Health Insurance Portability & Accountability Act (HIPAA)

Employers should remain mindful that employees’ medical information is confidential and should not be shared with others. If an employee tests positive or presumptively positive for COVID-19, the employer should not—under any circumstances—identify such employee. However, the employer can, and should, advise coworkers that an employee has tested positive, and should then follow the steps discussed above under the ADA and OSHA sections, including immediately physically separating the employee who has tested positive.

As you know, patients’ medical and health information (called “Protected Health Information” or PHI) is protected by HIPAA. The COVID-19 outbreak is raising new questions about employees’ rights to privacy under HIPAA and the protection of coworkers, customers, and others. Here is a quick breakdown on how an employer can comply with HIPAA and still keep other employees, customers and other persons safe.

• HIPAA protects an employee’s PHI but is balanced to ensure that appropriate uses and disclosures of such information may be made—even without the employee’s consent—when necessary to treat the employee, to protect the nation’s public health, and for other critical purposes;
• More specifically, employers may disclose, without an employee’s authorization, PHI about the employee as necessary to treat the employee or treat a different patient, such as providing information to health care providers and first responders;
• Employers may also disclose, without an employee’s authorization, PHI about the employee to a public health authority, such as the Centers for Disease Control or a state or local health department that is authorized by law to collect or receive such information;
• Employers may also disclose, without an employee’s authorization, PHI about the employee at the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority; and
• Finally, employers may disclose, without an employee’s authorization, PHI about the employee as necessary to persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the employer to notify such persons as necessary to prevent or control the spread of the disease or otherwise carry out public health interventions or investigations.

The employer that chooses to make any disclosure of PHI without the employee’s authorization must make reasonable efforts to limit the amount of information disclosed to that which is the “minimum necessary” to accomplish the purpose.

For additional information, please visit this link.