As more employers roll out workplace vaccination policies that require employees to share their vaccination status and/or COVID-19 test results, there is a lot of confusion about the role of HIPAA in this effort. Do employers need to comply with HIPAA when collecting and storing employee vaccination and testing data?

In this article, we’ll explore employers’ responsibilities in safeguarding employees’ COVID-19 vaccination and testing data. But first, let’s answer the most pressing question:

Does HIPAA apply to employee vaccine tracking?

No. HIPAA does not apply to employers, or to the technology they use to track their employees’ vaccination data, because an employer acting as an employer is not a covered entity under HIPAA. Vaccination or testing data that an employee hands to an employer is treated as an employment record, not as patient data. Note that HIPAA does still bind the employee’s healthcare provider: a provider generally may not release an employee’s vaccination record to the employer without the employee’s written authorization. The restriction sits on the provider, not on the employer that receives the information from the employee.

To explain why, let’s dive a bit deeper into how HIPAA works.

What is HIPAA? What is a covered entity?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law whose Privacy Rule sets national standards for how a patient’s protected health information (PHI) may be used and disclosed. PHI may be disclosed without the patient’s authorization only for purposes the rule specifically permits, such as treatment, payment and healthcare operations; any other disclosure requires the authorization of the patient or the patient’s personal representative.

HIPAA defines three types of covered entities, plus the business associates that handle PHI on their behalf. A covered entity is an individual or organization that electronically transmits health information in connection with a HIPAA standard transaction, such as claims, enrollment, eligibility checks or payment.

The covered entities of HIPAA, and the business associates that must meet the same safeguards, are:

  • Healthcare providers: doctors, nurses, hospitals, clinics, pharmacies and other providers, but only if they transmit health information electronically in connection with a standard transaction such as billing.
  • Health plans: health insurance companies, health maintenance organizations (HMOs), government programs that pay for care such as Medicare and Medicaid, and military and veterans’ health programs.
  • Healthcare clearinghouses: entities that act as intermediaries between healthcare providers and health plans, converting non-standard health information into a HIPAA standard format (or the reverse).
  • Business associates: individuals or companies that create, receive, maintain or transmit PHI on behalf of a covered entity, such as a billing vendor or a cloud host that stores patient records. Business associates are not themselves covered entities, but they are directly liable under the HIPAA rules and must sign a business associate agreement.

Covered entities and business associates must comply with the HIPAA Security Rule, which safeguards electronic PHI (ePHI). To comply with the Security Rule, they must:

  • Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
  • Protect against reasonably anticipated threats to the security of that information.
  • Protect against reasonably anticipated impermissible uses or disclosures of the data.
  • Ensure compliance by their workforce.

An employer is not a covered entity, and when it collects its own employees’ records it is not acting as a business associate either. Vaccination or testing data shared with an employer is employee data held in an employment record, not PHI to which the HIPAA Privacy Rule applies.

Regardless of HIPAA, keeping employee data secure is still crucial

Although employers need not worry about HIPAA compliance, they are not off the hook. Like any other employee data, employees’ COVID-19 vaccination and testing data must be kept confidential and secure. In the United States the Americans with Disabilities Act (ADA) already requires that employee medical information, which the EEOC has said includes documentation of vaccination status, be kept confidential and stored separately from the general personnel file.

Failing to safeguard employee data, whether contact information, Social Security numbers, or COVID-19 vaccination and testing data, can have a serious, life-changing impact on employees. In a recent Kaspersky study, nearly 48% of small and medium-sized businesses (SMBs) that had suffered at least one data breach in the previous year reported that the incidents harmed employees’ overall work experience.

In addition to lowering employee morale, poor handling of employee data can bring major repercussions for employers in the form of PR debacles and legal problems. Organizations that do not follow legal requirements for safeguarding data can face legal action from their employees. For example, employee data falls under the California Consumer Privacy Act (CCPA), so a breach or mishandling of employee data could result in lawsuits from employees in the State of California.

To avoid these issues, employers need a secure way to collect, store and maintain employee COVID-19 vaccination data and test results. The most efficient and secure way to do this is to implement a vaccine tracking solution that takes the privacy and security of employees’ health information seriously.

When researching vaccine tracking solutions, employers should look for applications that:

  1. Are hosted in a cloud environment covered by a SOC 2 report. SOC 2 is an attestation standard from the American Institute of CPAs (AICPA) under which an independent auditor reports on a service provider’s controls against the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Ask for the report itself and check its scope: security is the only mandatory category, a Type II report covers controls operating over a period of time rather than at a single point in time, and a report on the hosting provider does not by itself cover the application running on top of it.
  2. Meet international and industry compliance standards such as ISO/IEC 27001:2013 (a certifiable information security management system standard) and NIST SP 800-53 (a catalog of security and privacy controls).
  3. Let administrators define user roles and restrict access to the records to the few people who need them for their job (least privilege), and keep an audit trail of who viewed or changed a record and when.
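The third item is the one an engineer can actually verify. The following Python sketch is an added example, not BP Logix code and not the Vaccine Tracker’s real data model: it shows what role-based, least-privilege access to vaccination records looks like when done properly. The roles (`hr_admin`, `manager`, `employee`), the field names, the 7-day testing policy and the sample records are all hypothetical. Three things matter here: a row-level rule (a manager sees only direct reports, an employee only themselves), a field-level rule (a manager gets a derived compliant/not-compliant flag, never the underlying medical detail), and an audit log that records denied lookups as well as permitted ones.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example: role-based, least-privilege access to employee
# vaccination records with an access audit trail. Not BP Logix code; the
# roles, field names, policy and sample records are hypothetical.

TEST_VALIDITY_DAYS = 7  # assumed policy: unvaccinated staff test every 7 days


@dataclass
class VaccinationRecord:
    employee_id: str
    manager_id: str
    status: str                     # "vaccinated", "exempt" or "unvaccinated"
    last_test_date: Optional[date]  # most recent negative test, if any
    proof_uploaded: bool


# Field-level minimisation: each role sees only the columns it needs.
# Managers get a derived yes/no compliance flag, never the medical detail.
# Roles absent from this table are denied before it is ever consulted.
ROLE_FIELDS = {
    "hr_admin": {"employee_id", "status", "last_test_date", "proof_uploaded", "compliant"},
    "manager": {"employee_id", "compliant"},
    "employee": {"employee_id", "status", "last_test_date", "proof_uploaded", "compliant"},
}


class AccessDenied(Exception):
    pass


class VaccineTracker:
    def __init__(self, as_of: date):
        self._records = {}
        self.audit_log = []
        self.as_of = as_of  # fixed "today" so results are deterministic

    def add_record(self, rec: VaccinationRecord) -> None:
        self._records[rec.employee_id] = rec

    def _compliant(self, rec: VaccinationRecord) -> bool:
        # Vaccinated or exempt staff need uploaded proof; unvaccinated staff
        # need a negative test within the policy window.
        if rec.status in ("vaccinated", "exempt"):
            return rec.proof_uploaded
        if rec.last_test_date is None:
            return False
        return (self.as_of - rec.last_test_date).days <= TEST_VALIDITY_DAYS

    def _authorized(self, actor_id: str, role: str, rec: VaccinationRecord) -> bool:
        # Row-level rule: HR sees everyone, a manager only direct reports,
        # an employee only their own record. Anything else is denied.
        if role == "hr_admin":
            return True
        if role == "manager":
            return rec.manager_id == actor_id
        if role == "employee":
            return rec.employee_id == actor_id
        return False

    def view(self, actor_id: str, role: str, employee_id: str) -> dict:
        rec = self._records.get(employee_id)
        allowed = rec is not None and self._authorized(actor_id, role, rec)
        # Every lookup is logged, denied ones included, so a later review can
        # answer "who looked at this employee's record and when".
        self.audit_log.append({"actor": actor_id, "role": role,
                               "subject": employee_id, "allowed": allowed})
        if not allowed:
            # One error for both "no such record" and "not yours": the
            # response must not reveal which employee IDs exist.
            raise AccessDenied(f"{actor_id} may not view {employee_id}")
        full = {
            "employee_id": rec.employee_id,
            "status": rec.status,
            "last_test_date": rec.last_test_date,
            "proof_uploaded": rec.proof_uploaded,
            "compliant": self._compliant(rec),
        }
        return {k: v for k, v in full.items() if k in ROLE_FIELDS[role]}


def build_demo_tracker() -> VaccineTracker:
    """Constructed sample data: three hypothetical employees, two managers."""
    t = VaccineTracker(as_of=date(2022, 1, 10))
    t.add_record(VaccinationRecord("e100", "m1", "vaccinated", None, True))
    t.add_record(VaccinationRecord("e101", "m1", "unvaccinated", date(2022, 1, 6), True))
    t.add_record(VaccinationRecord("e102", "m2", "unvaccinated", date(2021, 12, 20), False))
    return t


if __name__ == "__main__":
    t = build_demo_tracker()
    print(t.view("hr1", "hr_admin", "e101"))  # full record, compliant True
    print(t.view("m1", "manager", "e101"))    # only employee_id and compliant
    try:
        t.view("m2", "manager", "e101")       # e101 is not m2's report
    except AccessDenied as e:
        print("denied:", e)
    print(t.audit_log)
```

When evaluating a vendor, ask to see the equivalent of `ROLE_FIELDS` and `_authorized` in their product: which roles exist, whether a manager view is derived rather than raw, and whether the audit log is written on denied requests, not just successful ones.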

Why should I be tracking my employees’ vaccination status?

With all the complexity that comes with ensuring the security of employee vaccination and test data, some employers may wonder if it’s even worth the effort.

Tracking vaccination status and safeguarding the employee data related to COVID-19 vaccination or testing with the help of a vaccine tracking application can benefit the organization in several ways.


Here is a list of several reasons why organizations should be tracking employee COVID-19 vaccination status.

Avoid lawsuits

A growing number of COVID-related workplace lawsuits are being filed by employees under the OSH Act’s General Duty Clause, which makes employers responsible for providing a workplace free from recognized hazards that are likely to cause death or serious harm. Implementing a solution now can reduce an employer’s exposure to such claims by documenting the steps taken to keep the workplace safe. This obligation applies whether or not a vaccination mandate is in force.

Improved incident reporting

Scientists at the University of Hong Kong reported that the Omicron variant replicates about 70 times faster than the Delta variant in human bronchial tissue. Left unchecked and unmonitored, the virus can spread very quickly through a workplace. Without vaccination records and weekly test results for unvaccinated employees, it is difficult to make informed decisions about daily operations and staffing. Tracking vaccinations helps employers manage incidents and gives employees who are concerned about COVID-19 transmission in the workplace greater confidence.

Reduce manual processes and data entry

Collecting vaccination data from each employee and manually entering it into a system can be an administrative nightmare, especially for companies that operate in multiple states with different vaccination rules.

The best way to automate this process is to implement a tracking application, such as the BP Logix Vaccine Tracker, that lets employees upload proof of vaccination and test results from desktops, smartphones and tablets. A vaccine tracker reduces the organization’s dependence on manual processes and data entry, speeding up how quickly it identifies unvaccinated employees, gathers proof of vaccination, and complies with its own policies or any governmental mandate.

Keep employees’ health data safe and secure

It is the organization’s responsibility to safeguard employees’ health data. Manual processes such as spreadsheets, email attachments and shared drives can leak data and expose the organization to penalties and lawsuits. A vaccine tracker delivered from a cloud deployment covered by a SOC 2 report (or its public SOC 3 summary) helps organizations safeguard that data.

Keep track and keep safe with BP Logix

HIPAA requires its covered entities (healthcare providers, health plans and healthcare clearinghouses) and their business associates to use and disclose patients’ protected health information only as the Privacy Rule permits or as the patient authorizes.

Although employers do not need to comply with the HIPAA Privacy Rule when collecting, storing or disclosing employee vaccination and testing data, they may still want to implement a vaccine tracking solution to reduce the chance of a breach of employees’ health data and of manual oversights.

Employers should choose a vaccine tracking solution that is hosted in a cloud environment covered by a SOC 2 report, meets international compliance standards, and restricts data access to the few people who need it.

Effectively track employee vaccination information and comply with COVID-19 vaccination mandates with the help of the BP Logix Vaccine Tracker application.



Take a tour of the app and request your demo today.


Written by Catie Leary

Strategic Marketing Manager at BP Logix