HIPAA Compliant Vaccine Tracking with OnTask
Published: August 20, 2021
After hearing recent claims that answering personal questions about vaccination status violates HIPAA, you may feel concerned that your company policy on vaccination records fails to comply with the law. Are you as an employer legally allowed to request such records under the Health Insurance Portability and Accountability Act? And if it is in fact legal, how can you have total confidence you are acting in compliance with privacy regulations protecting your employees (and yourself)?
Here are a few key things to keep in mind as you ensure your company’s policies and activities surrounding health records are fully compliant.
What is Protected Health Information?
Protected Health Information (PHI) is individually identifiable health information that a HIPAA covered entity (a health plan, healthcare clearinghouse, or healthcare provider that bills electronically) or its business associate creates, receives, maintains, or transmits. It covers information about a person’s past, present, or future physical or mental health, the healthcare they receive, and payment for that care, whenever the information identifies the person or could reasonably be used to identify them.
What Are Some Examples of Protected Health Information?
There is a lot of confusion surrounding what is and what is not considered to be protected health information. Under HIPAA, health data is PHI only when all of the following are true:
- It identifies the patient, or could reasonably be used to identify them (a name, date of birth, address, Social Security number, medical record number, and similar identifiers all count).
- It relates to the patient’s health condition, the care provided, or payment for that care.
- It is held by a covered entity or a business associate acting on its behalf.
The following are some examples of PHI:
- Billing information from a doctor or hospital
- Email to a doctor’s office, hospital or pharmacy about a prescription medication or treatment needed
- Doctor’s office appointment scheduling notes and confirmations
- Any test results, including vaccination records held by a provider or health plan
- Phone call logs and voicemails a provider keeps about a patient
What Is Not Considered Protected Health Information?
Health-related data is not PHI when it is not held by a covered entity or business associate, or when it cannot be tied to an individual. The following are not PHI when collected by a consumer app or device rather than by a healthcare provider or health plan:
- Calories burned throughout the day or after a workout
- Steps logged by a pedometer
- Blood sugar level readings
- Heart rate monitor results
Still, the same readings become PHI as soon as a covered entity records them in a patient’s chart, and even outside HIPAA this data can identify a person through account names, usernames, and device identifiers. Other privacy laws (state consumer privacy statutes and the FTC Act, for example) may apply, so review the applicable rules before collecting or sharing this health data.
What HIPAA Is (and Isn’t)
It’s true that HIPAA covers protected health information (PHI), which includes vaccination records. But it actually doesn’t protect individuals from being asked to reveal their health records. It also doesn’t prevent employers from requiring employee vaccination.
Rather, it prohibits healthcare organizations and their business associates from revealing patient records to unauthorized parties without the patient’s permission. Businesses that are not in healthcare and do not qualify as “business associates” are not actually covered by HIPAA regulations at all. And generally speaking, these requirements regulate patient records – not employee records.
That said, when in doubt, it is safer to handle records to a HIPAA-compliant standard. Beyond this, other laws (such as the confidentiality requirements of the Americans with Disabilities Act) still require careful handling of employee health data.
The 5 Main HIPAA Rules
With federal vaccine guidance and employer requirements changing frequently, you might wonder why HIPAA stays critically important.
It’s because HIPAA rules and regulations provide a framework for organizational uses and disclosures of protected health information, how to keep PHI safe, and what to do in the event of a PHI breach. With five key HIPAA components (the Privacy Rule, the Security Rule, the Identifiers Rule, the Breach Notification Rule, and the Enforcement Rule), there’s a lot to keep in mind, and even more to keep track of.
But we’re all about making tracking easier, so we’ve helped you break down the HIPAA rules and regulations:
1. The Privacy Rule
Under HIPAA, the Privacy Rule protects patient PHI and medical records, and establishes federal access standards for health care providers and patients across the board. The Privacy Rule also sets privacy standards for a company and organization’s HIPAA policies and release forms. It places limitations and conditions on the multiple uses and disclosures of patient information that can and cannot be made without patient consent. It also gives patients the right to obtain a copy of their medical records, inspect them for errors, and request that corrections be made to their file.
2. The Security Rule
While the HIPAA Privacy Rule deals with PHI in any form (paper, electronic, or spoken), the Security Rule focuses specifically on Electronic Protected Health Information (ePHI). The Security Rule sets forth the national standards to protect patient ePHI that is created, received, used or stored by covered entities and business associates, organized as administrative safeguards (risk analysis, workforce training, access management), physical safeguards (facility and device controls), and technical safeguards (access control, audit logging, integrity checks, and transmission security).
3. The Identifiers Rule
HIPAA requires covered entities to use standard unique identifiers in electronic healthcare transactions so that the parties to a transaction can be identified consistently. Healthcare providers use a National Provider Identifier (NPI), and employers are identified by the Standard Unique Employer Identifier, which is the same federal Employer Identification Number (EIN) you use on your year-end taxes. These identifiers exist to standardize transactions; they do not by themselves protect sensitive data such as Social Security numbers, which still has to be safeguarded under the Security Rule.
4. The Breach Notification Rule
Breaches and data leaks happen more often than we’d like to think. Cybercriminals can sell patient PHI on the black market for, by some estimates, up to $250 per file. What makes this crime even more devastating is that this data, unlike stolen banking info, cannot simply be cancelled and reissued. The Breach Notification Rule requires covered entities to notify affected individuals, and the Department of Health and Human Services, after a breach of unsecured PHI (generally within 60 days of discovery), and to notify the media when a breach affects more than 500 residents of a state. Keep your records safe to begin with through your written policies and employee training (more on that later), and make sure you have a process for reporting data breaches. These actions go a long way in protecting employee information in the long run.
5. The Enforcement Rule
Let’s say an organization or covered entity denies a patient the right to see their file, shares ePHI without authorization, fails to use the required identifiers, or fails to report a breach. They can be found liable under HIPAA’s Enforcement Rule, which governs how HHS investigates complaints, conducts compliance reviews, and imposes civil money penalties tiered by the level of negligence, and they can pay serious fines.
Protecting PHI doesn’t mean just protecting vulnerable employee data. It also means safeguarding your organization from breaking HIPAA’s enforcement rules, which penalize business associates, covered entities and other organizations that fail to comply with the above laws.
Keeping up with these rules, and with the guidance around them, can be tedious for your organization, especially when you’re working on ushering employees back into the office. It’s becoming more and more common for HR teams to rely on a system to automate the hard work for them which, in turn, keeps this valuable information safe.
Vaccine records, like other sensitive employee data, should be treated as protected information regardless of HIPAA coverage. The ADA treats information an employer obtains through medical inquiries, including vaccination status, as a confidential medical record and requires strict compliance with ADA confidentiality rules when storing it.
A compliant records system must:
- Store employee medical information securely and in a separate file from the general personnel file
- Keep those medical records strictly confidential (even if they are not about a disability)
- Restrict access to the records to the people who need it (for example, supervisors who must accommodate work restrictions, and safety personnel) and secure them from unauthorized access
Any system that falls within HIPAA compliance likely will also comply with ADA regulations (but check for yourself to be certain).
Training Employees in Compliance Regulations
The best records system in the world still needs the support of properly trained employees. A single poorly trained person with the right access can wreak havoc on the confidentiality of sensitive information. To this end, proper training, including regular refreshers and updates as regulations change, is paramount.
A well-organized training system allows you to:
- Centralize learning materials
- Easily facilitate reminders and follow-ups
- See and manage team workflows
- Know who has completed assigned tasks
Nothing is left to chance and the collaboration process is painless. It ensures your training strategy is well-controlled and planned, so that nothing falls through the cracks and the people with access to sensitive data know how to handle it properly.
This bears repeating: no system for storing confidential data is secure until everyone with access is well-versed in their compliance responsibilities.
How OnTask Helps with Vaccine Record-Keeping
- Create customized workflows to collect vaccine information
- Automate employee follow-ups based on questionnaire responses
- Track employee form completion from a dashboard
- Customize compliance training assignments and automate reminders
It’s the definition of elegance: the same tool that simplifies your record-keeping and training also helps keep both compliant at all times.
Implementing a Compliant, Efficient, and Human-Centered Vaccination Policy
Although employee and patient privacy laws such as HIPAA or the ADA must be carefully considered, it is entirely possible to implement a strong vaccination policy while fully respecting them.
By adopting a secure, well-organized system and ensuring your teams’ compliance training is up-to-date, you go beyond merely meeting minimum requirements. You also work to ensure potentially nervous employees can feel respected and secure in sharing sensitive personal health data with the company. This can go a long way in getting everyone on-board in the company and minimizing resistance to the policy.
Of course, technological solutions are only as good as the relationships they facilitate. At a human level, the best way to reduce friction over sensitive policy changes is to carefully focus on reciprocal, truly responsive relationships. In being intentionally communicative and responsive, leadership can greatly support a healthy, transparent work culture and actively build trust. This is imperative to an effective COVID safety policy. And though not a replacement for the human side of relationships, OnTask can help with this, too.
Through workflow automation, it offers teams one more tool to facilitate crucial conversations and feedback surrounding difficult new policies.
Need help building your employee vaccination program? Contact us.