A recent federal lawsuit in Virginia illustrates both how far an employer can go in asking employees about COVID-19 diagnosis, as well as how far HIPAA law prevents such inquiries. In this case, the plaintiff, because of an incorrect belief about what constitutes a crime under HIPAA, lost his job. Is violating HIPAA a crime? Yes, but only in narrow circumstances.
Is Violating HIPAA a Crime: The Lawsuit
Employers generally have the right to ask their employees if they or family members have tested positive for COVID-19. This is because employers have an obligation to maintain a safe workplace that does not put the health of their employees at risk. Under HIPAA, covered entities are restricted in their ability to use or disclose protected health information (PHI), such as a COVID-19 diagnosis. Plaintiff’s employer, however, was not a covered entity, and therefore had the right to ask that Plaintiff reveal COVID-19 test results.
In March of 2020, Plaintiff Christopher Wells had been exposed to a family member who tested positive for COVID-19. His employer, Enterprise Leasing, learned of this through an anonymous source, not through Mr. Wells. Enterprise then informed Wells of the allegations, and asked Wells to discuss them. Wells stated that he planned to see a doctor the following week, but neither confirmed nor denied the allegation. Enterprise then asked that Wells keep it informed of Wells’ and his family members’ test results.
Wells refused. Enterprise then terminated Wells for insubordination. Wells then sued Enterprise in federal court, under a novel legal theory. According to Wells, HIPAA prevented him from disclosing his and family members’ COVID-19 status. Wells believed that had he disclosed his and his family’s COVID-19 test results, he would have violated a provision of HIPAA making disclosure of PHI without a crime, punishable by a fine, jail time, or both. He therefore argued that he had been wrongfully terminated for refusing to commit a criminal act. Wells filed suit for wrongful termination, seeking nearly half a million dollars in damages.
Is Violating HIPAA a Crime: The Court’s Decision
Is violating HIPAA a crime? Yes, if a covered entity or a member of a covered entity’s workforce knowingly discloses PHI to another person or entity not authorized to receive it. PHI is individually identifiable health information created or received by a healthcare provider that relates to the person’s past, present, or future physical or mental health condition. The court quickly determined that since neither Wells nor Enterprise were healthcare providers or business associates, Wells’ disclosure would not have been a crime. In other words, he would not have faced punishment by a fine of up to $50,000 or imprisonment for up to a year. The court then dismissed Wells’ lawsuit.
Is Violating HIPAA a Crime: What HIPAA Actually Says
The Court noted that HIPAA does not place any prohibitions on an individual disclosing their or a family member’s PHI, which includes a family member’s COVID-19 test results or the presence of COVID-19 symptoms. Enterprise simply asked Wells to make the disclosures; it did not force Wells to do so, nor did it prevent him from first obtaining his family members’ consent.
This is so because Enterprise did not command or coerce Wells to disclose his medical information. Nor did they request that Wells supply his family member’s medical information without the family member’s consent. In short, Wells was not asked to commit a crime, and was not directed to commit a crime. Therefore, he was not terminated for involvement in any HIPAA criminal activity.
This fact does not mean an employer is not bound by other laws when requesting COVID-19-related information. All types of employers must comply with the Americans With Disabilities Act (ADA) when requesting such information. The ADA permits employers to ask employees whether they have COVID-19. Under the ADA, employers must take reasonable steps to ensure the confidentiality of employee protected health information.
