What are Employer HIPAA Violations?
Does HIPAA apply to employers? HIPAA requires covered entities and business associates to secure protected health information (PHI). PHI is individually identifiable health information that is used to communicate past, present, or future health, the provision of healthcare, or the payment for the provision of healthcare. Employers’ human resources departments often collect information on employees that may be considered PHI. However, if the information isn’t used for the previously mentioned purposes, the employer is not subject to HIPAA.
However, employers’ self-insured health plans do fall under HIPAA jurisdiction, since they would have access to PHI to administer the health plan. As such, the employer would be required to safeguard PHI. If the employer failed to safeguard their employees’ PHI, this would be an employer HIPAA violation.
Employer HIPAA Violations and COVID-19 Testing
The Equal Employment Opportunity Commission (EEOC) released guidance on employee testing stating that testing must be consistent with business necessity, mandatory medical tests must be job related, and tests should be reliable and accurate.
“Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others,” stated the EEOC.
Christopher Durham, an attorney with Duane Morris in Philadelphia, has made the following recommendations for employer COVID-19 testing:
◈ If employers decide to test employees for COVID-19, they must do so on a nondiscriminatory basis. This means that if an employer tests one employee, they must test all employees.
◈ Testing records must be confidential. If an employee tests positive, their identity cannot be revealed.
◈ Testing, screening, or inquiries that are not necessary to address potential direct threat are prohibited.
◈ If an employee has a medical condition that requires alternative testing, the employer must make accommodations for such testing.
◈ If an employee refuses testing, employers will need to consider how to handle an employee’s refusal. For example, the employer could refuse access to the worksite for employees that refuse testing.
◈ If an employee cannot access the worksite while waiting to be tested, or awaiting test results, there may be an obligation to compensate the employee under wage and hour laws for time spent waiting.
◈ Employees should be required to consent in writing to the screening.
◈ Employers should consider test accuracy when selecting a test to use.
◈ There should be predetermined conditions for an employee who tests positive to be able to return to the workplace.
◈ Employers must consider the implications of a positive test result (i.e., exposure implications for employees that may have come into contact with the positive employee in the days leading up to the positive test).