As we begin to grapple with the unprecedented challenges arising out of the COVID-19 outbreak, a question that many employers are being faced with is this – what information can we disclose, and to whom can we disclose it, when some of it may constitute protected health information (PHI) covered by HIPAA?
As a general matter, the privacy restrictions mandated by HIPAA apply to covered entities and their business associates. Typically, this means medical providers and facilities. However, non-medical businesses may have some HIPAA obligations if they operate an onsite medical clinic or sponsor a group health plan that they are involved in administering. Outside of these categories, most businesses fall beyond the reach of HIPAA, practically speaking, for purposes of employee health-related disclosures (but note that there may be other state or federal laws – like the Americans with Disabilities Act – which limit disclosure of sensitive employee information).
Even if a business is involved in administering a group health plan or has an onsite clinic, HIPAA and its privacy regulations may apply, but only with respect to information disclosed by the group health plan or clinic in connection with their health care activities. As such, health information received by the employer directly from the employee and not through the plan or clinic will generally fall outside HIPAA’s protections.
As noted above, if your business, or a part of your organization, falls under the “covered entity” heading, HIPAA’s restrictions may apply to a potential disclosure. With that said, there are exceptions that may specifically apply to permit specific COVID-19 related disclosures. Among other examples, there is an exception under HIPAA relating to disclosures to prevent a serious and imminent threat to the patient or public. In recent guidance, the Department of Health and Human Services (DHHS) has stated that “[Covered Entities] may share patient health information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.” Further, covered entities may disclose patient information to “anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission.” [See February 2020 Bulletin].
The fact that the current COVID-19 crisis would fall under this exception was confirmed again yesterday by DHHS in a bulletin directly addressing COVID-19 and HIPAA. [See March 2020 Bulletin.] The bulletin addresses a host of waivers of HIPAA’s privacy restrictions in the context of the current outbreak—most of which pertain to covered entities like hospitals and similar facilities—as well as potentially applicable exceptions that are generally available under HIPAA. However, from an employer’s perspective, the “serious and imminent threat” exception is highlighted as an appropriate option, and businesses subject to HIPAA can use this exception to make COVID-19 disclosures if intended to protect the health and safety of an employee or the public (including your workforce).