April 5, 2020

April 03, 2020

Subscribe to Latest Legal News and Analysis

April 02, 2020

Subscribe to Latest Legal News and Analysis

What Employers Need to Know About HIPAA

As the COVID-19 pandemic continues to affect everyday business operations across the country, employers are confronting a variety of issues on how to handle these disruptions. The intent of this Legal Update is to educate employers about under what circumstances they are permitted to disclose information related to an employee’s or patient’s positive test for COVID-19 under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Americans with Disabilities Act (“ADA”).

It may be difficult in some circumstances to discern whether health information was received by an employer through its ordinary status as an employer or through its status as a self-insured health plan. Employers should take care in making this determination based on the facts and circumstances of each situation and seek legal counsel as needed.

Covered Entities under HIPAA

  • HIPAA defines “Covered Entities” to generally include health care providers, health plans, and health care clearinghouses.

  • Covered Entities may not disclose protected health information (“PHI”) unless permitted by HIPAA. An individual’s health status related to testing positive for COVID-19 is considered PHI.

  • One permitted disclosure under HIPAA is that Covered Entities may disclose PHI to public health authorities to the extent relevant to the authority and purview of public health authorities. This includes disclosing positive test results for COVID-19 to state and local health departments, HHS, or the CDC as appropriate.

  • Covered Entities may not disclose PHI to the media.

  • Unless an employer is otherwise a Covered Entity as described above, it is not subject to HIPAA’s restrictions on disclosures of PHI.

Confidentiality under the ADA

  • The ADA requires employers that obtain medical information through inquiry or examination to maintain it in a confidential medical file and keep it separate from the employee’s personnel file.

  • Employers have been encouraged by the CDC and EEOC to question their employees regarding travel, exposure, or symptoms related to COVID-19. Any medical information disclosed as part of this dialogue should be treated as confidential.

  • If a positive case is identified in the workplace, the employer is encouraged to investigate the exposure of others in the workplace without disclosing the name of the individual or any personally identifiable information about the person.

  • The confidentiality requirements under the ADA do not prohibit disclosure to state, local, or federal health departments.

Employers with a Self-Insured Health Plan

  • Notwithstanding the discussion above regarding employers, a self-insured employee health plan maintained by an employer is a Covered Entity under HIPAA (i.e. the plan itself, not the employer, although we acknowledge this distinction is difficult to make for most employers). As a result:

    • If the employer obtained the information through its status as a plan (i.e., as the payer for the employee’s health care services), then such information is PHI and subject to HIPAA (see first bullet above for Covered Entities).

    • If the employer receives the information in the ordinary course (e.g. voluntary disclosure by the affected employee), then the second bullet above regarding employer permitted disclosures is applicable.

©2020 von Briesen & Roper, s.c

TRENDING LEGAL ANALYSIS


About this Author

Ryan Siehr, von Briesen Law Firm, Milwaukee, Corporate and Health Care Law Attorney

Ryan Siehr is an attorney in the Business Practice Group and serves as chair of the Health Information Privacy and Security Section. Ryan advises hospitals, multi-institutional health care systems, physician groups and specialty providers regarding a variety of transactional health care related matters, including acquisitions, physician agreements, and equipment and office space leasing arrangements. Ryan focuses on assisting these entities with HIPAA compliance, including developing policies and procedures and negotiating business associate, data use, trading partner,...

414- 287-1595