
HIPAA and Vaccination Status: Asking Patients About Vaccines
An explanation of what is covered under the HIPAA Privacy Rule when it comes to asking your patients about their vaccination status.
Physicians, other health care professionals, and their offices or practices often ask patients whether they have been vaccinated against specific diseases, such as COVID-19.
- Some patients may reply by asking, “Well, are you vaccinated?”
- Other patients may answer by saying they do not have to provide that information because their vaccination status is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- A member of Congress has even said that a vaccine status question itself would be a violation of a patient’s HIPAA rights.
These exchanges do not have to result in conflict or ruined relationships. Instead, they create opportunities to build or fortify trust through patient education.
The HIPAA Privacy Rule in a Nutshell
Privacy regulations under HIPAA are collectively called the HIPAA Privacy Rule.[1] The Privacy Rule governs uses and disclosures[2] of protected health information (PHI) by physicians, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other clinicians who electronically transmit PHI as part of a defined transaction.[3] The Privacy Rule also governs the business associates of these physicians, clinicians, and health care organizations.[4] The Privacy Rule does not govern patients or their uses or disclosures of their own PHI.
The HIPAA Privacy Rule and Vaccination Status
Key terms related to vaccination status questions are “use” and “disclosure.”
- Use of PHI is the sharing, employment, application, utilization, examination, or analysis of PHI within the medical office, practice, or health care organization.[5]
- A disclosure is the release, transfer, provision of access to, or divulging, in any manner, of information outside the medical office, practice, or health care organization holding the information.[6]
- Physicians, clinicians, or practices asking a patient for their COVID-19 or other vaccination status is neither the “use” nor the “disclosure” of a patient’s PHI.
- HIPAA does not prohibit fact- and information-gathering related to the patient’s care or the safety of physicians, clinicians, and practices. Physicians, clinicians, or practice staff can ask patients or visitors whether they have received a particular vaccine, including COVID-19 vaccines.[7]
- Once the physician, clinician, or practice obtains or receives the patient’s answer to the vaccination status question, the physician, clinician, or practice is then positioned to “use” or “disclose” the information.
- Except in certain situations permitted or required by the Privacy Rule, physicians, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other clinicians must obtain the patient’s or patient’s representative’s authorization before using or disclosing the patient’s vaccination status or other PHI.
- The Privacy Rule generally permits the use or disclosure of a patient’s vaccination status to the patient’s health plan when required to obtain payment for vaccine administration, and to public health authorities.[8]
When the Patient Asks About the Clinician’s Vaccination Status
When asked about their vaccination status, some patients turn the question on the inquiring physician, clinician, or practice staff, especially after reading or hearing about a physician or nurse who is not vaccinated against COVID-19. The HIPAA Privacy Rule governs physicians, clinicians, and practices as keepers of patients’ PHI but not as keepers of their own PHI. Physicians, clinicians, and practice staff may or may not choose to share their vaccination status. The patient asking about your vaccination status may be sincerely fact- or information-gathering to assess their own risk for COVID-19 or other infectious diseases. Your positive vaccination status may encourage the patient to pursue vaccination.
Should Clinicians Terminate Patients Who Refuse to Vaccinate?
MICA’s Risk Management Consultants are frequently asked whether the physician or clinician must continue to treat the patient if the patient has not been vaccinated and/or does not intend to get vaccinated. Some physicians or clinicians may see the patient’s refusal to be vaccinated as a breakdown in the treatment relationship and believe the patient can have a more effective relationship with another physician or clinician.
Before deciding to terminate the treatment relationship, the physician should carefully evaluate the acuity of the patient's medical condition, any special circumstances, and the need for uninterrupted care. High acuity may necessitate continued treatment and tabling consideration of termination until after the patient stabilizes. Clinicians who decide to terminate should take reasonable steps to ensure continuity of care during the termination process to minimize the risk of an adverse outcome before the patient begins treatment with a new physician. For more information, consult our guide on termination of physician-patient relationships, including sample letter templates.
Acuity Considerations
When deciding whether to terminate the relationship, clinicians should assess:
- Availability of appointments with other qualified physicians within a reasonable geographical location – the patient may have to wait several months to see a new physician
- Refills or monitoring of medications – the physician should ensure the patient’s medication needs are met while the patient is transitioning to a new clinician
- Need for follow up appointments, wound care, and monitoring post-hospitalization or surgery
- Pregnancy stage
- Co-morbidities
- Medical, mental health, and surgical history
The Termination Conversation and Documentation
Appropriate termination of patient relationships should include:
- a discussion with the patient where the clinician explains the basis for the decision to terminate,
- documentation of the discussion in the medical record, and
- a follow up letter sent to the patient summarizing the discussion, emphasizing the breakdown in the physician-patient relationship, and confirming the termination.
Sometimes, a physician knows a reasonable conversation with the patient is not possible and sends a letter to the patient without having a discussion. In that case, the letter should include a simple and short explanation for ending the patient relationship.
In addition:
- Physicians should edit any template-based termination letter to fit the specific patient and situation.
- In all cases, the physician (not staff) should sign the letter.
- The physician should remain available to provide emergency care or medication refills for a minimum of 30 days.
- The practice should put a copy of the letter in the patient’s medical record and notify appointment schedulers of terminations.
Finally, in considering whether to terminate a patient relationship based on vaccination status, you may also wish to consider whether the relationship can be maintained by alternative means such as by telemedicine. Additionally, as noted by the response of some to vaccine mandates in employment, there is the risk that a patient will allege that their refusal to be vaccinated is due to religious belief, and the physician’s office engaged in religious discrimination by terminating the patient relationship.
Health and Human Services Resources
Correctly and respectfully answering patients’ HIPAA questions promotes the patient’s impression of your competence and care, further strengthening your relationship. The U.S. Department of Health and Human Services (HHS) issued HIPAA, COVID-19 Vaccination, and the Workplace to help ensure clear, unambiguous communication between physicians and clinicians, their practices, and their patients when dealing with the question of COVID-19 vaccinations as well as all other vaccinations. The frequently asked questions and answers affirm that the HIPAA Privacy Rule[9] does not prohibit physicians, clinicians, or practices from asking patients whether they have received a particular vaccine. Physicians and practices are welcome to print HIPAA, COVID-19 Vaccination, and the Workplace to share with patients and their families and caregivers.
[1] The HIPAA Rules are the Privacy, Security, Breach Notification, and Enforcement rules.
[2] 45 CFR 160.103 defines “use,” “disclosure,” and “protected health information.”
[3] A defined transaction carries out financial or administrative activities related to health care. See 45 CFR 160.103 (definition of “covered entity” and “transaction”). Also reference.
[4] See 45 CFR 160.103 (definition of “business associate”). See also the HHS’ Direct Liability of Business Associates Fact Sheet.
[5] See 45 CFR 160.103 (definition of “use”).
[6] 45 CFR 160.103 (definition of “disclosure”).
[7] See HHS’ guidance HIPAA, COVID-19 Vaccination, and the Workplace.
[8] See 45 CFR 164.506(c)(1) & 164.512(b)(1)(i). Disclosure is limited to the minimum information reasonably necessary to accomplish the stated purpose. See 45 CFR 164.514(d)(3) & (d)(3)(iii)(A).
[9] For more specific information and details, see HHS’ guidance HIPAA, COVID-19 Vaccination, and the Workplace.