Employee Experience
Navigating PII, PHI, HIPAA and COVID Workforce Vaccination & Testing Requirements
With the new executive mandate enforcing COVID-19 workforce vaccination and testing requirements for many businesses across the US, how can you ensure compliance while also navigating PHI, PII, and HIPAA requirements?
In this blog, we delve into the most frequently asked questions in relation to compliance, vaccination, and testing requirements, and what you can do to best prepare your business and people.
Since the pandemic started, companies across every industry have had to concern themselves with the personal health information (PHI) of their employees.
And for many, this is new and confusing territory.
From performing daily symptom screens and contact tracing employees who may have been exposed, to requiring employees to share vaccination records or COVID test results, HR leaders, frontline managers, and corporate risk now have to navigate increasingly complex processes.
Over the past 18 months, Qualtrics has developed and implemented multiple solutions for workplace safety and public health. This includes end-to-end COVID testing systems for states to symptom checking and contact tracing used at hundreds of colleges, school districts, and companies.
In that time, several important questions about employee privacy and protected health information (PHI) have consistently come up. And with the recently announced US COVID vaccination and testing requirements, the volume of and urgency to address these questions has only increased.
This blog asks and answers the most frequently asked questions to help teams navigate the complex world of employee privacy and COVID vaccination, testing and symptom attestation.
** This list of questions and answers will be updated regularly to provide the most up-to-date guidance.
Frequently asked questions:
1. What is the difference between PII and PHI?
What is PHI?
PHI (protected health information) is any health information that can be tied to an individual. This is only important if your organization is in an industry that is covered by HIPAA privacy and security rules.
What is PII?
PII (personally identifiable information) is any data that could potentially identify a specific individual — regardless of whether it is used for healthcare purposes.
2. What is HIPAA?
HIPAA (The Health Insurance Portability and Accountability Act) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information.
3. Who are covered entities under HIPAA?
Covered entities are those that provide healthcare, healthcare operations, and payment for healthcare services, e.g. hospitals, providers, insurance companies, clinics, etc.
Please see this reference on covered entities from the U.S. Department of Health and Human Services (HHS) for more information.
4. If my company collects health information - including COVID vaccination information - from employees is this protected information?
According to the HHS, if an employer asks an employee to provide proof of vaccination or test results that is not a HIPAA violation. Employees, however, may decide whether or not to provide that information to their employer.
5. What if my employees receive vaccines or test results through an onsite clinic?
If you provide an onsite clinic and/or administer a self-insured health plan, you are subject to ‘partial compliance’ and are required to provide certification that the employee’s PHI will be safeguarded and not used for employment-related actions.
For more information on HIPAA and how it applies to employers, please see this reference.
6. How can my organization comply with the mandate?
To comply, you must require your employees to submit proof of their vaccination status or produce a weekly negative test result as a condition of continued employment. Exemptions to this include individuals with disabilities and religious grounds.
Currently, the mandate only applies to employers with 100 or more employees.
7. How does Qualtrics — and the Vaccination & Testing Manager — support PII, PHI, and HIPAA requirements?
As a HITRUST certified system, Qualtrics is approved to upload, transfer and securely store PII and PHI. As a business, we work with hundreds of healthcare providers and insurers who are HIPAA entities to help ensure they are compliant.
In addition to being HITRUST and FEDRAMP certified, the Qualtrics Vaccination & Testing Manager allows employees to confidently share information knowing that:
- Their information is viewer restricted.
- Their information is kept confidential and separate from other personnel records as recommended by the EEOC.
- They don’t need to download an app or other technology in order to share their information.
- The data can be deleted after a set period of time as prescribed by law.
Trust and transparency are critical components of the employer-employee relationship. We’re here to help companies across every industry to maintain these key features as we all navigate through this future of work.
To learn more about recent guidance on COVID-19 disclosures in the workplace, we highly recommend reading:
HIPAA, COVID-19 Vaccination, and the Workplace from the U.S. Department of Health and Human Services