To cope with the COVID-19 crisis, many employers are taking employees’ temperatures and asking them general health-related questions as they report to work. A cogent question that often arises in light of this activity is: How do the requirements of the Health Insurance Portability and Accountability Act (HIPAA) apply to the information gathered?
Covered entities
HIPAA’s requirements to safeguard protected health information (PHI) apply only to covered entities such as health care plans, health care clearinghouses and most health care providers — not to employers acting in their capacity as employers. So, while the results of COVID-19-related temperature checks and information gathering must be maintained confidentially, HIPAA doesn’t apply to the COVID-19-related information that an employer collects from employees. (If an organization is a HIPAA-covered entity, a similar analysis would apply to information maintained in its employment records.)
Of course, HIPAA does apply to PHI related to COVID-19 that’s created, maintained, received or transmitted by a group health plan. This PHI generally cannot be disclosed to the plan sponsor unless the privacy rule’s prerequisites for such disclosures have been met. For example, in most cases, the PHI could be disclosed only to employees performing administration functions for the plan and couldn’t be used for employment-related actions. Therefore, it’s important to carefully document the source of employees’ COVID-19-related information.
Other laws
The effect of other laws should also be considered. For example, the Americans with Disabilities Act (ADA) prohibits an employer from subjecting employees to disability-related inquiries and medical examinations, except under limited circumstances. Although temperature checks are considered medical examinations, guidance from the Equal Employment Opportunity Commission (EEOC) states that employers may screen employees entering the workplace by taking their temperatures and asking them about symptoms (such as fever and shortness of breath) that might indicate the presence of COVID-19. The EEOC’s guidance is specific to COVID-19 and is based on a finding that the presence of someone with the virus or related symptoms in the workplace would pose a substantial risk of harm to others. The EEOC’s guidance notes that, though HIPAA doesn’t apply to employers per se, the ADA requires employers to safeguard the confidentiality of any medical information gathered. For instance, it should be maintained separately from employees’ personnel files.
Regulatory compliance
As more and more employers across the country strive to fully get back to work, the threat of COVID-19 persists. Temperature checks and other health monitoring can help protect workers and customers, but it’s important to keep regulatory compliance in mind. Our firm can provide further information. © 2020