- Many employers are or will be implementing new safety protocols to prevent the spread of novel coronavirus 2019 (COVID-19) at the workplace.
- Some employers are planning to screen employees for possible COVID-19 symptoms or exposure and are concerned about the Health Insurance Portability and Accountability Act (HIPAA).
- HIPAA’s privacy and security rules apply to “covered entities,” including employer-sponsored health plans. Employers who are not also covered entities (e.g., a healthcare provider is itself a covered entity) are not subject to these rules.
- HIPAA generally does not apply to employers in their capacity as employers, such as workplace safety activities. Therefore, health information collected by an employer for reasons unrelated to its group health plan – such as health screening results to return to work – is not PHI and is not subject to HIPAA.
- However, other federal and state laws may apply to using and disclosing employee medical information, and employers should carefully safeguard such information as a best practice.
Many employers are currently reopening, or preparing to reopen, worksite locations that were forced to close due to COVID-19 pandemic. With the return to work, many employers are implementing new safety protocols to prevent the spread of the virus at the workplace.
Some employers plan to screen employees for possible COVID-19 symptoms or exposure. The screenings may include individual temperature readings, health questionnaires and even antibody testing. Given the sensitive nature of this type of health information, employers are understandably concerned about their compliance obligations – and legal exposure – under the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA’s privacy and security rules apply to “covered entities” – including employer-sponsored health plans – and certain health care providers and other entities. Covered entities must follow HIPAA guidelines to safeguard and maintain the confidentiality of protected health information (PHI).
Employers generally are not covered entities even though they might sponsor a group health plan that is a covered entity. Therefore, health information collected by an employer for employment purposes – such as workplace safety concerns – is not PHI and is not subject to HIPAA.
On the flip side, any testing or screening results (which will generally include PHI) provided by, or administered for, an employer group health plan could be subject to HIPAA. Also, HIPAA applies to a health care provider that may perform employee health screenings or testing. Consequently, employees must provide a written authorization to allow the provider to allow their PHI to be disclosed to employers.
Even if HIPAA does not apply to back-to-work testing, employers should note that other laws such as the Americans with Disabilities Act (ADA). The U.S. Equal Employment Opportunity Commission (EEOC), which enforces the ADA and other workplace anti-discrimination laws, has provided guidance and FAQs that may be useful for employers. Additionally, state privacy and confidentiality laws may also require special treatment of employee health information.
Aside from legal mandates, the best practice is to carefully safeguard and keep confidential employees’ personal health information and to strictly limit the use and such information for reasonable business purposes. Employers should consult with employment counsel before commencing health screenings at the worksite to understand the legal parameters that apply to their specific situation, strategy and location.
EPIC Employee Benefits Compliance Services
For further information on this or any other topics, please contact your EPIC consulting team.
Learn About Our Employee Benefits Compliance Services
EPIC offers this material for general information only. EPIC does not intend this material to be, nor may any person receiving this information construe or rely on this material as, tax or legal advice. The matters addressed in this document and any related discussions or correspondence should be reviewed and discussed with legal counsel prior to acting or relying on these materials.
Sign up for our Compliance Matters Newsletter
With this subscription, you’ll receive our monthly Compliance Matters newsletter, as well as special Compliance Alerts and invitations to our Compliance Webinars.