Entities and Business Associates must implement administrative, physical, and technical safeguards to protect vaccine status as PHI. This includes role-based access, encryption, audit logging, workforce training, and breach notification processes. When transmitting PHI as Electronic Standard Transactions, use the required formats and code sets and secure the transmission path.

Employers that collect vaccination information directly must treat it as Confidential Medical Information under the Americans with Disabilities Act: store it separately from personnel files, restrict access to those with a need to know, and protect it with reasonable security controls. Aggregate or de-identified reports should be used whenever individual identities are not required.

Covered Entity Disclosures

In practice, Covered Entities can share vaccination status in these common scenarios:

  • With the individual or their personal representative upon request.
  • With other treating providers to coordinate care or determine immunization schedules.
  • With Public Health Authorities and state immunization registries as permitted by law.
  • With schools or childcare facilities when required by state law and, where applicable, the individual (or parent/guardian) agrees.
  • With an employer only in the narrow occupational health circumstances described above, or with the employee’s Individual Authorization naming the employer as recipient.

For each disclosure, apply the minimum necessary standard, document what was shared and why, and follow the Notice of Privacy Practices commitments.

State and Federal Laws

HIPAA sets a national privacy baseline. More stringent state privacy laws and immunization rules can apply and are not preempted. State immunization information systems, school-entry requirements, and record-retention rules may further limit or compel disclosures.

Beyond HIPAA, federal workplace laws matter. The Americans with Disabilities Act requires confidentiality and restricts medical inquiries; Title VII and related laws may require reasonable accommodations or prohibit discrimination based on religion or disability. Always align HIPAA compliance with these parallel obligations and applicable state law.

Documentation of Authorization

When a disclosure requires an Individual Authorization (for example, a provider sending vaccine status to a non-occupational employer), the authorization must be in plain language and include:

  • A description of the information to be disclosed (for example, “proof of influenza vaccination and date”).
  • The name or other specific identification of the person/entity authorized to disclose and the recipient.
  • The purpose of the disclosure.
  • An expiration date or event.
  • Statements about the right to revoke, the potential for re-disclosure by the recipient, and whether treatment, payment, enrollment, or eligibility is conditioned on signing (if applicable).
  • The individual’s signature and date (electronic signatures are permissible if consistent with law and policy).

Maintain a copy, honor revocations prospectively, and log the disclosure. Verify identity and authority before releasing information. Key takeaway: share only what is necessary, rely on clear legal permissions, and document each step.

FAQs

Can employers ask employees about their vaccination status without violating HIPAA?

Yes. Asking employees about vaccination status or requesting proof does not violate HIPAA because employers are usually not Covered Entities when acting as employers. However, the Americans with Disabilities Act requires treating the information as Confidential Medical Information, stored separately with limited access.

When can covered entities disclose vaccination status without authorization?

Covered Entities may disclose without Individual Authorization for treatment, payment, and health care operations; to Public Health Authorities; when required by law; to prevent or lessen a serious threat; and to an employer for workplace medical surveillance when the employer requested the evaluation and the worker is notified. Other disclosures generally require a signed authorization.

How must employers store vaccination information?

Store it as Confidential Medical Information: keep records separate from personnel files, restrict access to those with a need to know, secure them with appropriate safeguards (such as encryption and access logs), retain only as long as necessary under applicable law, and avoid sharing with coworkers or supervisors unless strictly required for job-related purposes.
