QUESTION: Due to COVID-19, our company is planning to take employees’ temperatures and ask them general health-related questions as they report to work each morning. Does HIPAA apply to the information we obtain from employees?
ANSWER: HIPAA’s requirements to safeguard protected health information (PHI) apply only to covered entities (health plans, health care clearinghouses, and most health care providers), not to employers acting in their capacity as employers. So, while the results of COVID-19-related temperature checks and health questions must be maintained confidentially, HIPAA does not apply to the COVID-19 information that your company collects from employees. (If your company were a HIPAA covered entity, a similar analysis would apply to information maintained in the company’s employment records.)
Of course, HIPAA does apply to PHI related to COVID-19 that is created, maintained, received, or transmitted by your group health plan. This PHI generally cannot be disclosed to the plan sponsor unless the privacy rule’s prerequisites for such disclosures have been met. For example, in most cases, the PHI could be disclosed only to employees performing administration functions for the plan and could not be used for employment-related actions. Therefore, it is important to carefully document the source of employees’ COVID-19 information.
The effect of other laws should also be considered. For example, the Americans with Disabilities Act (ADA) prohibits an employer from subjecting employees to disability-related inquiries and medical examinations, except under limited circumstances. Although temperature checks are considered medical examinations, EEOC COVID-19 guidance states that employers may screen employees entering the workplace by taking their temperatures and asking them about symptoms (such as fever and shortness of breath) that might indicate the presence of COVID-19. The EEOC’s guidance is specific to COVID-19 and is based on a finding that the presence of someone with COVID-19 or related symptoms in the workplace would pose a substantial risk of harm to others. Although HIPAA does not apply, the EEOC’s guidance notes that the ADA requires employers to safeguard the confidentiality of the medical information, which must be maintained in medical files separate from employees’ personnel files.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXII.A (“What Information Is Protected?”), XXII.B (“Which Entities Must Comply?”), and XXIII.C (“Sharing PHI and Electronic PHI With Plan Sponsors”).
Contributing Editors: EBIA Staff.
