The Effect of COVID-19 on HIPAA and other Employer Confidentiality Obligations.

As most are aware, HIPAA (the Health Insurance Portability and Accountability Act) imposes certain confidentiality obligations on companies that fall within its coverage. However, even if an employer does not fall within HIPAA’s coverage, it still has an obligation to protect its employees’ confidential health information. Some of those obligations (both HIPAA and non-HIPAA) have been affected by COVID-19, and the discussion below describes how.

HIPAA

Under HIPAA, an individual’s health status related to testing positive for COVID-19 is considered Personal Health Information (“PHI”). HIPAA covered entities, which include health plans, health care clearinghouses, and health care providers who electronically transmit any health information, may not disclose PHI unless permitted by HIPAA. (Self-insured employee health plans maintained by an employer are covered entities under HIPAA.)

With respect to COVID-19, permitted disclosures under HIPAA include disclosure of positive COVID-19 test results to public health authorities, but only to the extent that information is relevant and within their purview. In March 2020, the Health and Human Services Office of Civil Rights (“OCR”) provided more specific information about this by clarifying that a covered entity may disclose, without obtaining the individual’s authorization, the PHI of an individual who has been infected with or exposed to COVID to first responders (i.e., law enforcement, paramedics, public health authorities) under the following circumstances:

  1. As necessary to provide treatment;
  2. For public health purposes to public health authorities;
  3. As required by law;
  4. To prevent or lessen a serious and imminent threat to health and safety; and
  5. For health and safety purposes related to a correctional institution’s or law enforcement official’s lawful custody of an inmate or other individual.

Business associates, i.e., service providers to HIPAA covered entities that need access to PHI to perform the services for which they are engaged, are also prohibited from using or disclosing PHI except as necessary to perform those services.  However, in April 2020, the OCR clarified this prohibition when it announced that, for as long as the COVID-19 emergency continues, it would not impose penalties under HIPAA for unauthorized uses and disclosures of PII by HIPAA business associates who make such uses or disclosures:

a) in good faith and

b) for public health purposes related to COVID-19 (e.g., public health activities, public health oversight).

Business associates are, however, required to inform the relevant covered entity of the use or disclosure within ten calendar days.   Examples of permissible disclosures under this announcement would include disclosure of information to the Centers for Disease Control (“CDC”) to help prevent the spread of COVID-19 and/or disclosures to the Center for Medicare or Medicaid Services to assist in oversight of or assistance to health care systems’ response to COVID-19.

ADA

The Americans with Disabilities Act (“ADA”) requires employers that obtain medical information through inquiry and examination to maintain it in a confidential medical file kept separate from the personnel file. During the COVID-19 emergency, the CDC and EEOC have encouraged employers to question employees about travel, exposure or symptoms related to COVID-19. However, they have cautioned that medical information should be treated as confidential. If a positive case of COVID-19 is identified in the workplace, employers are encouraged to investigate exposure of others without disclosing individual names or other Personally Identifiable Information (“PII”). However, the ADA does not prohibit disclosure to state, local and federal health departments.

Based upon the above, it is clear that if you are a HIPAA-covered entity or an entity that has obtained confidential health information about its employees, prohibitions on disclosures of this information may be somewhat relaxed because of the health emergency presented by COVID-19.  As always, before disclosing any protected information, you should speak to a lawyer to confirm that the disclosure does not and will not violate your confidentiality obligations under HIPAA and/or any other law.   

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.
