The coronavirus (COVID-19) pandemic has changed our lives in ways we couldn’t even imagine only a week ago, with new mandates and developments happening by the day, hour and sometimes even minute. Employers are trying to figure out how to handle everything that is being thrown at them and how to deal with issues related to the coronavirus in their workplaces.
One of the laws that employers are often concerned with and have questions about is the Health Insurance Portability and Accountability Act (HIPAA). The law was created to better protect employees’ health insurance when they change or leave a job and to ensure the privacy and security of individuals’ protected health information (PHI).
And although HIPAA does come into play for employers in certain situations, it’s a law that most people are familiar with – even if they’re not aware of it – because they often encounter a HIPAA form when they go to a doctor’s office.
HIPAA, along with a lot of misconceptions surrounding it, has been brought to the forefront of many HR professionals’ minds since the COVID-19 threat emerged. Here are seven frequently asked employer questions about HIPAA privacy and the coronavirus. Although HIPAA does a variety of different things, most employers’ questions about the coronavirus and HIPAA revolve around its privacy rules, so that is what these FAQs will focus on.
1. What are HIPAA’s privacy rules?
HIPAA’s privacy rules are designed to safeguard protected health information. More specifically, HIPAA’s Standards for Privacy of Individually Identifiable Health Information set standards for protecting an individual’s medical information while also allowing the flow of information necessary to provide high quality health care.
The privacy rules provide standards for:
- The use and disclosure of PHI; and
- Individuals’ privacy rights so they know and understand how their health information is being used.
2. What is PHI?
PHI is individually identifiable health information that is maintained or transmitted by a covered entity or its business associate in any form (i.e., electronic, oral or written). It includes demographic data that relates to:
- An individual’s past, present or future physical or mental health or condition;
- Health care provided to the individual; or
- The past, present or future payment for health care that identifies the individual.
Individually identifiable health information includes common identifiers, such as an individual’s name, address, date of birth and Social Security number.
3. When do HIPAA privacy rules apply to employers?
Three specific groups are considered covered entities under HIPAA:
- Health care providers;
- Health care clearinghouses; and
- Individual and group health plans that provide or pay the cost of medical care.
Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
Health care clearinghouses process health information received from a third party from a nonstandard format to a standard format or vice versa (e.g., a billing service that is responsible for processing data).
The final group is the one where employers that aren’t in the health care field may be most likely to run into HIPAA since individual and group health plans include employer-sponsored health plans.
Additionally, HIPAA applies to business associates, which are third parties that perform services on behalf of covered entities involving the use and disclosure of PHI. Such activities may include:
- Claims processing;
- Billing services;
- Legal, accounting or consulting services;
- Utilization reviews; and
- Data analysis.
4. When would an employer encounter HIPAA privacy rules?
HIPAA does not specifically apply to employers when they are functioning in the role of employer. However, if an employer sponsors a health care plan for its employees, it may be required to comply with HIPAA privacy rules since the health plan is likely a covered entity.
This means, for example, if an employer acquires information about an employee being diagnosed with COVID-19 through its health plan, this information is generally going to be protected by HIPAA rules.
However, if a supervisor or HR representative finds out about an employee’s COVID-19 diagnosis because an employee calls in sick and reveals that information, then HIPAA would usually not be implicated. This is because the information did not come from the employer health plan, and the employer is not acting as a covered entity under HIPAA.
5. Does HIPAA still apply during an outbreak or pandemic?
Yes, HIPAA rules still apply during an outbreak or pandemic, but there may be some health disclosures that are allowed in certain circumstances.
6. During the COVID-19 pandemic, what types of health disclosures are allowed under HIPAA?
A recent bulletin from the US Department of Health and Human Services (HHS) provides some clarity on the application of the HIPAA privacy rules as they pertain to COVID-19. Under HIPAA, PHI may be used and disclosed “when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.”
According to the bulletin, PHI may be disclosed for the purpose of preventing or controlling disease, injury or disability, as well as at the direction of a public health authority (e.g., the CDC or a public health department) or to individuals at risk if authorized by law.
HIPAA also permits disclosures to family, friends and others identified by the patient as involved in the patient’s care and “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” The bulletin notes, “This may include, where necessary to notify family members and others, the police, the press, or the public at large.”
Otherwise, written authorization remains a requirement for “affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient.” PHI that is disclosed must be limited to the minimum amount needed. However, covered entities may rely on representations from public health authorities or public officials that the requested information is the minimum necessary for the purpose when such reliance is reasonable under the circumstances.
7. Besides HIPAA, are there other privacy concerns during the COVID-19 pandemic?
Regardless of whether HIPAA applies to you as an employer, there are other privacy laws and considerations that should be taken into account while dealing with the coronavirus pandemic, including:
- The Americans with Disabilities Act (ADA) and similar state and local laws;
- The Genetic Information Nondiscrimination Act (GINA) and similar state and local laws;
- Data privacy laws, such as the California Consumer Privacy Act (CCPA);
- State laws regarding data breach security notification; and
- Other various state privacy laws.