Healthcare providers struggle to know if and when they may disclose a patient's COVID-19 status to an employer. The analysis differs somewhat depending on whether the healthcare provider is acting solely in its capacity as a healthcare provider of the patient, or if the healthcare provider also happens to be the employer of the patient.
I. If Healthcare Provider is NOT the Employer.
- HIPAA Limits. Although the rules may change as the pandemic intensifies,[1] to date the Office for Civil Rights ("OCR") has repeatedly reaffirmed that there is no general COVID-19 exception to the HIPAA privacy rules; instead, "[i]n an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures." (OCR Bulletin: HIPAA Privacy and Novel Coronavirus (2/20) ("COVID-19 Bulletin"), available at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf). HIPAA generally prohibits healthcare providers from disclosing protected health information about a patient (including their COVID-19 status) to the patient's employer without the patient's authorization or an applicable HIPAA exception. (45 C.F.R. § 164.508(a)).[2] In its recent Bulletins,[3] HHS identified several potentially relevant exceptions including but not limited to the following; however, their application will depend on the facts surrounding the disclosure as well as applicable state law:
- Disclosures to Prevent a Serious and Imminent Threat. "Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and the provider's standards of ethical conduct." (COVID-19 Bulletin at p.4, citing 45 C.F.R. § 164.512(j)). This is potentially the most applicable exception in emergent situations, and the OCR seems willing to give it a fairly broad interpretation. For example, in the OCR's recent guidance allowing disclosures to first responders, the OCR stated:
HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.
(OCR, COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (3/20), available at https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf). Nevertheless, the OCR has stopped short of affirming that this exception applies in all COVID-19 cases; accordingly, there is some risk in relying on this exception when disclosing information to an employer, particularly without any evidence the patient intends to hide the diagnosis from the employer. Fortunately, however, "HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety." (Id.).
- Treatment. "Under the Privacy Rule, covered entities may disclose, without a patient's authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient." (COVID-19 Bulletin at p.3, citing 45 C.F.R. §§ 164.502(a)(1)(ii), 164.506(c), and the definition of "treatment" at § 164.501). There may be circumstances in which a provider is justified in disclosing a patient's information to facilitate the treatment of another patient, although such situations may be rare in the employment context.
- Public Health Activities. HIPAA allows disclosures "[t]o a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease…. For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV)." (COVID-19 Bulletin at p.3, citing 45 C.F.R. §§ 164.501 and 164.512(b)(1)(i)).[4] The exception also allows disclosures "[t]o persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations." (Id., citing 45 C.F.R. § 164.512(b)(1)(iv)). Accordingly, the provider may disclose the information to the employer if and to the extent state or local law authorizes such disclosures; otherwise, the provider should report COVID-19 cases to the local health department and let the health department contact the employer or others who may have been infected.[5]
- Authorization. A provider may disclose information to the employer if the provider has a valid HIPAA-compliant authorization from the employee authorizing the disclosures. (45 C.F.R. § 164.508). Furthermore, if the purpose of the provider's exam or test was to disclose information to the employer (e.g., a fitness-for-duty exam or a screening test), the provider may condition the test or exam on receipt of the authorization allowing the disclosure to the employer. (45 C.F.R. § 164.508(b)(4)(iii); 65 Fed. Reg. 82516 and 82658). The provider may not condition the treatment or require an authorization if the patient simply sought care for purposes unrelated to a disclosure to the employer. (45 C.F.R. § 164.508(b)(4)).
- Other Statutes. Providers must consider state laws in addition to HIPAA. To the extent that a state law is more restrictive than HIPAA, the provider must comply with the state law. Accordingly, if a state law prohibits the disclosure, the provider may not disclose the information even though HIPAA would otherwise allow it.
II. If Healthcare Provider IS the Employer.
- HIPAA Limits. In some cases, the healthcare provider who is testing or treating the patient is also the employer of the patient, i.e., the provider is testing or treating its own employees. In this situation, whether HIPAA applies depends on how the provider/employer obtained the information: whether the provider/employer obtained the information while acting in its capacity as a healthcare provider or health plan, or solely in its capacity as an employer.
- Information Obtained in its Capacity as a Healthcare Provider or Through the Employee Benefit Plan. If a healthcare provider obtained COVID-19 information about an employee through medical exams, tests or treatment provided by the healthcare provider/employer or by information obtained through the provider's employee benefit plan, then HIPAA applies to the information and the provider/employer may not use or disclose the information for employment-related purposes without the patient/employee's authorization or another HIPAA exception as described above. In its commentary to the Privacy Rule, the OCR explained the rule's operation:
a covered entity must remain cognizant of its dual roles as an employer and as a health care provider [or] health plan .... Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. It does not matter if the individual is a member of the covered entity's workforce or not. Thus, the medical record of a hospital employee who is receiving treatment at the hospital is protected health information and is covered by the [Privacy] Rule, just as the medical record of any other patient of that hospital is protected health information and covered by the Rule. The hospital may use that information only as permitted by the Privacy Rule, and in most cases will need the employee's authorization to access or use the medical information for employment purposes.
…. For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization.
(67 Fed. Reg. 53191, emphasis added). Applying the analysis to a COVID-19 patient/employee, if the provider/employer administers the test or treats the patient/employee, HIPAA prevents the provider/employer's use or disclosure of the information unless (1) the patient/employee authorizes the use or disclosure; (2) an appropriate HIPAA exception applies (e.g., to avoid a serious and imminent threat of harm, for treatment of other patients, or disclosures to public health authorities); or (3) HHS acts to allow disclosures during the COVID-19 pandemic.
- Information Obtained Solely as an Employer. In contrast to the foregoing situation, HIPAA generally does not apply to information obtained by a healthcare provider about its employees while the provider is acting solely in its capacity as an employer, and not as a healthcare provider or health plan. HIPAA defines "protected health information" to exclude information "held by a covered entity in its role as employer." (45 C.F.R. § 160.103). As the OCR has explained:
The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.
If you work for a health plan or a covered health care provider:
- The Privacy Rule does not apply to your employment records.
- The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.
(OCR, Employers and Health Information in the Workplace, available at https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html). The commentary to the HIPAA Privacy Rule includes the following:
Comment: One commenter asked for clarification as to how [HHS] would characterize the following items that a covered entity may have: (1) medical file kept separate from the rest of an employment record containing (a) doctor's notes; (b) leave requests; (c) physician certifications; and (d) positive hepatitis test results; (2) FMLA documentation including: (a) physician certification form; and (b) leave requests; (3) occupational injury files containing (a) drug screening; (b) exposure test results; (c) doctor's notes; and (d) medical director's notes.
Response: As explained above, the nature of the information does not determine whether it is an employment record. Rather, it depends on whether the covered entity obtains or creates the information in its capacity as employer or in its capacity as covered entity…. It is the function being performed by the covered entity and the purpose for which the covered entity has the medical information, not its record keeping practices, that determines whether the health information is part of an employment record or whether it is protected health information.
(67 Fed. Reg. 53191, emphasis added). Accordingly,
[w]hen the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. The covered entity as employer, however, may be subject to other laws and regulations applicable to the use or disclosure of information in an employee's employment record.
(Id. at 53192). As applied to COVID-19, if the healthcare provider obtained COVID-19 information about an employee solely through its function as an employer (e.g., an employee reported her test results or symptoms to a supervisor, or submitted COVID-19 as part of a request for leave), and not through rendering any healthcare to the employee or through information received through the employee benefit plan, then HIPAA would not apply to the information or the employer's use of the information. However, as the HHS commentary notes, other laws may apply as explained below.
- Employee Medical Examinations and Inquiries Under the ADA, and ADA and FMLA Confidentiality.
The Americans With Disabilities Act (ADA) generally prohibits medical examinations and inquiries of employees except when those examinations and inquiries are job-related and consistent with business necessity, which generally means when related to the employee's ability to perform the functions of the job.[6] Faced with the unique challenges of the COVID-19 pandemic, the Equal Employment Opportunity Commission (EEOC) has issued guidance stating that employers are permitted due to the pandemic to question employees about whether they are experiencing symptoms of the virus and to take employees' temperature, even though such steps may violate the ADA's prohibitions on medical examinations and inquiries under usual circumstances.[7] The agency has also approved sending employees home when they have symptoms and delaying start dates of applicants who have symptoms.
Information obtained through COVID-19 related examinations and inquiries remains subject to strict confidentiality requirements. The ADA and the Family and Medical Leave Act (FMLA) include identical confidentiality requirements applicable to employee medical information. Information resulting from a medical examination or inquiry conducted by or at the request of the employer, and any information obtained through FMLA certifications shall be maintained as confidential medical records in files separate from employee personnel files.[8] Both laws limit access to employee medical information, limiting use of such information to the following circumstances:
(1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations;
(2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and
(3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.[9]
Courts have interpreted these confidentiality requirements to apply to functional capacity examinations, fitness for duty and return to work assessments, doctor's notes and workers' compensation injury records.
These requirements will make it tricky for employers to communicate about the COVID-19 diagnosis of an employee in the workforce. This challenge is exacerbated by the requirements of the Families First Coronavirus Response Act that employers carefully document and track the reasons for employees' use of paid leave under the Act because one of the qualifying reasons requires an employee to be experiencing COVID-19 symptoms.
When an employee is diagnosed with COVID-19, employers need to take actions to monitor and protect coworkers who had been in close contact with the ill employee. While the ADA and FMLA prohibit disclosing an employee's medical information, under these pandemic circumstances, we advise employers to notify coworkers who had been in close contact of the fact that one of their unnamed coworkers has been diagnosed with COVID-19, direct the employees to medical resources for advice about their health care, and explain the leave options available by law or employer policy.
III. Conclusion. Despite the COVID-19 crisis, healthcare providers and employers are still expected to comply with laws governing patient and employee privacy. Absent a state law that requires disclosure or a serious and imminent threat of substantial harm, healthcare providers should generally report COVID-19 cases to the local health department, then work with the health department in addressing such concerns in the workplace. In the meantime, providers should continue to watch for possible changes to privacy laws as the pandemic escalates.
[1] Section 3225 of the CARES Act directs HHS to issue guidance on sharing protected health information during the current COVID-19 crisis. When issued, such guidance may affect disclosures to employers.
[2] See also 65 Fed. Reg. 82592 ("Covered entities may disclose protected health information about individuals who are members of an employer's workforce with an authorization."); id. at 82640 ("If the health care provider is a covered entity, then we require authorization for the provider to disclose protected health information to an employer."); OCR, Employers and Health Information in the Workplace, available at https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html ("The Privacy Rule controls how a health plan or a covered health care provider shares your protected health information with an employer…. [I]f your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so."). For more information about disclosing test results to employers, see https://www.hollandhart.com/hipaa-disclosing-exam-results-to-employers.
[3] See COVID-19 Bulletin; HHS, COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (3/20), available at https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf; and OCR, COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (3/20), available at https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
[4] Based on recent guidance from the OCR, business associates may also disclose protected health information for such public health activities even if their business associate agreement does not allow such. (HHS, Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (4/2/20), available at https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf).
[5] HIPAA contains certain other exceptions that would permit disclosures to employers, but they likely would not apply in COVID-19 cases. For example, HIPAA allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (45 C.F.R. § 164.512(b)(v)). In addition, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at § 164.512(l)).
[6] 29 C.F.R. § 1630.14(c)
[7] What You Should Know About the ADA, the Rehabilitation Act, and COVID-19,
[8] FMLA: 29 C.F.R. § 825.500(g); ADA: 29 C.F.R. § 1630.14(c)(1).
For questions regarding this update, please contact:
Bradley T. Cave
Holland & Hart, 2515 Warren Avenue, Suite 450, Cheyenne, WY 82001
email: firstname.lastname@example.org, phone: 307-778-4210
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: email@example.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.