We’ve received some questions from clients on how to store and process vaccine status information from their workforce and how HIPAA applies. OCR released some guidance on different scenarios and how the HIPAA Privacy Rule applies, if at all.

Additionally, here is a general outline of how your healthcare organization should handle storing vaccine information:


  • If your organization is administering the vaccine directly, then you would manage those records as PHI.
  • If you are requesting that your employees prove that they have received vaccinations, and they request this information via a normal medical records request and then provide that to your organization as proof, that is a PII record and would be handled as such.
  • If your organization is requiring vaccinations and also administering that vaccine, then the records would be both PHI and PII. The record that you gave the shot(s) is PHI in your EMR, and when you place a record in the employee file, it also takes on the PII attributes for that record.
    • Also, in this case your organization would need to release the record per normal policy and request that the released record be able to be placed into the employee’s file.