What information can I disclose about employees who are ill with COVID-19?
All Health Insurance Portability and Accountability Act (HIPAA) rules and regulations apply, even in a public health emergency. Benefit plan administrators should be particularly careful. For those subject to HIPAA, an important provision to consider is 45 CFR 164.512(b), which deals with public health activities. In essence, it provides that if a public health authority requests information and has the statutory authority to request it, it is permissible to disclose the legally required information to that authority. The information must otherwise remain confidential and should not be disclosed to reporters, members of the county medical society, or others who might seek information from benefit plan administrators. It is always advisable to require those requesting the information to explain why the request is covered by a HIPAA exception, to ensure the disclosure is appropriate.
HR administrators may have more leeway than personnel governed by HIPAA, but to avoid potential liability for invasion of privacy torts or violations of the Americans with Disabilities Act, the Family and Medical Leave Act, the Families First Coronavirus Response Act paid leave provisions, and state and local paid sick leave laws, they should consult counsel before disclosing any health information, particularly if the information can be tied to individual employees. The employer must balance the ability of other employees to protect their health with the privacy rights of infected individuals. In general, employers can disclose that an employee has been diagnosed but should avoid identifying the ill employee by name and should be careful before providing any other specific information, particularly in small offices. As one example, the fact that an employee had a fever or other symptoms would be subject to ADA confidentiality requirements.
Where applicable, employers should also consider data privacy laws, such as the California Consumer Privacy Act (CCPA) and other state or local laws, and international ones like the General Data Protection Regulation (GDPR). Any decisions about the applicability of privacy laws or their exceptions should be made in consultation with counsel.
Last updated April 9
These materials are made available by Jackson Walker for informational purposes only, do not constitute legal or medical advice, and are not a substitute for legal advice from qualified counsel. The laws of other states and nations may be entirely different from what is described. Your use of these materials does not create an attorney-client relationship between you and Jackson Walker. The facts and results of each case will vary, and no particular result can be guaranteed.