As the Coronavirus Disease 2019 (COVID-19) pandemic grows, employers and others may be wondering how the public health emergency created by the outbreak affects information protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The short answer: All HIPAA protections continue to apply. Accordingly, employer-sponsored health plans, which are “covered entities” subject to HIPAA, must continue to adhere to HIPAA’s privacy and security rules and may not use or disclosure protected health information (PHI) in a manner not already provided for under HIPAA in the absence of an applicable exception issued by the U.S. Department of Health and Human Services. As a reminder, PHI that an employee obtains when carrying out an administrative function for the plan generally cannot be shared with the employer. For example, if in the process of performing auditing activities for the employer-sponsored health plan, an employee learns that the plan has provided coverage for the COVID-19 treatment for an employee’s child, that information is PHI and the employee is prohibited from sharing that information with the employer.
The U.S. Department of Health and Human Services Office for Civil Rights recently issued a Bulletin to remind covered entities of their continuing compliance requirements and the circumstances under which PHI may be disclosed without an individual’s authorization, including:
- Treatment, when necessary to treat the patient or a different patient by one or more health care providers.
- Public health activities, including disclosure to a public health authority such as the