When Does HIPAA Apply to Covid-19 Related Employee Information?
A recent Summit Webinar features a common question that employees have as they plan for a return to onsite work, “What COVID related employee medical information falls under HIPAA?”
HIPAA applies to protected health information (PHI). It involves individually identifiable information from an employer’s health plan records. It is not PHI when an employer gets medical information directly from an employee or provider. Here are some examples to illustrate the difference:
It is PHI
The employer gets a list of employees from their TPA who have been vaccinated
An employer pulls a claims report to see who tested positive for COVID
It is not PHI
The employer conducts temperature checks on employees
The employer asks employees to provide proof of vaccination
Why It Matters
HIPAA imposes all kinds of requirements on employers. There are requirements to report a breach of PHI. Employers are also restricted in how they can use PHI. For example, you can use PHI for plan administration, for things like claims adjudication or case management. You cannot use it for non-health-plan or employment-related purposes, at least not without authorization.
It is important to remember that just because information is not PHI doesn't mean that it doesn't need to be protected or kept confidential. Other laws will probably come into play, such as the Americans with Disabilities Act.
View the Summit Webinar Replay: Answering Employers’ Top Compliance Questions.