COVID and Health Information Privacy


December 3, 2020  |  John Wiese


As COVID-19 case numbers in the US continue to coast at an all time high, we need to keep our safety guards up now more than ever. Though, as the winter season pushes us indoors and reports of a vaccine grow more promising each day, we may continue to see our infection numbers climb. With that in mind, let’s remind ourselves how to protect our employees from the virus, while also protecting the identities and health information of those who have contracted the virus. It is important that you know both your rights as an employer, and those of your employees.

First and foremost, it’s your responsibility as the employer to keep your employees protected from the coronavirus in the workplace. The CDC explicitly encourages employers to prevent and reduce transmission among employees and maintain a healthy work environment. A large part of that means educating employees about the transmission of the virus, and encouraging them to spot early signs of contraction. Employers would also do well to hone in on the stigma associated with coronavirus.

An employer’s response to COVID will set the tone for how employees will then respond to known cases, and subsequently how they may treat coworkers who contracted the virus. In the unfortunate event that an employee does contract the virus, employers should have a response ready. So what steps can you take to protect your employees from the virus, while protecting their health privacy?

ADA During the COVID-19 Pandemic

One of the most common questions we hear is: Do employees who have contracted COVID-19 fall under the protection of the Americans with Disabilities Act (ADA)? Short answer: yes. But certain stipulations of the act have been altered in the case of COVID positive employees. Employers are permitted to know more about their worker’s health than under normal circumstances for the sake of the wellbeing of their other employees. One thing that has not changed, however, is the requirement that employers keep employee health information completely private. ADA-covered employers may:

    • take the temperatures of their employees
    • ask employees who call in sick if they are experiencing symptoms of the virus (fever, chills, cough, shortness of breath, or sore throat)
    • question their employees regarding travel, exposure, or symptoms related to COVID-19, and  if  someone in their household was exposed to the virus
    • request a fitness-for-duty or return-to-work certification if an employee had been quarantined by a treating medical provider or public health official
    • investigate other potential workplace exposures while maintaining the absolute anonymity of the exposed employee
    • inform employees of a potential workplace exposure to COVID-19

All of this is operating under a need-to-know basis. An employer is only permitted to inquire about this health information or inform their employees about potential exposure if they work  in an in-person setting, and come into contact with one another or with clients/customers. More specifically, these inquiries are only permitted if an employee’s  health status could constitute a “direct threat” to the business. A “direct threat” is defined as a significant risk of substantial harm to the health or safety of the employee or others that cannot be eliminated or sufficiently reduced by reasonable accommodation.

What about Self-Insured Health Plans?

If we use a self-insured health plan, are we subject to HIPAA as it pertains to COVID-19? Short answer: yes. A Self Funded, or Self-Insured plan is when  the employer assumes the financial risk for providing health care benefits to its employees. In the rare case that an employer assumed the financial cost of employee health concerns, they are subject to certain HIPAA requirements. If the employer obtained an employee’s COVID status because of their relationship as the defacto health insurance provider, that information is considered personal health information (PHI). Thus, revealing an employee’s COVID information would not only constitute a ADA violation, but a HIPAA violation as well. Both ADA and HIPAA stipulate that any PHI should be stored separately from an employee’s personnel file and available to as few people as possible.

If you have more questions about how to keep compliant during the COVID-19 pandemic, we have no shortage of resources for you:

For any additional support, don’t hesitate to contact us!


ADAcompliancecovid-19hipaaPHI
COVID and Health Information Privacy
View bio

Stay up to date with our blog posts!

Subscribe