The COVID-19 Pandemic – Does HIPAA Apply to My Business?

Last updated March 16, 2020

A common question from clients in the midst of the COVID-19 pandemic is if and how HIPAA applies to them and whether they are permitted under HIPAA to use or disclose information with respect to an individual’s COVID-19 diagnosis and/or related health information. For most businesses, the answer is that HIPAA will not apply.

The health information privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) apply to a limited group of entities, referred to as “Covered Entities,” as well as certain entities that provide services to Covered Entities, referred to as “Business Associates.” Covered Entities are generally certain health care providers, health insurance plans/companies and healthcare clearinghouses. Most businesses do not fall in these categories.

A business that is neither a Covered Entity nor a Business Associate may nevertheless have indirect HIPAA obligations with respect to employee health information but only in the context of the employer’s group health plan. Such obligations would only exist with respect to information disclosed from the group health plan to the employer, and such disclosures are only permitted in certain limited circumstances. Since an employer is most likely to learn of an employee’s COVID-19 diagnosis or related health information directly from an employee, HIPAA group plan obligations would not likely impact the employer’s disclosure of such information.

Even when HIPAA applies to an entity, it does not apply to all health information held by the entity. It would apply only to information held in the context of the health care or other functions that make the entity a Covered Entity or Business Associate. In particular, HIPAA would generally not apply to health information a Covered Entity or Business Associate has in its role as an employer. This distinction is particularly important for a Covered Entity that provides health care services to its employees, where the Covered Entity wears both a health care provider and employer “hat.”

Consider the following: if an employer is a Covered Entity MRI diagnostic center and has provided medical treatment to one of its employees, health information disclosed by the employee to the MRI center employer and held in the employee’s personnel file (such as disability leave information) would not be protected by HIPAA while health information held in the employee’s patient file would. Therefore, an employee’s COVID-19 diagnosis and/or related health information disclosed to the employer in the context of employment would not be protected by HIPAA.

Furthermore, there are exceptions that permit an entity directly subject to HIPAA to use or disclose a COVID-19 diagnosis or related health information for public health purposes. The Office for Civil Rights at the U.S. Department of Health and Human Services issued guidance to Covered Entities and Business Associates with respect to HIPAA privacy and COVID-19 in its February 2020 Bulletin, which addressed the various exceptions that may apply.

This publication contains general information on recent legal developments and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Attorney Advertising. Prior results do not guarantee a similar outcome.