OCR guidance on applicability of HIPAA to worker vaccination information: The OCR has issued guidance in the form of FAQs to help the public understand how HIPAA applies to questions about vaccination status posed to employees or customers. Generally, HIPAA does not apply. If the business asking the questions is not a HIPAA covered entity (generally, a healthcare provider or a health insurance plan), HIPAA doesn't apply at all. If the business is a HIPAA covered entity but the information relates to its employees (for example, a hospital asking its employees whether they have been vaccinated), the information is likely "information . . . in employment records," which is a category of information that is specifically excluded from the definition of Protected Health Information (or PHI). Of course, if the business is a HIPAA covered entity and it is asking non-employees (its patients or visitors, for example), then the entity cannot use or disclose that information except for purposes permitted under HIPAA. However, if an airline, restaurant, or concert venue asks a customer for proof of vaccination, HIPAA is not implicated.
HIPAA only applies to covered entities (and their business associates), and only applies to PHI. Is the entity a covered entity, and is the information PHI? Unless both answers are "yes," HIPAA does not apply. Simple as that.