Employers may have HIPAA compliance concerns when using or disclosing employee health information to protect their workforce from the coronavirus. The HIPAA privacy rule requires “covered entities” to safeguard individuals’ protected health information (“PHI”) and sets limits on the uses and disclosures of PHI.

Although employers are not considered “covered entities” under HIPAA, their self-insured health plans (such as their self-funded medical plans and flexible spending accounts (FSA)) are subject to the law. In addition, employers with self-insured plans have access to their employees’ PHI. As such, employers must follow the HIPAA privacy rules when handling employee PHI.

This article discusses when employers can use and disclose PHI in relation to the coronavirus.


What is the HIPAA privacy rule?

The HIPAA privacy rule requires covered entities to protect individuals’ PHI and sets limits on the uses and disclosures of PHI.


What is PHI?

PHI is any individually identifiable health information created or received by a group health plan that relates to past, present or future health care or payment for health care.

Generally, medical information contained in employment records (and not accessed through the employer’s health plan) is not subject to HIPAA protections; however, other state and federal laws, such as the Americans with Disabilities Act (ADA), still require employers to keep this medical information confidential. For a more in-depth discussion of the ADA and the coronavirus, see our blog article.


How does the HIPAA privacy rule apply when an outbreak of infectious disease, like the coronavirus, occurs?

The Office of Civil Rights, Health and Human Services (HHS), recently released a bulletin that specifically addresses how to comply with the HIPAA privacy rule during the coronavirus outbreak. HHS emphasizes that the HIPAA privacy rule is not set aside during an emergency, but the rule does allow for the appropriate use and disclosure of information when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.


When can employers use and disclose PHI?

Employers who have access to PHI through their health care plans can disclose that information to certain individuals/entities under certain circumstances, as outlined below.

  • PHI can be disclosed without authorization:
    • to health care providers, if the disclosure is necessary to treat the individual (or another patient);
    • to a public health authority authorized to collect such information, such as the Centers for Disease Control (CDC) or state/local health care department, for the purpose of preventing or controlling the virus;
    • to a foreign government agency upon the direction of a public health authority; and
    • to individuals at risk of contracting or spreading the virus, if another law (such as a state law) authorizes the employer to notify these individuals and if done for the purpose of preventing or controlling the spread of the virus.
  • PHI can be disclosed with verbal authorization:
    • to an individual’s family members, relatives, friends, or other persons identified by the individual as involved in their care, for the purpose of notifying them of the individual’s location, general condition, or death. A prior authorization is unnecessary if the individual is incapacitated or unavailable and sharing the information is in their best interest; and
    • to disaster relief organizations, for the purpose of notifying family members of an individual’s location, condition or death. A prior authorization is unnecessary if doing so would interfere with the organization’s ability to respond to an emergency.
  • PHI can be disclosed to the media or public only with the individual’s written authorization.

If an employer does disclose PHI, they should make reasonable efforts to limit the information disclosed. Employers should only disclose what is the “minimum necessary” to accomplish the purpose.

As always, employers should consult with counsel to assess potential risk or to determine whether they can disclose PHI to third parties if the situation is unclear.


The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog.

Emerald Law – Emerald is a Client Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline benefits compliance. In her free time, Emerald enjoys stand-up comedy, live music and writing non-fiction.