COVID Vaccines: When is an Employee’s Vaccination Status HIPAA-Protected?

Whether an employee’s vaccination status is protected by HIPAA has been (or should be) on the minds of all human resources personnel as of late. This is especially true in the wake of the impending rule from the Department of Labor’s Occupational Safety and Health Administration (“OSHA”) that will likely require employers with 100+ employees to ensure their workforce is either vaccinated or regularly tested. While waiting for the OSHA rule to be finalized and released, employers should ensure they are familiar with the Privacy Rule’s application to vaccination status by asking questions like:

  1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated? 
  2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

Fortunately, the Department of Health and Human Services (“HHS”) recently addressed these and other frequently asked questions in new guidance. Below is a quick refresher on the HIPAA Privacy Rule, as well as the HHS response to these common questions.


The HIPAA Privacy Rule generally applies to information categorized as protected health information (“PHI”). PHI includes almost all health information that identifies an individual – generally, information that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or payments for healthcare. PHI can include not only traditional healthcare information, but even names, addresses, ages, etc. when connected to healthcare information.

However, not all healthcare information constitutes PHI. PHI generally only encompasses health information that is created, received, maintained, or transmitted by a covered entity or a business associate. So that begs the question – what entities are covered entities? Health plans are generally covered entities. HIPAA defines this broadly to include any individual or group plan that pays for the cost of medical care. So, when in the hands of a covered entity, an individual’s vaccination status will likely constitute PHI and be protected under the Privacy Rule. 

Importantly, HIPAA specifically excludes from PHI information held by the employer in its employment records. An employer who sponsors a group health plan generally wears two separate hats – it has different responsibilities when acting as an employer and when acting as a covered entity, i.e. the health plan. 

Even if certain information may not be PHI and protected by HIPAA, employers should also consider whether state law provides a stricter rule. While state laws may not be less restrictive than HIPAA requirements, they can provide additional restrictions. 


Given those basic rules, HHS answered these common questions for employers:

1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated? 

No. HHS clarified that the Privacy Rule does not prohibit anyone from simply asking another whether he or she is vaccinated. When a business asks customers whether they are vaccinated, the business is likely not acting as a covered entity, i.e. the health plan. When the employer is not acting as the health plan, the Privacy Rule generally does not apply. 

Additionally, the Privacy Rule does not prohibit covered entities from simply requesting health information. Instead, the Privacy Rule is concerned with the manner in which covered entities use and disclose PHI in their possession. HHS gave some examples. The Privacy Rule does not apply when an individual:

  • is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual;
  • asks another individual, their doctor, or a service provider whether they are vaccinated;
  • asks a company, such as a home health agency, whether its workforce members are vaccinated.

The Privacy Rule also does not prohibit a person from disclosing his or her own vaccination status. HIPAA of course permits a person to disclose his or her own health status as he or she wishes. When an individual is discussing his or her own health information, he or she is most likely not acting as a covered entity or a business associate.

2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. Remember that the Privacy Rule does not apply to information held by the employer in its employment records – in contrast to information held by the health plan. The Privacy Rule does not prohibit an employer from requesting an employee’s vaccination status as part of the terms and conditions of employment. HHS also gave some examples here. The Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • provide documentation of their COVID-19 or flu vaccination to their current or prospective employer;
  • sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer;
  • wear a mask – while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location;
  • disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Although these examples are generally permitted under the Privacy Rule, employers should be aware that other federal or state laws may also come into play when requiring employees to obtain vaccinations as a condition of employment and how employers must handle that information. For example, documentation on an employee’s vaccination status must be kept confidential and stored separately from the employee’s other personnel files pursuant to the Americans with Disabilities Act.

Coming Soon to a 401(k) Near You: SECURE 2.0

On May 5, 2021, the Ways and Means Committee in the U.S. House of Representatives showed a rare sign of bipartisanship by unanimously passing the Securing a Strong Retirement Act of 2021 – more commonly known as SECURE 2.0. The bill builds on a number of items that were included in the SECURE Act that passed in late 2019 and also includes many new retirement plan features. While a number of similar bills have been proposed since the original SECURE Act was passed, the fact that this bill unanimously passed committee is a good indicator that this one has legs.

The bill contains a number of provisions to encourage employees to save more, but it also contains a number of important revenue-raising changes (i.e. changes that accelerate taxation of retirement benefits). Below is a list of some important changes included in SECURE 2.0 that may make their way into law should the bill continue to progress so smoothly.

  1. Student Loan Repayments

SECURE 2.0 builds on the student loan relief that was included in the CARES Act in 2020 and more recently in the American Rescue Plan Act that passed earlier this year.

When employees make payments on student loans, SECURE 2.0 allows employers to treat those payments as if they were elective deferrals to the 401(k) plan and make “matching” contributions to the participant’s 401(k) account. Special nondiscrimination testing is permitted in the event too many non-highly compensated employees stop making traditional elective deferrals to the plan and instead make student loan payments.

The match would be permitted on “qualified student loan payments.” The student loan payments, plus actual elective deferrals to the 401(k) plan, cannot exceed the existing annual limit on deferrals ($19,500 in 2021), and student loan payments must be made for “qualified higher education expenses,” which is essentially the cost of attendance. Matching contributions for student loan payments must be made at the same rate as traditional elective deferrals, and the employees must otherwise be eligible to receive the match if they instead chose to make elective deferrals. Finally, the matching contributions for student loan payments must vest under the same schedule as other matching contributions.

  2. Expanding Automatic Enrollment

Automatic enrollment features would be required for new plans – any plans existing when the bill becomes law (if and when that may happen) would be grandfathered and not required to implement automatic enrollment. The automatic enrollment feature must be an EACA, meaning it would require permissible withdrawals by participants and be subject to the uniformity rule.

Each participant would initially be subject to a 3% automatic contribution, and that would increase by 1% each year up to at least 10%, but the employer could choose to increase the cap up to 15%. Of course, an employee could always affirmatively elect a different contribution. There are some exceptions for certain types of plans and employers.

  3. RMD Age Increases

The bill proposes to increase the age for required minimum distributions (“RMDs”) yet again. Recall that the original SECURE Act increased the RMD age from 70.5 to 72. SECURE 2.0 proposes to gradually increase the RMD age from 73-75 over the course of 2021-2032.

  4. Changes to Catch-Up Contributions

Currently, participants over the age of 50 are permitted to contribute elective deferrals in excess of the normal limit (in 2021, an extra $6,500). SECURE 2.0 increases the contribution limit to $10,000 for participants between age 62 and 65, and the limit would continue to be adjusted for cost of living changes. Additionally, catch-up contributions to IRAs would be indexed and increase with cost of living changes.

In a revenue-raising move, SECURE 2.0 requires all catch-up contributions to be designated Roth contributions – presumably to allow the government to reap the income tax benefits sooner than it otherwise would.

  5. Roth Matching Contributions

Participants would be given the opportunity to elect for employer matching contributions to be designated as Roth. While this may help participants in their tax planning strategy, this is also a revenue-raising mechanism (i.e. it requires taxation in the year of contribution rather than when the matching contributions are finally distributed, likely years or decades later).

Again, this is just a small sample of the many changes included in SECURE 2.0. While this is not law yet, be on the lookout for this bill, or one very similar, to make its way to the full House, the Senate, and even the President’s desk by late summer or early fall 2021.

Contribution Limit for Dependent Care Assistance Programs Temporarily Increased

Earlier this month, the American Rescue Plan Act of 2021 (“ARPA”) became the latest COVID relief package passed by the federal government. ARPA, just like the many COVID relief packages that came before it, contains a number of changes that benefits professionals will want to become familiar with.

Only for 2021, ARPA allows employers to amend their dependent care assistance programs (“DCAPs”) to allow employees to contribute up to $10,500 for the tax year (or $5,250 for individuals married and filing separately). This is undoubtedly welcome relief to parents and caregivers who are likely to be returning to work in 2021 and unable to care for kids who may have not yet returned to school or other family members who continue to stay at home and need assistance. This change allows employees to pay for more of those increased dependent care costs with pre-tax dollars.

Employers generally maintain DCAPs as part of their cafeteria plans, which allow employees to contribute pre-tax dollars to a variety of qualified benefits. These contributions, in turn, reduce the employee’s taxable income. While employees are typically locked into their elections for the entire year, employees may be able to prospectively increase their DCAP election under previous IRS guidance released last month if the plan is so amended.

Prior to the ARPA change, the maximum amount that an employee could contribute to a DCAP and exclude from his or her gross income was $5,000 per tax year (or $2,500 for individuals married and filing separately).

A cafeteria plan that adopts these changes will be deemed to comply with the Code §§ 125 and 129 rules governing cafeteria plans and DCAPs. Employers may implement this change operationally now, but plans must be retroactively amended no later than the last day of the plan year in which the amendment is effective, and the plan must be operated consistent with the terms of the amendment on its effective date and ending on the date the amendment is adopted.

Employer health plans must pay the cost of a COVID-19 vaccine

As many have likely heard, multiple COVID-19 vaccine candidates have rapidly reached the final stages of development and are showing extraordinary effectiveness. The vaccines are beginning to be submitted to the FDA for emergency approval before hitting the market. This means that employers need to start thinking about how this will affect their workplace benefit plans now.

As my colleague Charlie Plumb recently wrote, employers are generally permitted to implement mandatory vaccine policies that require employees to be vaccinated before returning to the workplace. Assuming no disability or religious exception applies, the next question is this: Who has to pay for it?

Surprisingly, the answer is pretty simple: Employer-sponsored group health plans (whether fully- or self-insured) will be required to pay the full cost of the vaccine for employees covered under the plan with no cost-sharing (copay, coinsurance, deductible) to the employee.


As employee benefits professionals and insiders are inevitably aware, the Affordable Care Act (the “ACA”) already requires group health plans and insurers to cover certain “preventive care” items with no cost-sharing (also called first-dollar coverage), such as the flu vaccine. These items are generally listed on the website.

The typical process for an item to be classified as a “preventive service” starts with certain governmental groups, such as the CDC or the United States Preventive Services Task Force making a “recommendation” (although it is not as much a recommendation as a requirement) that an item should be classified as a preventive service. The item must then receive first-dollar coverage under a group health plan or policy starting with the first plan year that begins one year after the date the recommendation is made. Also, first-dollar coverage is generally only required when participants receive care from an in-network provider.


Because of the ensuing pandemic, Congress found this timeline unacceptable. The CARES Act modified the preventive service rules for the COVID-19 vaccine in early March before any sign of a vaccine was in sight. The CARES Act requires group health plans to provide first-dollar coverage of COVID-19 vaccines within 15 business days after the vaccine receives an “A” or “B” rating from the United States Preventive Services Task Force or receives a recommendation from the Advisory Committee on Immunization Practices of the CDC.

Just to reemphasize, plans generally have at least a year after a new item is added to the preventive services list to provide first-dollar coverage. But now, first-dollar coverage for a COVID-19 vaccine is required within 15 business days after the applicable governmental recommendations are made. Therefore, plan sponsors need to keep an eye out for these recommendations to ensure that their health plans are being administered properly (and are properly amended to reflect this requirement).


Also distinct from the traditional ACA preventive care rules, group health plans and insurers must pay the full cost of COVID-19 vaccines regardless of whether administered in- or out-of-network. In a joint interim final rule published by the Departments of Treasury, Labor, and Health and Human Services, plans and insurers are required to pay out-of-network providers a “reasonable” reimbursement rate in order to provide a “meaningful” benefit to participants and, presumably, to entice enough providers to administer the vaccine. A reasonable rate is generally the prevailing market rate, the Departments say. The Departments deem the amount paid under Medicare to be reasonable. Finally, providers who are participating in the CDC COVID-19 Vaccination Program are prohibited from balance billing (also known as surprise billing) vaccine recipients.


The big implication of these rules is that employers will have to bear the full cost of the vaccine for each employee covered under its health plan. To the extent an employer is going to mandate employees to become vaccinated before returning to the workplace, employers will have to weigh the cost of requiring employees to become vaccinated (when some employees might not have gotten the vaccine otherwise) against the costs of possible continued loss in productivity due to an ill workforce or employees working from home.

IRS Announces Relief for Certain Form 1094/1095 Reporting Requirements

In a similar move as in previous years, the IRS has issued relief from certain Form 1094-C and 1095-C reporting requirements under the Affordable Care Act (the “ACA”) relating to employee health plans, as well as relief from certain reporting-related penalties.

As a refresher, the ACA generally requires four forms to be produced each year, and the names are anything but intuitive:

  • Form 1094-B: This is essentially a transmittal form used by insurance carriers to report the individual statements (Form 1095-B) to the IRS.
  • Form 1095-B: This form is used to report certain statutorily-required information to the employee under a fully-insured policy about his or her coverage.
  • Form 1094-C: This is used by applicable large employers (“ALEs”) to report whether the employer offered minimum essential coverage and to transmit the employee statements (Form 1095-C) to the IRS.
  • Form 1095-C: Finally, this form is used by ALEs to report certain statutory-required information to employees about their employer-sponsored health coverage.

Which form your plan would be required to file or furnish depends on whether you are an ALE, and how you fill out the form and whether you offer fully-insured or self-insured coverage. Large employers who are self-insured are typically going to use just Forms 1094-C and 1095-C.

Extended Deadline for Participant Statements:

The IRS has extended the deadline for furnishing Forms 1095-B and 1095-C to individuals. The typical deadline to report 2019 plan information is January 31, 2021. However, the new relief extends the deadline to March 2, 2021. The extension is automatic, and the IRS has indicated that no further extensions will be granted, and it will not respond to such requests.

No Extension for IRS Filings:

Be aware that this extension does not apply to the 1094-B and 1094-C filings with the IRS. The deadline for submitting these filings to the IRS will remain March 1, 2021 (since the original due date of February 28 falls on a Sunday), for paper filings and March 31, 2021, for those filing electronically. However, while the automatic extension does not apply to these deadlines, filers may still request an extension from the IRS.

Penalty Relief:

Recognizing that the main purpose of Forms 1095-B and 1095-C was to allow an individual to compute his or her tax liability relating to the individual mandate, and because the individual mandate has been reduced to zero, the IRS has granted relief from furnishing certain documents to individuals.

The IRS indicated that it will not assess penalties for failure to furnish a Form 1095-B if two conditions are met. First, the reporting entity must post a prominent notice on its website stating that individuals may receive a copy of their 2020 Form 1095-B upon request, along with an email address, physical address, and phone number. Second, the reporting entity must furnish the 2020 Form 1095-B to the responsible individual within 30 days of receipt of the request. The statements may be furnished electronically if certain additional requirements are met.

The same reporting relief does not extend to ALEs who are required to furnish Form 1095-C. This form must continue to be furnished to full-time employees, and penalties will continue to be assessed for a failure to furnish Form 1095-C. However, the relief does generally apply to furnishing the Form 1095-C to participants who were not full-time employees for any month of 2019 if the requirements above are met. This would typically include part-time employees, COBRA continuees, or retirees.

Note that while these requirements for furnishing the 1095-B and 1095-C to individuals have been modified, these forms must still be transmitted to the IRS along with their Form 1094 counterparts.

Good-Faith Relief for Errors in Reporting:

In the final piece of good news from the IRS, it announced relief from penalties for incorrect or incomplete information on any of these forms. This relief applies to both missing and inaccurate taxpayer identification numbers and birthdays, as well as other required information.

The reporting entity must be able to show that it made a good faith effort to comply with the reporting requirements. A successful showing of good faith will show that an employer made reasonable efforts to prepare for the reporting requirements and the furnishing to employees, such as gathering and transmitting the necessary information to the person preparing the forms.

However, the relief does not apply to reporting entities that completely fail to file or furnish the forms at all.

Finally, and importantly, the IRS has indicated that this will be the last year that it will provide this good faith reporting relief.

New IRS Guidance on Suspension of RMDs

And just as we thought that the new coronavirus guidance was beginning to slow down, the IRS proved us wrong.

On June 23, 2020, the IRS issued new guidance on the waiver of required minimum distributions (“RMDs”) from certain qualified retirement plans.

I. General Background

As a refresher, section 401(a)(9) of the Internal Revenue Code requires certain qualified retirement plans, including 401(k) plans, to make RMDs starting on the employee’s required beginning date. Back in December, the SECURE Act made a change to when RMDs are required to be made:

OLD RULE: Under the old rule, participants were generally required to start taking RMDs from a retirement plan by April 1 following the later of (a) the calendar year they reach age 70 ½; or (b) the calendar year they retire.

NEW RULE: Under the new SECURE Act rule, for people who attain age 70 ½ after December 31, 2019, the age for RMDs increases to 72. Individuals who attain 70 ½ on or before December 31, 2019 are not affected (i.e., the old rule continues to apply).

II. CARES Act Relief for RMDs

As you might remember, on March 27, 2020, the CARES Act waived RMDs otherwise required in 2020. However, because the CARES Act was not enacted until March 27 of this year, some people who took their RMD earlier in the year may have missed the boat on the waiver. However, as we were expecting, on June 23 the IRS issued guidance to provide relief for those individuals.

In the June 23 guidance, the IRS permits anyone who already took an RMD in 2020 from certain plans to roll those funds back into the plan. Under the normal rules, rollovers must be made within 60 days from the date of a distribution, but last week’s new guidance extends this 60-day window for any RMD already taken this year to August 31, 2020. For example, if a participant received a single-sum distribution in January 2020, part of which was treated as ineligible for rollover because it was considered an RMD, that participant will now have until August 31, 2020 to roll over that part of the distribution. You probably should notify anyone who falls into this category of this extended deadline.

The waiver applies to the typical defined contribution plans, such as 401(k) and 403(b) plans, as well as IRAs. The relief does not apply to defined benefit plans.

The notice also provides rollover relief for additional payments that would not otherwise be eligible for rollover:

• Distributions to a plan participant paid in 2020 (or paid in 2021 for the 2020 calendar year in the case of an employee who has a required beginning date of April 1, 2021) if the payments would have been RMDs in 2020 (or for 2020) if it weren’t for the 2020 waiver.
• For a plan participant with a required beginning date of April 1, 2021, distributions that are paid in 2021 that would have been an RMD for 2021 but for the RMD waiver.

Therefore, the guidance waives the RMD for 2020 even if the employee’s required beginning date is April 1, 2021. For example, if an employee attained age 70 ½ before January 1, 2020, and retires in the 2020 calendar year, that employee’s required beginning date is April 1, 2021. Because of the CARES Act, the employee is not required to receive an RMD for 2020 before April 1, 2021 but nonetheless must still receive the RMD for the 2021 calendar year by December 31, 2021. If the employee receives a distribution during 2021, then that distribution is treated as an RMD for the 2021 calendar year to the extent the total RMD for 2021 has not been satisfied even if the distribution is made on or before April 1, 2021 (and, accordingly, is not eligible for rollover). However, because of the June 23 guidance, once the RMD for 2021 has been satisfied, any subsequent amounts distributed in 2021 that would otherwise not be eligible rollover distributions may be rolled over consistent with the rules provided in the guidance.