As employers have worked to limit the spread of COVID-19, leaders must constantly balance workplace safety and employee privacy. Though some privacy laws have certain flexibilities during a global pandemic, organizations must still follow certain procedures when collecting and using employee health information like COVID test results. But what are you allowed to disclose, and when, to ensure everyone’s safety?
Who Has to Follow HIPAA?
Lawmakers passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect patient privacy and prevent the disclosure of health information without the patient’s consent. Though the pandemic has made complying with this law more difficult for many overburdened healthcare organizations, it’s still important to understand and follow the HIPAA rules.
HIPAA applies to “covered entities,” which are health care providers, health plans, health care clearinghouses (organizations that process health information) and business associates of the covered entities. This would include employers that use a self-insured health plan. If you receive an employee’s health information as a self-insured health plan rather than as an employer, those test results are subject to HIPAA regulations.
A workplace testing program might also qualify as a group health plan. This means employers using their health plan to collect health information like COVID test results would also need to follow HIPAA. It can be a fine line when determining whether you as an employer are subject to HIPAA. Some Human Resources employees may be engaging with information subject to HIPAA, like collecting test results sent from a lab. Others who are making decisions about staff returning to the office based on those test results may not need to follow HIPAA, but they should be aware of other privacy laws.
Covered entities must develop privacy policies, train their workforce and take action if any employee violates these policies. Even if you are not a covered entity, you will likely need to train employees involved in any COVID testing or monitoring on these privacy policies.
HIPAA and COVID Testing Rules
Under HIPAA, covered entities cannot share protected health information (PHI) like someone’s COVID test results except in certain situations, such as public health activities. This means an organization can disclose COVID test results to public health authorities like state and local health departments or federal agencies. Covered entities can also disclose PHI for treatment and notification purposes or to prevent a serious safety threat, such as notifying individuals who may have been exposed to the virus. Covered entities are also required to notify patients in advance that they will disclose information for public health reasons in a Notice of Privacy Practices.
Don’t forget — HIPAA also applies to electronic health records. Covered entities are responsible for ensuring any electronic information, including COVID test results, is protected against security threats. BRIO’s COVID testing platform is HIPAA-compliant and secures data for employee privacy.
Receiving employee COVID test results
Even if your organization is not a covered entity, HIPAA still impacts your ability to receive your employees’ health information. Patients have to give written consent for a healthcare provider to share test results with you. We also recommend that you obtain written consent from the employee to share their test results if you plan to use them for contact tracing.
The only time a HIPAA-covered entity can disclose an employee’s test results to an employer without the employee’s permission is when the employer requested the test for work-related illnesses to comply with federal or state regulations. For COVID-19, this exception might apply to health care facilities to comply with government-mandated safety reporting, but it doesn’t apply in general situations where you might test employees to determine whether they can come into work.
Other Employee Privacy Considerations
Other laws protect individual privacy regarding medical information, such as the Americans with Disabilities Act (ADA). Under this law, employers must keep medical information like COVID test results in confidential files separate from personnel files.
Employers also can’t disclose the name of a worker who tested positive without the employee’s consent under the ADA. However, you can communicate a positive case to your workforce and alert individuals who were in close contact. The ADA has other implications for COVID testing and vaccination programs — read more about how the ADA impacts workplace COVID testing and mandatory workplace vaccinations.
In addition to legal requirements, communicate with your employees about steps you are taking to ensure their privacy to build trust around work-related COVID testing. Some employees may feel more comfortable getting tested if their privacy concerns are addressed, creating a safer and more positive work environment for everyone.
Brio’s easy-to-use, end-to-end diagnostic testing solution is completely HIPAA compliant. We’ve also cultivated a network of courier and lab partnerships that ensure fast, reliable results. Our easy-to-use dashboard gives employees the insights and results they need while also keeping their information safe.
Katrina Ballard writes about health, technology and education. She holds a master’s degree in public administration from American University.