Flu Shots in the Workplace: Do HIPAA Privacy Rules Apply?
By Barbara J. Zabawa, JD, MPH
The Center for Health & Wellness Law, LLC
Envision this scenario: an employer hires a vendor to offer flu shots to all employees. Employees write their name on a list that all other employees (and the employer) can see. On the day of the flu shot clinic, employees who registered stand in a hallway waiting their turn, in view of other employees and their bosses. Does this situation violate the employees’ HIPAA privacy rights?
The answer is probably not. Why, you may ask? There are several reasons. First, because this flu shot clinic is being offered to all employees through a vendor, we must assume that the clinic is not offered through the employer’s group health plan. Most group health plans are subject to HIPAA privacy rules because they are “covered entities” under HIPAA. There are three types of covered entities: 1) health plans (of which most group health plans are a part); 2) health care providers; and 3) clearinghouses. 45 CFR § 160.103. Employers by themselves do not fit within any of those categories, so they are not subject to HIPAA privacy rules.
Second, HIPAA privacy rules govern the use and disclosure of “protected health information” or “PHI.” HIPAA privacy rules exempt “employment records” from the definition of PHI. See 45 CFR § 160.103.
Third, the federal Department of Health and Human Services (HHS) issued a fact sheet about when and how HIPAA privacy rules apply to workplace wellness programs. Flu shot clinics are often part of a workplace wellness program. According to HHS, where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that the employer collects from employees is not protected by the HIPAA privacy rules. However, other federal or state laws may apply and regulate the collection and/or use of the information. See https://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/.
So, back to our scenario. The fact that employees register for the flu shot clinic and stand in the hallways waiting their turn does not violate their HIPAA privacy rights because the employer is not a HIPAA covered entity in this example.
But what if the flu shot was offered through the employer’s health plan to health plan enrollees? In that case, the health plan would be a HIPAA covered entity and would need to take steps to ensure the privacy of employees who participated in the flu shot clinic. Because it is the health plan that is administering the program, any health information collected would constitute PHI. If the employer in that scenario wanted individually identifiable information collected from the flu clinic, the health plan would need to ensure that the employer meets certain requirements under HIPAA before disclosing that information. Specifically, the employer would need the information for plan administration functions and it would need to modify its plan documents to restrict uses and disclosures of such information in accordance with HIPAA privacy requirements. 45 CFR § 164.504(f)(1).
One last question: what about the vendor in this scenario? Is the vendor who delivers the flu shot subject to HIPAA privacy rules? Assuming the vendor consists of health care professionals, they may be subject to HIPAA privacy rules. Health care providers are “covered entities” under HIPAA if they transmit health information in electronic form in connection with a HIPAA covered transaction. 45 CFR § 160.103. Those transactions usually encompass submitting insurance claims for payment or submitting encounter information. If the health care professional administering the flu shot is not performing a HIPAA covered transaction after administering the flu shot, he or she would not be subject to the HIPAA privacy rules. That is most likely the case in this scenario, so the employees’ HIPAA privacy rights would not be at stake.