[ Wednesday, October 17, 2012 ]
Is an employee badge tag that says "I"ve been vaccinated for the flu" a HIPAA breach? That's been the topic of discussion on the AHLA HIT listserv of recent days. Many hospitals and other healthcare providers require their employees to get a flu shot; employees who refuse are either removed from patient contact or required to wear a surgical mask whenever around patients. (Why so many refuse to get a flu shot, I just can't imagine.) In order for hospital infection control people to easily determine whether a person should be wearing a mask, the hospital places a sticker on the badges of employees who DON'T need a mask. That way, if the Chief Infection Control Officer sees an employee without a mask and no sticker, he/she can write them up for violating policy.
Jeff [3:48 PM]
The question is, since the hospital administers the flu shot as a provider, and is a covered entity under HIPAA, is the information (that the employee got a flu shot) PHI, and therefore the hospital's disclosure of that PHI (by requiring the employees to wear a sticker saying they got the flu shot) an improper use/disclosure of PHI under HIPAA?
My contribution to the analysis is that the flu shot is required as an employment matter, and that whether the employee got the shot is information from the employee's employment record. Employment file data is, by definition, excluded from the definition of PHI, even if it is individually identifiable health information. Since it's not PHI, its disclosure is not a violation of HIPAA.
Hat tip: Vicki Wanjura
Blogger: HIPAA Blog - Edit your Template