Here’s a question from one employer about how the pandemic may affect HIPAA requirements.
Q. Due to COVID-19, our company is planning to take employees’ temperatures and ask them general health-related questions as they report to work each morning. Does HIPAA apply to the information we obtain from employees?
A. HIPAA’s requirements to safeguard protected health information (PHI) apply only to covered entities (health plans, health care clearinghouses, and most health care providers), not to employers acting in their capacity as employers. So, while the results of COVID-19-related temperature checks and health questions must be maintained confidentially, HIPAA doesn’t apply to the COVID-19 information that your company collects from employees. (If your company were a HIPAA covered entity, a similar analysis would apply to information maintained in the company’s employment records.)
Of course, HIPAA does apply to PHI related to COVID-19 that is created, maintained, received, or transmitted by your group health plan. This PHI generally cannot be disclosed to the plan sponsor unless the privacy rule’s prerequisites for such disclosures have been met. For example, in most cases, the PHI could be disclosed only to employees performing administration functions for the plan and couldn’t be used for employment-related actions. Therefore, it’s important to carefully document the source of employees’ COVID-19 information.
The effect of other laws should also be considered. For example, the Americans with Disabilities Act (ADA) prohibits an employer from subjecting employees to disability-related inquiries and medical examinations, except under limited circumstances. Although temperature checks are considered medical examinations, guidelines from the Equal Employment Opportunity Commission (EEOC) state that employers may screen employees entering the workplace by taking their temperatures and asking them about symptoms (such as fever and shortness of breath) that might indicate the presence of COVID-19.
The EEOC’s guidance is specific to COVID-19 and is based on a finding that the presence of someone with COVID-19 or related symptoms in the workplace would pose a substantial risk of harm to others. Although HIPAA doesn’t apply, the EEOC’s guidance notes that the ADA requires employers to safeguard the confidentiality of the medical information, which must be maintained in medical files separate from employees’ personnel files.