COVID-19: What Employers Need to Know About HIPAA
Mar 23 2020
As the COVID-19 pandemic continues to affect everyday business operations across the country, employers are confronting a variety of issues on how to handle these disruptions. The intent of this Legal Update is to educate employers about under what circumstances they are permitted to disclose information related to an employee’s or patient’s positive test for COVID-19 under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Americans with Disabilities Act (“ADA”).
It may be difficult in some circumstances to discern whether health information was received by an employer through its ordinary status as an employer or through its status as a self-insured health plan. Employers should take care in making this determination based on the facts and circumstances of each situation and seek legal counsel as needed.
Covered Entities under HIPAA
- HIPAA defines “Covered Entities” to generally include health care providers, health plans, and health care clearinghouses.
- Covered Entities may not disclose protected health information (“PHI”) unless permitted by HIPAA. An individual’s health status related to testing positive for COVID-19 is considered PHI.
- One permitted disclosure under HIPAA is that Covered Entities may disclose PHI to public health authorities to the extent relevant to the authority and purview of public health authorities. This includes disclosing positive test results for COVID-19 to state and local health departments, HHS, or the CDC as appropriate.
- Covered Entities may not disclose PHI to the media.
- Unless an employer is otherwise a Covered Entity as described above, it is not subject to HIPAA’s restrictions on disclosures of PHI.
Confidentiality under the ADA
- The ADA requires employers that obtain medical information through inquiry or examination to maintain it in a confidential medical file and keep it separate from the employee’s personnel file.
- Employers have been encouraged by the CDC and EEOC to question their employees regarding travel, exposure, or symptoms related to COVID-19. Any medical information disclosed as part of this dialogue should be treated as confidential.
- If a positive case is identified in the workplace, the employer is encouraged to investigate the exposure of others in the workplace without disclosing the name of the individual or any personally identifiable information about the person.
- The confidentiality requirements under the ADA do not prohibit disclosure to state, local, or federal health departments.
Employers with a Self-Insured Health Plan
- Notwithstanding the discussion above regarding employers, a self-insured employee health plan maintained by an employer is a Covered Entity under HIPAA (i.e. the plan itself, not the employer, although we acknowledge this distinction is difficult to make for most employers). As a result:
- If the employer obtained the information through its status as a plan (i.e., as the payer for the employee’s health care services), then such information is PHI and subject to HIPAA (see first bullet above for Covered Entities).
- If the employer receives the information in the ordinary course (e.g. voluntary disclosure by the affected employee), then the second bullet above regarding employer permitted disclosures is applicable.
von Briesen & Roper Legal Update is a periodic publication of von Briesen & Roper, s.c. It is intended for general information purposes for the community and highlights recent changes and developments in the legal area. This publication does not constitute legal advice, and the reader should consult legal counsel to determine how this information applies to any specific situation.