23 Mar HIPAA Privacy Rule and the Coronavirus Outbreak
The U.S. Department of Health and Human Services (HHS) issued a bulletin to remind covered entities and their business associates that the HIPAA Privacy Rule’s protections still apply during a public health emergency, such as the current coronavirus (COVID-19) outbreak. The bulletin also outlines the different ways that patient information may be shared under the Privacy Rule during an outbreak of infectious disease or another emergency situation.
The Privacy Rule only applies to covered entities and their business associates, and not to employers. Covered entities include health plans, most health care providers and health care clearinghouses. In general, medical information that is provided to an employer directly by an employee is not subject to the Privacy Rule, although other federal and state privacy restrictions may apply, including the Americans with Disabilities Act (ADA). However, any medical information that employers receive from their health plans is subject to the Privacy Rule and generally cannot be used for employment purposes.