What you Need to Know about HIPAA and the COVID Vaccine

Leonardo Koshoni, Head of Business Analysis
January 20, 2022

The COVID-19 pandemic has changed the world as we know it. It has affected our ability to travel, our work lives and our personal lives. How HIPAA applies to COVID information, and how US law will evolve in a post-COVID world, is an interesting question.

The creation of the COVID vaccine has meant that some elements of our lives can return to normal.

Despite this, there have been many conspiracy theories around the vaccine's intention. Whilst most of these are pure conjecture, there are some legitimate privacy concerns being raised around the vaccine.

To help move our lives back to normal, some nations and even cities have deployed a "vaccine passport". This is an individual tool to demonstrate a person's vaccine status. These could be used for the workplace, clubs and bars, or access to large events.

Vaccine passports have already begun to be implemented across Europe and in big cities like New York. Those who are vaccinated are able to show their COVID-19 vaccination status on entry to large events, like sports or concerts.

However, this new solution has raised questions about data privacy. Those in countries without passports want to know what the future relationship between HIPAA and COVID information looks like. Here's what you need to know about the COVID vaccine and the security of personal health data.


Vaccine Passports

Vaccine passports are already being implemented in many nations. However, some governments have yet to bite the bullet. This includes the United States.

In March 2021, the state of New York introduced the "Excelsior Pass". It was developed by the tech company IBM, who are firm believers in the success of vaccination passports.

This was meant as a tool to encourage a safe re-opening of the city. These passes could also be used to show negative test results. Around 1 million people downloaded the pass, but overall uptake was limited.

The passports were created as a simple solution for individuals to demonstrate that they are vaccinated against COVID-19. Typically, these are held on your phone or other electronic devices, and within your healthcare records.

The passport tells whoever checks it whether you've had your vaccinations, how many, what type you received, and when.

In countries where they have been implemented, they are used to access potential COVID-19 hotspots. You may show your vaccination passport to access clubs, bars, sporting events and concerts. They are intended as a method for keeping the public safe at events where the virus could spread.

In New York, the Excelsior Pass could be presented at any organization that required the pass.

Primarily, both governments and the public are concerned about the safety of their data. They are worried about their protected health information being used negatively and without authorization.

The public has demonstrated concern about the potential impact of vaccination passports on their jobs and their daily lives. For instance, if they are not vaccinated, will this information work against them in job applications or social settings?

Ultimately, a further understanding of HIPAA and COVID vaccination passports is required. Privacy regulations will guide what information is available, or accessible, and how the data can be used.

What COVID Information can be Stored?

The regulations regarding COVID and data security are still relatively unclear. As nations focus on tackling the epidemic, data privacy has not been the priority.

However, as we learn to live with the COVID-19 virus, laws and regulations have to adapt. For now, HIPAA regulations dictate the kind of information that can be stored regarding COVID health status.

Under HIPAA, there is no regulation preventing organizations from requesting your status. This includes the workplace, events, or other social settings. Therefore, organizations have the right to ask to see a COVID passport.

However, the key term here is consent. Organizations have the right to request your vaccination status, or your COVID passport. Individuals also have the right to refuse that request.

As with any protected health information, it can only be used and stored with prior patient authorization.

The Privacy Rule does not regulate an individual's or organization's ability to request information. It simply dictates how that information may be used, once given, depending on the entity. Therefore, whether your COVID vaccination status is stored is entirely up to the individual.

For example, under the Privacy Rule, an employer can request your vaccination status. However, other employment regulations prevent them from using the information to discriminate, and dictate appropriate data storage.

Who has Access to Vaccination Status?

So, an organization can only access and store your vaccination status with your permission. However, there are some instances where you might have already given permission.

By receiving the COVID-19 vaccine, you have already given permission for healthcare authorities to store that information. This might have been given to your physician, or directly into your electronic healthcare records through a vaccination centre.

Therefore, your vaccination status, and information about when and where you received your doses, is naturally accessible by healthcare organizations. For instance, if you move physicians or visit multiple hospitals, they will need access to view your healthcare records.

Consider what other healthcare services you have previously given authorization to. If you purchase prescriptions online, then the online service has access to your records.

Any service that utilizes healthcare records will have access to your vaccination status. However, information stored by healthcare providers and facilities does fall under HIPAA. Therefore, they are prevented by HIPAA from sharing this information with external parties.

Employers, social events, and other external sources cannot request information from healthcare providers. For example, your employer cannot request PHI from your physician. Your COVID vaccination status falls under PHI in this instance.


COVID Information that isn't Protected by HIPAA

Ultimately, whether COVID vaccination statuses are covered by HIPAA is entirely based on who is storing that information. It may not be fully clear until the courts have finished their work.

Healthcare providers and organizations are covered entities, therefore they must store information safely and cannot share it. They are bound by HIPAA. This also extends to business associates of healthcare providers.

HIPAA also dictates that individually identifiable data must be protected. Therefore, covered entities cannot share specific vaccination statuses outside of the necessary or authorized healthcare organizations.

Employers and other organizations may not be covered entities, but it again depends on the situation. Where they are not, their stores of personal data are not protected by HIPAA specifically. However, other regulations, like the Americans with Disabilities Act, dictate how vaccination information must be stored instead.

Aside from healthcare organizations, the individual is entirely in control of their vaccination status, and who can access it. Consider what organizations need to know about you and your COVID vaccinations. If your organization has access to individual COVID vaccination records, ensure you know the appropriate laws for data safety.

At Vertrical, we understand the need for security when handling patient or user data during tech development. Our projects are built with compliance in mind, thanks to our teams of compliance experts. Get in touch today to ensure maximum data protection in your next digital health project.


