As the Coronavirus Disease 2019 (COVID-19) pandemic grows, employers and others may be wondering how the public health emergency created by the outbreak affects information protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The short answer: All HIPAA protections continue to apply. Accordingly, employer-sponsored health plans, which are “covered entities” subject to HIPAA, must continue to adhere to HIPAA’s privacy and security rules and may not use or disclose protected health information (PHI) in a manner not already provided for under HIPAA in the absence of an applicable exception issued by the U.S. Department of Health and Human Services. As a reminder, PHI that an employee obtains when carrying out an administrative function for the plan generally cannot be shared with the employer. For example, if in the process of performing auditing activities for the employer-sponsored health plan, an employee learns that the plan has provided coverage for the COVID-19 treatment for an employee’s child, that information is PHI and the employee is prohibited from sharing that information with the employer.

The U.S. Department of Health and Human Services Office for Civil Rights recently issued a Bulletin to remind covered entities of their continuing compliance requirements and the circumstances under which PHI may be disclosed without an individual’s authorization, including:

  • Treatment, when necessary to treat the patient or a different patient by one or more health care providers.
  • Public health activities, including disclosure to a public health authority such as the U.S. Centers for Disease Control and Prevention, disclosure to a foreign government agency at the direction of a public health authority, or disclosure authorized by state law to persons at risk of contracting or spreading a disease.
  • Disclosures to family, friends, and others who are involved in an individual’s care or as necessary to identify, locate, and notify family members, guardians or others responsible for the patient’s care.
  • Disclosures to prevent a serious and imminent threat to the health and safety of a person or the public, which are consistent with applicable law or the provider’s standards of ethical conduct.

It is important to remember that not all health information is subject to HIPAA. For example, if an employee is requesting a leave of absence and discloses that the reason for the leave is to care for a family member who has tested positive for COVID-19, that information is not protected under HIPAA. This is because the source of the information is not the health plan and the employer is not a covered entity; rather, it has the information in its capacity as an employer. However, the employer will want to confirm that another privacy law does not restrict the use or disclosure of such information.

Employer-sponsored health plans and related personnel must, therefore, continue to follow the HIPAA rules and ensure their business associates continue to maintain compliance and, prior to making any disclosures, carefully review the applicable HIPAA disclosure rules and coverage exceptions.