QUESTION: An employee who called in sick reported to her supervisor that she had tested positive for COVID-19, and the supervisor notified Human Resources. Does HIPAA prohibit Human Resources from notifying coworkers who had contact with the employee so they can get tested?
ANSWER: HIPAA’s requirements to safeguard protected health information (PHI) apply only to covered entities (health plans, health care clearinghouses, and most health care providers), not to employers acting in their capacity as employers. So, HIPAA does not apply when employees self-report COVID-19 information to their supervisors or to Human Resources. (If your company is a HIPAA covered entity such as a physician’s office, a similar analysis applies to information maintained in the company’s employment records.)
Conversely, HIPAA does apply to COVID-19 information that is created, maintained, received, or transmitted by your company’s group health plan. This is PHI that generally cannot be disclosed to the plan sponsor unless the privacy rule’s prerequisites for such disclosures have been met. For example, in most cases, the PHI may be disclosed only to employees performing administration functions for the plan and cannot be used for employment-related actions. A firewall must be established between employees performing plan administration functions and all other employees to protect against the use or disclosure of PHI for employment purposes. Thus, if an employee inside the firewall learns that a particular plan participant has submitted claims to the health plan for COVID-19 treatment, then that information cannot be used for employment purposes without the participant’s authorization.
It is important to note that other laws may impose confidentiality requirements even when HIPAA does not apply. For example, the Americans With Disabilities Act requires that all medical information about a particular employee be kept confidential and stored separately from the employee’s personnel file. This requirement applies to medical information related to COVID-19, such as employees’ statements that they have (or think they have) the disease. According to EEOC guidance, employers should make every effort to limit the number of people who know the names of employees with COVID-19. Due to the complexity of these laws, you should review their application with legal counsel.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXII.A (“What Information Is Protected?”), XXII.B (“Which Entities Must Comply?”), and XXIII.C (“Sharing PHI and Electronic PHI With Plan Sponsors”). See also EBIA’s Group Health Plan Mandates manual at Section XVI (“COVID-19: Mandated Coverage and Other Requirements”).
Contributing Editors: EBIA Staff.