Many employers have asked employees to submit proof of a COVID-19 vaccination before returning to work in an office or other facility. According to the U.S. Equal Employment Opportunity Commission (EEOC), it is permissible to do so if exceptions are allowed for people with disabilities and those with sincerely held religious beliefs. The requirement also must comply with other applicable laws.

As an additional layer of protection, some employers may consider asking their human resources (HR) departments to confirm employees’ eligibility to return to work by checking COVID-19 vaccination claims submitted to their group health plans. Is such a step allowable?

Protecting PHI
An employer’s group health plan is considered a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This means it is a separate legal entity from the employer.

HIPAA applies to protected health information (PHI) that is created, maintained, received, or transmitted by a group health plan. Because most plans are required to cover COVID-19 vaccinations as preventive services, they are likely to have information about employees’ receipt of COVID-19 vaccinations. This information is considered PHI.

PHI cannot be disclosed to a group health plan’s sponsor unless the privacy rule’s prerequisites for such disclosures have been met. Generally, employers may disclose PHI only to employees performing administration functions for the plan. A firewall must be established between employees performing plan administration functions and other employees, preventing PHI from being used or disclosed for employment-related purposes without the plan participant’s authorization.

Confirming an employee’s eligibility to return to work at a physical location is an employment-related function — not a plan administration function. So, a group health plan would be barred from disclosing vaccination-related PHI to an HR department unless the employees themselves authorize the disclosure. And employees (or other plan participants) cannot be required to sign authorizations allowing the employer to receive PHI from the group health plan as a condition of receiving group health plan benefits.

Interacting Directly
Rather than obtaining and retaining each employee’s authorization, a better approach to verifying employees’ vaccination statuses may be to have them provide proof of vaccination directly to the HR department using the COVID-19 vaccination record card approved by the Centers for Disease Control and Prevention. Because this direct interaction between the employee and HR does not involve the group health plan, employers can avoid violating the HIPAA privacy rule.

Other laws may apply when requiring employees to submit proof of vaccination or when addressing other COVID-19 matters arising in the workplace. The EEOC has provided extensive guidance on COVID-19 issues under the Americans with Disabilities Act and other employment laws. These laws must be considered separately from HIPAA as they may impose requirements even in situations where HIPAA does not apply.

Grappling with the Pandemic
In conclusion, employers generally should not use their group health plan’s records to verify employees’ vaccination statuses for any employment-related purpose. As your organization continues to grapple with the questions and challenges raised by the pandemic, work closely with a qualified employment attorney to determine the best course of action.