As the United States continues to adapt to the new global Coronavirus (COVID-19) pandemic, organizations are increasingly under pressure to disclose health information relating to employees that have tested positive for COVID-19 and even those who tested negative for the virus. Some of this demand is driven by state and federal health authorities, who are ramping up their testing and contact tracing efforts to corral COVID-19. This will lead to an increased demand for data sharing of employees’ personal and health information.

If your business is not a health plan, a covered healthcare provider (such as a hospital, pharmacy or nursing home), or a healthcare clearinghouse, you may run a significant risk of violating employee privacy laws if you disclose employee health information. Organizations need to take proactive steps to protect their employees’ privacy, minimize potential regulatory exposure, and ensure the security of personal and protected health information from unauthorized disclosure.

“Covered entities” and “business associates”¹ regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) are permitted to disclose protected health information² to public health authorities³ without individual authorization.⁴ For example, a covered entity may disclose protected health information to the Centers for Disease Control and Prevention (“CDC”) “on an ongoing basis as needed to report all prior and prospective cases of [individuals] exposed to or suspected or confirmed to have Novel Coronavirus” without receiving explicit authorization. Likewise, covered entities may disclose an individual’s protected health information without an individual’s authorization when:

• The disclosure is needed to provide treatment;
• Such notification is required by law;
• First responders may be at risk of infection;
• Disclosure of protected health information to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.⁵ 

Except when required by law, covered entities must take reasonable efforts to limit the information disclosed to public health authorities to the minimum necessary to accomplish the purposes for the disclosure.⁶ 

The Office for Civil Rights (“OCR”) has produced a simple, yet helpful, disclosure of protection health information checklist (PDF) addressing requests from public health authorities.

While the Secretary of Health and Human Services may waive sanctions and penalties when the president declares an emergency or disaster, the HIPAA Security Rule obligations regarding administrative, physical and technical safeguards are still active and require continuous implementation irrespective of the public health emergency (e.g., COVID-19). Thus far, the limited waiver addressing HIPAA sanctions and penalties, as issued by the Department of Health and Human Services in March 2020, applies only to hospitals that have activated a disaster protocol related to COVID-19 and not to all covered entities or business associates.⁷

Organizations not considered to be a covered entity are not subject to HIPAA, but may be restricted by alternative state or federal privacy legislation that prohibits the disclosure of employee health information. You should consult with your privacy counsel before deciding to provide any employee health information to state and federal health authorities.

The Americans with Disabilities Act of 1990 (“ADA”) regulates an employer’s disability-related inquiries and medical examinations for all prospective and current employees, including individuals who do not have disabilities that fall within the scope of the ADA. Notably, the ADA prohibits employee disability-related inquiries or examinations unless such activities are job-related and consistent with business necessity. Guidance from the U.S. Equal Employment Opportunity Commission (“EEOC”) provides that “a disability-related inquiry or medical examination of an employee is job-related and consistent with business necessity when an employer has a reasonable belief, based on objective evidence, that: (1) an employee’s ability to perform essential job functions will be impaired by a medical condition; or (2) an employee will pose a direct threat due to a medical condition.”⁸ Accordingly, during the COVID-19 pandemic, an event that constitutes a direct threat, employers may ask employees to disclose whether they are experiencing influenza-like symptoms commonly associated with COVID-19.

Conversely, the ADA prohibits employers from asking employees to disclose whether they have a medical condition that may make the employee vulnerable to COVID-19 when such an employee is not experiencing any influenza-like symptoms. This limitation may be problematic for employers who are considering a partial re-opening in which they ask employees who may be particularly susceptible to COVID-19 to remain at home. An employer may ask whether an employee is symptomatic of COVID-19, but may not ask whether he or she has pre-existing medical conditions that might make the employee more or less likely to develop those symptoms.

All health information obtained from prospective and current employees must be kept as confidential information and should receive appropriate protection. Information regarding any medical condition, medical history, and information derived from inquiry or examination must be collected and maintained on separate forms and in separate medical files from prospective and current employees’ regular files.

Organizations regulated by the European Union’s General Data Protection Regulation (“GDPR”) may wish to review the specific COVID-19 guidance produced by each of national data protection authorities (“DPA”) in response to this crisis. The European Data Protection Board has indicated that anonymized data which does not allow for individuals to be identified in any way falls beyond the scope of GDPR.⁹ In addition, DPAs across the European Union and the United Kingdom have made clear that the sharing of employee health information with public authorities is permissible where required in order to comply with a legal obligation, as described in GDPR Articles 6(1)(c) and 9(2)(b).¹⁰ 

As the scope, scale and intensity of COVID-19 continues to change, so will the sphere of regulation and legislation promulgated by state and federal authorities. Stay informed with Kutak Rock’s COVID-19 and CARES Legal Resource Portal, or contact a member of our Privacy and Data Security group.

Data Sharing with Health Authorities During COVID-19

¹Covered entities are: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Business associates are a “[…] person or entity, who is not a member of the workforce and performs or assists in performing, for or on behalf of a covered entity, a function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule, involving the use or disclosure of individually identifiable health information, or that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information.” See, https://privacyruleandresearch.nih.gov/pr_06.asp (Accessed: May 4, 2020).
²Tests, diagnosis, treatments, and information associated with an individual’s COVID-19 status is considered to be a component of protected health information.
³45 CFR § 164.501, “Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.”
⁴ 45 CFR § 164.512(b)(1)(i).
⁵See, https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf (Accessed: May 4, 2020).
⁶45 CFR § 164.502(b).
⁷See, https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
⁸Pandemic Preparedness in the Workplace and the Americans with Disabilities Act (Updated March 21, 2020) https://www.eeoc.gov/laws/guidance/pandemic-preparedness-workplace-and-americans-disabilities-act (Accessed: May 4, 2020).
⁹See, https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf (Accessed May 10, 2020)
¹⁰For example, see, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/how-we-will-regulate-during-coronavirus/ (Accessed May 10, 2020)