With employers planning for employees to return to work following COVID-19–related closures, there are sure to be questions about sharing employee medical information as it relates to COVID-19 (symptoms, test results, status) within the workplace and with public authorities. Now may be a good time to review what has changed about federal privacy rules in light of the COVID-19 pandemic—and what hasn’t.

Of course, much remains the same. The privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establish very specific requirements on the use and disclosure of protected health information (PHI) by a very narrow set of entities—primarily, health care providers and health plans, such as employer-sponsored health plans. It is worth remembering that employers, acting in their roles as employers, are not subject to HIPAA. Similarly, employment records (e.g., leave certifications, Americans with Disabilities Act accommodation requests, and fitness-for-duty certifications) and workers’ compensation records are not subject to HIPAA. Therefore, many of the questions being asked by employers as a result of the pandemic are not governed by HIPAA’s rules.

However, when an employer acts on behalf of its health benefit plan, which is a HIPAA covered entity, or when the employer itself is a health care provider, then employers should be aware of new COVID-19–related guidance on existing HIPAA privacy rules.

Disclosures of PHI to First Responders

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released guidance on February 3, 2020, regarding disclosures of PHI to first responders such as law enforcement officials, paramedics, and public health authorities.

The guidance enumerates the circumstances under which a covered entity can share the name or other identifying information of an individual infected with or exposed to COVD-19. PHI can be shared with first responders in the following situations:

• “when the disclosure is needed to provide treatment” (such as to medical transport personnel);

• when state law requires reporting of confirmed or suspected cases;

• to notify a public health authority (such as the Centers for Disease Control and Prevention (CDC)) for purposes of preventing or controlling the spread of the disease;

• “when first responders may be at risk of infection” where the disclosure is authorized by law;

• “when disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public”; or

• when responding to a request by a correctional institution or law enforcement official with custody over an individual, if the request is related to health care treatment of the individual, safety, or the security or law enforcement of the correctional facility.

Except when required by law, a covered entity must make reasonable efforts to limit the information disclosed to the minimum amount necessary for the purpose of the disclosure.

Protecting Civil Rights During the COVID-19 Pandemic

In a bulletin released on March 28, 2020, OCR reminded covered entities of their civil rights obligations to protected classes under Title VII of the Civil Rights Act of 1964. These obligations include:

• providing effective communications to individuals who are deaf, hard of hearing, blind, have low vision, or have speech disabilities;

• providing access to programs and information to individuals with limited English proficiency;

• making emergency messages available in languages prevalent in the area and in multiple formats; and

• providing necessary accommodations to individuals with disabilities (while noting that accommodations are not required if they “fundamentally alter the nature of the program, pose an undue financial and administrative burden, or pose a direct threat” to health and safety).

OCR Enforcement Discretion for Public Health Disclosures by Business Associates

On April 2, 2020, the OCR issued a notification announcing that it would not impose penalties for certain HIPAA Privacy Rule violations by health care providers or their business associates for uses and disclosures of PHI made in good faith for the purposes of public health and health oversight activities during the pandemic.

OCR specifically states that business associates may provide data to health authorities including the CDC, Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers without risk of HIPAA penalties (HIPAA already permits health care providers to disclose PHI to health authorities). OCR’s enforcement discretion policy does not extend to any uses or disclosures of PHI by a business associate that are not for the purposes of public health or health oversight activities. Finally, the business associate must inform the covered entity within 10 days of the use or disclosure of its PHI.

OCR Enforcement Discretion for Telehealth Remote Communications

OCR also issued a notification of enforcement discretion for telehealth communications by health care providers. The agency is waiving penalties for HIPAA violations against health care providers communicating with patients through electronic information and telecommunications technologies during the COVID-19 pandemic. The policy applies to the provision of good-faith telehealth services and communications regardless of whether they directly relate to COVID-19. Communications technologies include widely available “applications that allow for video chats.” The enforcement discretion applies only to health care providers, and not to health insurers or health plans that merely pay for telehealth services.