Proposed state-mandated, employee vaccine passports violate people’s medical privacy and will probably require businesses to break federal HIPAA law


New COVID workplace restrictions, issued by Washington State Labor and Industries (L&I) late Friday (May 21), require employers to check employee vaccine documents before allowing relaxation of social distancing and mask requirements in the workplace. In other words, state leaders want Washington residents to show a vaccine passport in the workplace.

The obvious question on everyone’s lips is, “Isn’t this a violation of my medical privacy?”

There is no clear yes or no answer. 

Sharing personal medical data is your decision.

However, when it comes to the workplace there is a way a federal Health Insurance Portability and Accountability Act (HIPAA) violation of your medical privacy can occur. (5/26 Update - The vaccine passport mandate may also violate the Americans with Disabilities Act - ADA).

By notifying your employer that you don’t give consent for the employer to share your medical information and vaccine status with other parties (including L&I) and despite the lack of consent, the information is still shared, is where a HIPAA violation can occur.

In other words, you can decline to tell your employer whether you’re vaccinated and say you do not give consent to share that information with any other entities. If L&I asks the employer for a list of employees who are vaccinated, the employer has to respond that some employees have not given consent. For the employer to reveal private medical information would be a HIPAA violation, subject to potential fines and other federal penalties.

If the employer falls under the classification of a covered entity or business associate, then you have to follow HIPAA rules.

A “Covered Entity” is defined by HIPAA as health plans, health care clearinghouses, and certain health care providers. “A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” In the case of Labor and Industries (L&I) requiring employers to store vaccine information for enforcement actions, this would make the employer a covered entity and a business associate under federal law.

L&I asking for the information is placing a business in a position of potentially violating HIPAA or losing its business license. This is based on the enforcement penalties that L&I says they will impose if you violate the rules L&I has put in place for COVID vaccinations.  Either way, enforcing the state’s vaccine passport rules will put the employer in legal jeopardy.

State officials should not be able to force workers to provide vaccine passports and should not make businesses and other organizations require employees to report private medical information. They should certainly not make workers display a special badge or credential that advertises a person’s private medical information for all to see.

This new proposal is about as workable, and popular, as the state’s failed effort last year to make businesses collect sensitive personal contact tracing information.  The state’s L&I rules to create a Washington state vaccine passport with information collected and enforced by businesses is a clear overreach of state government and should be repealed immediately.

Sign up for the WPC Newsletter