The majority of mid-size to large employers sponsor self-insured health plans under the Employee Retirement Income Security Act (ERISA) and are considered covered entities under the Health Insurance Portability and Accountability Act (HIPAA), thereby subject to certain privacy and security requirements. This creates a tension in the current pandemic between employee privacy rights under HIPAA and public health considerations, including protection of the workforce. It is important to understand HIPAA requirements and plan a course of action before the first employee tests positive for the novel coronavirus (COVID-19).
While rich with relevant information, an employer cannot release or use information gathered through its self-insured plan (such as claim diagnosis or test results). An employer should ask or strongly encourage its employees to self-report a positive COVID-19 result, but under current law, employees cannot be forced to disclose test results, whether they have been tested or a COVID-19 diagnosis. However, employers should make it very clear that for public health reasons, anyone with a positive test result should notify those with whom they have come into contact. By notifying human resources (or some other central contact point) and having them provide an anonymous message, the positive individual's identity is protected, while others in the workplace who may have been exposed receive this information and can take appropriate precautions. Any positive COVID-19 test in the United States is reportable by the clinical laboratory or healthcare provider to the applicable state Department of Public Health. The public health department (or the local police department) will then generally notify employers that one of their employees tested positive (usually without divulging the name). Once an employer gets notified from the police or public health department or from the employee of a positive COVID-19 test result, the employer has an obligation to notify the other employees in that office that a colleague (without specifically naming the individual) tested positive and each person should seek medical care if symptoms develop.
Lastly, unless the law changes (like through a future executive order), an employer does not have an obligation to report to public health if an employee advises them about a positive test.
Unfortunately, employees with COVID-19 infections will be happening soon – now is the time to develop and implement the plan for handling the information and informing the work force.
 Employers that purchase or offer commercial insurance are not subject to HIPAA requirements.
For more Day Pitney alerts and articles related to the impact of COVID-19, as well as information from other reliable sources, please visit our COVID-19 Resource Center.
Day Pitney Data Privacy, Protection and Litigation co-chair William Roberts' discussion with attendees of the Connecticut Water Works Association workshop on being "Breach Ready," was featured in an article for In Flow- Line, the official publication for the CWWA.
Naju R. Lathia, White Collar and Commercial Litigation partner in the New Jersey office of Day Pitney and co-chair of Day Pitney’s Data Privacy, Protection and Litigation Practice Group, was featured in Diverse Lawyers Network newsletter for her South Asian Bar Association (SABA) North America Rising Star Award.