Botdoc Blog

Beyond HIPAA: Personal Privacy Measures Every Organization Should Consider

Written by Laura Johns | Dec 21, 2021 6:15:32 PM

Since the start of the pandemic, COVID-19 has fundamentally changed the ways people socialize, shop, work, go to school, and more—and the Centers for Disease Control and Prevention (CDC) says that activities like these are safer if you’ve been vaccinated. 

That’s why as we head into 2022, the number of places that require proof of vaccination against the coronavirus is growing. From universities and grade schools to restaurants and biotech companies, many organizations are already requiring proof by showing a CDC-approved COVID-19 vaccination record card, which tracks which vaccine you were given as well as the date and the location where it was administered. However, since these cards contain sensitive personal data, many organizations are looking for resources on what they need to consider before collecting such private information.

We’re sharing the top three reasons why organizations need to protect personal information if they plan on requiring vaccination cards. 

1. HIPAA Requirements
According to the CDC, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a “federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” The types of individuals and organizations that are subject to HIPAA include healthcare providers, health plans, healthcare clearinghouses, and business associates. 

Late in 2021, a former NY hospital employee was charged with improperly accessing the protected health information (PHI) of 13,000 patients. The employee had been viewing electronic medical records without role-based authorization. This is one of many instances last year in which violations compromised patient privacy.

Because of HIPAA requirements, there has been some confusion about whether the HIPAA Privacy Rule prohibits businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. And for good reason: criminal violations of HIPAA can lead to substantial fines. However, the U.S. Department of Health & Human Services has clarified that the HIPAA Privacy Rule does not “regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (e.g., PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.”

This means that organizations that require proof of vaccination need to be mindful of how they receive, store, and transmit any protected health information. For example, if you are a school administrator collecting vaccination proof from teachers and students, are people submitting it simply via email? Are any photos or copies of vaccination cards stored confidentially, with access limited to those who need it?

2. IT Security

Organizations that require vaccines need to ensure that their IT teams can in turn ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI). This means going beyond a shared Google Drive folder that contains the vaccination records of every single employee. Whether an organization has a file transfer system that isn’t quite cutting it or doesn’t have a file transfer system at all, it will likely need to enhance its digital capabilities in order to mitigate risk.

One powerful way organizations can achieve this is by using a “sending” technology rather than a “sharing” one for their file transfer system. With a “sharing” technology, both parties exchange data, documents, and more in a common environment, but end users must first set up a pin, password, login, application, or software in order to join that “sharing” environment. With file “sending” technologies, only one party needs to be on the system in order to chat, sign, pull or push information, and more, without adding friction to the user’s experience by forcing them to create a pin, password, or account. With a more convenient process such as this one, employees are less likely to disregard risk or compliance requirements, which would otherwise push them toward insecure channels such as email.

3. HR Confidentiality

Beyond HIPAA requirements, businesses have the professional responsibility to protect the personal privacy of their employees, clients, and/or students. Collecting and storing vaccine information gets especially tricky, however, since many organizations still have remote or hybrid work environments. Some organizations may still choose to mandate the vaccine for all employees who are not exempt due to religion or disability. Some organizations may take a hybrid approach and require the vaccine for those who have returned to the office or cannot fully socially distance themselves in the workplace.

Whatever your approach, the process of collecting vaccination proof needs to protect any personal information. Even if an organization is not subject to HIPAA, any private information must be protected (encrypted) in transit and at rest, with access limited to those who need it. Since COVID vaccinations can be a sensitive and even controversial topic in the workplace, HR teams should take the necessary steps to minimize frustrations, fears, and conflicts about collecting vaccination records.

The BotDoc Solution

When it comes to such a crucial and sensitive topic such as COVID vaccination records, people can easily get stressed. Your organization can get ahead of these difficulties, however, by using a file transfer system that makes it a breeze for employees to file vaccination records, manage them, and retrieve them. 

Botdoc is the first-ever easy, remote, and secure file transport service that works via text messaging and email with end-to-end encryption. Our solution is always simple to use because the consumer experience is everything to us. With Botdoc, there are no pins, no passwords, no logins, no accounts, no apps, and no software to download.

Interested in learning more about BotDoc? Let’s start a conversation today.