HIPAA and COVID-19: What Businesses and Employers Need to Know About Privacy as They Combat COVIDReynaldo Villar | 01.12.2021
While HIPAA regulations do impact how employers handle protected health information, the good news is that businesses have some latitude when it comes to COVID-19.The need to protect workers and workplaces has raised questions among many HR professionals and business leaders about the impact of HIPAA (Health Insurance Portability and Accountability Act) on new health policies and protocols companies are instituting. These concerns mainly revolve around issues of privacy as organizations and businesses take more precautions. The good news is that HIPAA and other applicable regulations are not a significant hindrance to businesses seeking to safeguard the welfare of their employees and visitors to their facilities.
Common Precautions Being Used by BusinessesUntil we develop an effective vaccine against the coronavirus, employers have two primary obligations as they continue to operate their facilities during the COVID-19 crisis:
- Take active steps to prevent COVID-19 from entering the workplace
- Take precautions to prevent COVID-19 from spreading in the workplace if it does enter
- Positive tests for COVID-19 infection
- Exposure to someone who has been infected with COVID-19
- Presence of symptoms associated with COVID-19
Organizational COVID Protocols and PoliciesThese screening procedures go hand-in-hand with the COVID protocols and policies that businesses are creating and adopting to properly care for employees who may be flagged during the screening process. COVID protocols typically require individuals who have been flagged during the employee COVID screening process to self-isolate or self-quarantine. The period of isolation depends on what they were flagged for during the screening process. A positive COVID-19 test result may require up to two weeks of isolation. Basic symptoms may require the employee to stay home until they’ve been cleared to return. Anyone who was in contact with the infected or symptomatic person should be alerted to reduce the spread of infection. Work policies will guide leave, reporting, and return to work after medical clearance. Following these CDC-recommended procedures means employers also need to comply with health information privacy laws.
Public Health Threat and Company DiscretionBecause COVID-19 is a public health threat, employers generally have more discretion on obtaining health information that is usually be limited under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Americans with Disabilities Act (ADA), and other privacy laws (JD Supra, 2020). In addition to screening for symptoms, for example, the CDC urges employers to ask employees whether they have a positive COVID-19 test, any possible exposure from personal contacts, or travel to high-risk areas. The CDC also encourages employers to ask if an employee’s age or medical history places them at high risk. Labor and employment law experts confirm that employers can legally ask employees for this information (Littler, 2020; National Law Review, 2020). Businesses and employers are given more leeway because this information is considered critical for risk assessment and planning for business continuity. This leads to the additional question of whether or not businesses and employers are bound by federal HIPAA laws that require that protected health information (PHI) be kept private and secure?
What About HIPAA and Privacy?HIPAA is a set of national standards and laws to protect the privacy and security of certain types of health information and grants rights to individuals (HHS, 2017). HIPAA requires that PHI be kept private and secure by any “covered health entity” namely health providers, health plans, and health clearinghouses that process health information as well as any business associates that assist these organizations with their work (HHS, 2017). Two of the main components of HIPAA are the Privacy Rule and the Security Rule.
- The HIPAA Privacy Rule requires that protected health information be kept private and only disclosed when necessary to deliver care or to facilitate payment for services.
- The HIPAA Security Rule requires that health information be stored and transmitted securely. This is especially important with the shift to electronic health records, digital platforms, and expansion of telehealth.
Are Employers Required to be HIPAA-compliant?The short answer is that “it depends.” Businesses and employers are generally not subject to the HIPAA guidelines because they are not considered a covered entity like medical practices, hospitals, health insurers, and their business associates (HHS, 2017). However, employers with a self-insured health plan are subject to HIPAA laws (HHS, 2017; National Law Review, 2020). Although HIPAA laws do not apply to most employers, there are privacy requirements regarding employees’ health information under the Americans with Disabilities Act (ADA) and state laws (Hamilton, 2020; Littler, 2020). Employers who operate in multiple states need to investigate local mandates. The EEOC has confirmed that the ADA bans employers from discriminating against employees based on a medical condition, including COVID-19 (2020). And various legal experts have likewise confirmed that the ADA protects workers by requiring employers to keep the identities of employees who have symptoms or have tested positive for COVID-19 confidential (Hamilton, 2020; Littler, 2020; National Law Review, 2020). The only exception is when an employer is reporting the infection to a public health agency. It is important to note that employment records are not covered under HIPAA, even when those records include health information (HHS, 2017). Regardless, employers are required to keep medical information in a secure file that is separate from the personnel file to be compliant with the ADA (National Law Review, 2020).
Guidelines on COVID-19 and Employee PrivacyEmployers are required to follow health information privacy laws on COVID-19 matters as outlined by federal and state laws. The CDC recommends appointing a workplace coordinator to handle COVID-19 issues. This role can assist with compliance during screening, reporting, and recording of employee health information. Legal experts can offer specific guidance on employer liability. The CDC, OSHA, and federal laws offer the following guidelines for employers:
- Employers may screen employees for COVID-19 symptoms, including taking actual temperature checks
- Employers can ask anyone who has symptoms or who have been flagged during the screening process to leave the workplace
- Medical information about an employee must be kept confidential and stored separately from their personnel file
- Employers may choose to require a COVID-19 test only if it is necessary for the employees’ work – or if it places others at risk
- Employers cannot require antibody testing in order to allow an employee to return to work
- Employers must continue to follow occupational safety and anti-discrimination laws
- If an employer utilizes a self-insured health plan, they must follow HIPAA laws on PHI.