HIPAA Considerations When an Employee Tests Positive for COVID-19
The majority of mid-size to large employers sponsor self-insured health plans under the Employee Retirement Income Security Act (ERISA) and are considered covered entities under the Health Insurance Portability and Accountability Act (HIPAA), thereby subject to certain privacy and security requirements.[1] This creates a tension in the current pandemic between employee privacy rights under HIPAA and public health considerations, including protection of the workforce. It is important to understand HIPAA requirements and plan a course of action before the first employee tests positive for the novel coronavirus (COVID-19).
While rich with relevant information, an employer cannot release or use information gathered through its self-insured plan (such as claim diagnosis or test results). An employer should ask or strongly encourage its employees to self-report a positive COVID-19 result, but under current law, employees cannot be forced to disclose test results, whether they have been tested or a COVID-19 diagnosis. However, employers should make it very clear that for public health reasons, anyone with a positive test result should notify those with whom they have come into contact. By notifying human resources (or some other central contact point) and having them provide an anonymous message, the positive individual's identity is protected, while others in the workplace who may have been exposed receive this information and can take appropriate precautions. Any positive COVID-19 test in the United States is reportable by the clinical laboratory or healthcare provider to the applicable state Department of Public Health. The public health department (or the local police department) will then generally notify employers that one of their employees tested positive (usually without divulging the name). Once an employer gets notified from the police or public health department or from the employee of a positive COVID-19 test result, the employer has an obligation to notify the other employees in that office that a colleague (without specifically naming the individual) tested positive and each person should seek medical care if symptoms develop.
Lastly, unless the law changes (like through a future executive order), an employer does not have an obligation to report to public health if an employee advises them about a positive test.
Unfortunately, employees with COVID-19 infections will be happening soon – now is the time to develop and implement the plan for handling the information and informing the work force.
[1] Employers that purchase or offer commercial insurance are not subject to HIPAA requirements.
For more Day Pitney alerts and articles related to the impact of COVID-19, as well as information from other reliable sources, please visit our COVID-19 Resource Center.
Recommended
Day Pitney Technology Counsel Laura Land Himelstein's arrival to the firm was featured in the Law360 article, "In-House Tech Atty Returns to Private Practice at Day Pitney." She has joined Day Pitney in both the technology, telecommunications and outsourcing and the data privacy, protection and litigation practice groups, based in the firm's New York and Stamford offices.
Day Pitney Press Release
Day Pitney Alert
Day Pitney Alert
Day Pitney Press Release
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – September
Day Pitney Press Release
Day Pitney Litigation Partner Naju Lathia was featured in the article, "NJ, Attys Brace For Tech 'Evolution' in Litigation."
Day Pitney is proud to announce that two of our Connecticut-based attorneys and our Litigation department have been recognized by the Connecticut Law Tribune as part of their second annual New England Legal Awards. According to the publication, the awards recognize exceptional attorneys and firms from Connecticut, Maine, Vermont, New Hampshire, Massachusetts and Rhode Island across various legal domains.