A common question from clients in the midst of the COVID-19 pandemic is if and how HIPAA applies to them, and whether they are permitted under HIPAA to use or disclose information with respect to an individual’s COVID-19 diagnosis and/or related health information.
For most businesses, the answer is that HIPAA — the Health Insurance Portability and Accountability Act — will not apply.
The health information privacy and security requirements under HIPAA apply to a limited group of covered entities, as well as certain entities that provide services to these covered entities, referred to as business associates.
Covered entities are generally certain health care providers, health insurance plans/companies and health care clearinghouses. Most businesses do not fall in these categories. (See a Chiesa Shahinian & Giantomasi client alert for more information regarding entities subject to HIPAA here.)
A business that is neither a covered entity nor a business associate may nevertheless have indirect HIPAA obligations with respect to employee health information, but only in the context of the employer’s group health plan. Such obligations would only exist with respect to information disclosed from the group health plan to the employer, and such disclosures are only permitted in certain limited circumstances.
Since an employer is most likely to learn of an employee’s COVID-19 diagnosis or related health information directly from an employee, HIPAA group plan obligations would not likely impact the employer’s disclosure of such information. (For additional information regarding employer group health plan obligations, see a CSG client alert here.)
Even when HIPAA applies to an entity, it does not apply to all health information held by the entity. It would apply only to information held in the context of the health care or other functions that make the entity a covered entity or business associate.
In particular, HIPAA would generally not apply to health information that a covered entity or business associate has in its role as an employer. This distinction is particularly important for a covered entity that provides health care services to its employees, where the covered entity wears both a health care provider and employer hat.
Consider the following: If an employer is a covered entity MRI diagnostic center and has provided medical treatment to one of its employees, health information disclosed by the employee to the MRI center employer and held in the employee’s personnel file (such as disability leave information) would not be protected by HIPAA. Health information held in the employee’s patient file would.
Therefore, an employee’s COVID-19 diagnosis and/or related health information disclosed to the employer in the context of employment would not be protected by HIPAA. Furthermore, there are exceptions that permit an entity directly subject to HIPAA to use or disclose a COVID-19 diagnosis or related health information for public health purposes.
The Office for Civil Rights at the U.S. Department of Health and Human Services issued guidance to covered entities and business associates with respect to HIPAA privacy and COVID-19 in its February 2020 Bulletin, which addressed the various exceptions that may apply.
For additional information pertaining to the coronavirus outbreak, please visit CSG’s COVID-19 Resource Center.
Nicole DiMaria is a member and practice group leader of the Healthcare & Hospital Group at Chiesa Shahinian & Giantomasi P.C.