Employers may have HIPAA compliance concerns when using or disclosing employee health information to protect their workforce from the coronavirus. The HIPAA privacy rule requires “covered entities” to safeguard individuals’ protected health information (“PHI”) and sets limits on the uses and disclosures of PHI.
Although employers are not considered “covered entities” under HIPAA, their self-insured health plans (such as their self-funded medical plans and flexible spending accounts (FSA)) are subject to the law. In addition, employers with self-insured plans have access to their employees’ PHI. As such, employers must follow the HIPAA privacy rules when handling employee PHI.
This article discusses when employers can use and disclose PHI in relation to the coronavirus.
What is the HIPAA privacy rule?
The HIPAA privacy rule requires covered entities to protect individuals’ PHI and sets limits on the uses and disclosures of PHI.
What is PHI?
PHI is any individually identifiable health information created or received by a group health plan that relates to past, present or future health care or payment for health care.
Generally, medical information contained in employment records (and not accessed through the employer’s health plan) is not subject to HIPAA protections; however, other state and federal laws, such as the Americans with Disabilities Act (ADA), still require employers to keep this medical information confidential. For a more in-depth discussion of the ADA and the coronavirus, see our blog article.
How does the HIPAA privacy rule apply when an outbreak of infectious disease, like the coronavirus, occurs?
The Office of Civil Rights, Health and Human Services (HHS), recently released a bulletin that specifically addresses how to comply with the HIPAA privacy rule during the coronavirus outbreak. HHS emphasizes that the HIPAA privacy rule is not set aside during an emergency, but the rule does allow for the appropriate use and disclosure of information when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
When can employers use and disclose PHI?
Employers who have access to PHI through their health care plans can disclose that information to certain individuals/entities under certain circumstances, as outlined below.
- PHI can be disclosed without authorization:
- to health care providers, if the disclosure is necessary to treat the individual (or another patient);
- to a public health authority authorized to collect such information, such as the Centers for Disease Control (CDC) or state/local health care department, for the purpose of preventing or controlling the virus;
- to a foreign government agency upon the direction of a public health authority; and
- to individuals at risk of contracting or spreading the virus, if another law (such as a state law) authorizes the employer to notify these individuals and if done for the purpose of preventing or controlling the spread of the virus.
- PHI can be disclosed with verbal authorization:
- to an individual’s family members, relatives, friends, or other persons identified by the individual as involved in their care, for the purpose of notifying them of the individual’s location, general condition, or death. A prior authorization is unnecessary if the individual is incapacitated or unavailable and sharing the information is in their best interest; and
- to disaster relief organizations, for the purpose of notifying family members of an individual’s location, condition or death. A prior authorization is unnecessary if doing so would interfere with the organization’s ability to respond to an emergency.
- PHI can be disclosed to the media or public only with the individual’s written authorization.
If an employer does disclose PHI, they should make reasonable efforts to limit the information disclosed. Employers should only disclose what is the “minimum necessary” to accomplish the purpose.
As always, employers should consult with counsel to assess potential risk or to determine whether they can disclose PHI to third parties if the situation is unclear.
Is information collected from COVID-19 related inquiries or medical examinations administered by employers protected by HIPAA?
Some employers may decide to screen employees for COVID-19 or symptoms of COVID-19 before permitting them to enter their workplace. Screening may include COVID-19 related inquiries, temperature tests, and COVID-19 tests. The medical information collected by employers would not necessarily implicate HIPAA because the information would not necessarily be provided through the employer’s group health plan, though employers may want to take similar precautions. On the other hand, this information would be protected under the Americans with Disabilities Act (ADA). The ADA requires employers who collect medical information from their employees to do the following:
- Store all medical information separate from employees’ personnel files (which includes results of COVID-19 testing, temperature logs, statements of a COVID-19 diagnosis, and answers to COVID-19 related inquiries);
- Limit access to medical files; and
- Keep medical information confidential (unless subject to a permitted disclosure exception).
For more on the compliance considerations surrounding employer administered COVID-19 related inquiries and medical examinations, see our blog article.
- HHS Bulletin: HIPAA Privacy and Novel Coronavirus
- The HIPAA Privacy Rule
- ThinkHR COVID-19 Resources
- Leave Program Considerations in Light of COVID-19
- California Agencies Release Guidance on COVID-19
The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog.