ML BeneBits


Since the 2019 Novel Coronavirus (COVID-19) was first detected in December, the death toll has continued to rise as the virus quickly spreads. Centers for Disease Control (CDC) officials have stated that while the immediate risk of the virus to the American public is believed to be low at this time, US employers should more closely consider employee safety and ways to address disease prevention in the workplace.

We recently published a LawFlash that addresses employment law considerations surrounding these concerns. Here we take a closer look at privacy issues facing employers that provide self-funded or self-administered health benefits to their employees and therefore must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule.

Federal privacy laws, such as HIPAA, can create complexities for many plan sponsors as they attempt to weigh the privacy rights of an employee or dependent who has contracted COVID-19 against preserving public safety, including that of the employee’s or dependent’s co-workers, family, and friends.

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a bulletin on February 3, 2020, confirming that even in these situations, the protections of the HIPAA privacy rule still apply. Therefore, a group health plan must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The bulletin notes that while HIPAA protects the privacy of PHI, it does not preclude the use and disclosure of the minimum amount of PHI necessary to treat a patient (the employee or dependent), to protect the nation’s public health, or to prevent a serious and imminent threat to the health and safety of a person or the public.

Consult the following list, based on the relationship of an employee who has contracted COVID-19 and the individual(s) to whom this information will be disclosed, in order to maintain HIPAA compliance during the COVID-19 outbreak.

Family and Friends

Information about a COVID-19 patient can be disclosed to certain friends, family members, and other individuals involved in the care of that person. While this exception would generally only apply with respect to a healthcare provider, it makes clear that an employer, regardless of whether it is a covered entity under HIPAA, can share information about an employee’s or dependent’s location, general condition, or death, as necessary, to identify, locate, and notify family members, guardians, and other persons responsible for that person’s care.


Employers should always be wary of employee snooping, which poses a significant privacy risk, most of all for employers that are subject to the HIPAA privacy rule. We recommend using the curiosity and media presence surrounding COVID-19 as an opportunity to remind those employees with access to PHI of their responsibilities under HIPAA.

The Media

The media plays a large role in preserving public health and providing timely and accurate information about COVID-19 and the risk of contraction. However, the media and the general public are not covered by HIPAA mandates and therefore are not subject to HIPAA restrictions once they have information about an individual who has contracted COVID-19.

Therefore, to the extent that information concerning an employee or dependent who has contracted COVID-19 was not obtained solely through an employer’s role as such, HIPAA prohibits the disclosure of information regarding the employee or dependent’s condition to the media without his or her consent.

Public Health Authorities

In situations where individuals have contracted an infectious disease such as COVID-19, there is a legitimate need to share information with public health authorities and others responsible for ensuring public health and safety. Those entities may need PHI to allow them to carry out their mission, which is to protect the public from disease.

Accordingly, the HIPAA privacy rule contains exceptions that would permit employers to share information regarding employees or dependents who have contracted COVID-19 with state and federal public health authorities, such as the Centers for Disease Control and Prevention (CDC) and state and local departments of health.

With respect to all permitted disclosures of employee or dependent PHI, such disclosures are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which the information is disclosed.