Employers sponsoring health plans need to be mindful of privacy concerns under Health Insurance Portability and Accountability Act (HIPAA).
The U.S. Department of Health and Human Services (HHS) recently published a bulletin reminding covered entities and business associates that the HIPAA Privacy Rule is still in effect during an outbreak of an infectious disease or other emergency situations. The HIPAA Privacy Rule protects individual Personal Health Information (PHI) and contains limitations on a covered entity’s ability to use and disclose information from a health plan to unwanted parties. HIPAA applies to health plans, business associates of covered entities, health care providers, and health care clearinghouses.
HHS’ bulletin highlights that HIPAA does allow disclosure of the minimum amount of protected health information (PHI) under certain circumstances, such treatment of the patient, to protect the nation’s public health, or where disclosure is necessary to prevent a serious and imminent threat to the health and safety of a person or the public. For any other reason than these listed, written authorization is required. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes.
Employers need to be mindful upon learning an employee, or dependents, is infected with COVID-19. Depending on circumstances as to how the information is obtained, different laws apply. If the information is obtained through administration of the employer-sponsored health plan, such as under a claim or diagnosis, then the HIPAA Privacy Rule will apply. The plan cannot release the information without authorization from the individual. If the employer learns an employee or dependent is infected in connection with its role as an employer, say via a sick leave request, the employer should be aware of employment-related laws, such as the Americans with Disability Act (ADA) or Family Medical Leave Act (FMLA,) which has separate confidentiality requirements.
According to the CDC,
if an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA). Employees exposed to a co-worker with confirmed COVID-19 should refer to CDC guidance for how to conduct a risk assessment of their potential exposure.”
Co-workers of the employee should be provided information that they may have been exposed to the virus, but the employer should not disclose that individual’s name, even if under the circumstance employees can figure out for themselves who the employee is.