COVID-19 Employer Playbook

COVID-19 and PHI

Covered Entity Definition Reminder

Recall that the HIPAA Law applies only to Covered Entities which are defined to be one of three types: a health plan (employer group health plan, Medicare, Medicaid, etc.), a healthcare provider (doctors, hospitals, laboratories, pharmacies, etc.), or a healthcare clearinghouse. Separately, Business Associates of Covered Entities are now also considered Covered Entities.

Note that “employer” is not on the list of Covered Entity types. Employers are not, in fact, covered directly by the HIPAA Privacy rules. Rather, it is the group health plan of the employer that is subject to HIPAA.

What is PHI?

Protected Health Information is defined as any information that relates to:
• Past, present or future health condition (physical or mental)
• Provision of healthcare
• Past, present or future payment for the provision of healthcare

While this is a very general definition, it is important to remember that it only applies to health information that is held by or transmitted to or from a Covered Entity. When the Covered Entity is an employer health plan, this means it is any information that emanates from the group health plan. That would include all claims information, enrollment information, and election information. But remember, it does need to come from the health plan in order to be considered PHI.

Is a COVID-19 Diagnosis PHI?

So, in the employer context, PHI is confined to health information that comes from the group health plan. If an employee communicates that they or a family member are ill or have been diagnosed with COVID-19, this is not necessarily PHI. That said, if the source of that information is health plan records or from assisting the employee with claims or something related to the health plan, then the information would be considered PHI. General knowledge or being directly told that someone may have tested positive would not typically be considered PHI.

Still, Don’t Blab

While an employee’s direct sharing of information about COVID-19 testing or diagnosis for themselves or a family member may not be PHI, other employment confidentiality rules, as well as general common courtesy, should inform careful handling of all such sensitive information.

Employees May Share

The HIPAA rules are a one-way street. While employers are restricted in sharing the health information of employees, employees are not restricted from sharing their own health information. That includes sharing with anyone they choose and through any medium they choose, in person or on any form of social media.



© 2020 Vita. All Rights Reserved
