The HIPAA Privacy Rule is designed to regulate the use and disclosure of personal health information in the context of health insurance coverage and healthcare provision.

First, note that HIPAA applies only to ‘covered entities’ and ‘business associates.’ Specifically, the HIPAA Privacy Rule applies only to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Generally, covered entities are health plans, health care clearinghouses, and certain health care providers, while business associates perform specific services for covered entities that provide access to personal health information (‘PHI’), that is, individually identifiable health information that is maintained or transmitted by a covered entity.

Secondly, note that HIPAA applies only to Protected Health Information (‘PHI’). When a covered entity creates or receives ‘health information’ that identifies a specific individual, it is PHI. Health information refers to information that relates to an individual’s medical condition, the provision of medical care for that individual, or the payment for that individual’s medical care. The term is broad enough to pick up health coverage option (e.g. HMO or indemnity) or category (e.g., single/family), enrollment, and premium payment information, as well as information relating to health condition and treatment.

To the extent an employer is not a covered entity, it is typically not subject to HIPAA’s privacy rule, but an employer may unintentionally fall under HIPAA if it sponsors a group health plan from which it receives PHI. That is why there is an important exception from the definition of PHI for individually identifiable health information in employment records held by a covered entity in its role as employer. This information includes records needed for the employer to carry out its obligations under the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA), and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick-leave requests, drug screenings, workplace medical surveillance, and fitness-for-duty tests of employees.

The ultimate result is that most employers will not fall under HIPAA. But be aware that there may be other state or federal rules that apply.

Fortunately, in an outbreak of an infectious disease such as coronavirus, HIPAA-covered employers will have the same freedom as HIPAA-excluded employers to share employee information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public–consistent with applicable law. This means an employer may disclose an employee’s health information to anyone in a position to prevent or lessen the serious and imminent threat, including family, friends, co-workers, caregivers, and law enforcement, without an employee’s permission.

As to what determines the nature and severity of a threat to health and safety, HIPAA expressly defers to the professional judgment of health professionals.