Colleagues, the COVID Vaccine, and HIPAA

As the vaccination roll-out is well underway for our colleagues and community members, this is a great time for some important privacy reminders.

  • When receiving a COVID vaccine, colleagues are considered patients. This means they should be afforded the same privacy protections under HIPAA as all other patients.
  • Receiving a COVID vaccine is not mandatory for colleagues which is different from flu vaccine.
  • A colleague must complete a Trinity Health release form in order for the organization to share their photo that was taken while getting a vaccine.
  • There are many community members cycling through our COVID vaccination clinics. It is very likely that the colleagues working the clinics will see people they know. Receiving a vaccination at a community clinic is considered protected health information (PHI) which should not be shared with others for personal purposes.
  • If a colleague or community member shares that they received their vaccine in a personal capacity, this is not considered PHI. 
  • If you learn that a colleague or community member received a vaccine while working in the clinic or providing care, this is PHI and should not be disclosed.

Is this a HIPAA violation?

  • A coworker at lunch tells you that she did not have any side effects after getting her second vaccination. You share that information with your mother to calm her fears about getting the vaccine.

Answer: No, this is not a HIPAA violation. The information was not learned during the course of your job. It was shared by the coworker presumably as part of a friendship. The coworker is free to share any of her own medical information with anyone she chooses.

  • In the COVID vaccination clinic one colleague loudly asks another colleague what time Dr. Jane Doe came in for her vaccine.

Answer: Yes, this is a HIPAA violation.  Everyone in the clinic heard that Dr. Jane Doe had an appointment and received her vaccination. Even though the doctor is a colleague, she is a patient for purposes of receiving the vaccination and the fact that she received a vaccination would be considered PHI. The colleague should have gotten up and quietly asked for the information so it couldn’t be heard by everyone in the room to protect the information.

  • While registering patients at the COVID vaccination clinic a colleague sees her neighbor. The colleague goes home and tells her husband that their neighbor Nick received his vaccine today.

Answer: Yes, this is HIPAA violation. This is PHI which should not be disclosed without authorization from the patient.

Another important reminder is to check MyChart or follow your RHM’s procedure for obtaining COVID test results. Personal use of the electronic health record outside of MyChart is not allowed. It is also never appropriate to check test results for another person, unless you’re a member of the patient’s care team or have a legitimate business reason to do so.  We appreciate your commitment to the privacy of our patients.