To cope with the COVID-19 crisis, many employers are taking employees’ temperatures and asking them general health-related questions as they report to work. A relevant question that often arises in light of this activity is: How do the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to the information gathered?

Covered Entities

HIPAA’s requirements to safeguard protected health information (PHI) apply only to covered entities such as health care plans, health care clearinghouses, and most health care providers — not to employers acting in their capacity as employers. So, while the results of COVID-19-related temperature checks and information gathering must be maintained confidentially, HIPAA does not apply to the COVID-19-related information that an employer collects from employees. (If an organization is a HIPAA-covered entity, a similar analysis would apply to information maintained in its employment records).

Of course, HIPAA does apply to PHI related to COVID-19 that is created, maintained, received, or transmitted by a group health plan. This PHI generally cannot be disclosed to the plan sponsor unless the privacy rule’s prerequisites for such disclosures have been met. For example, in most cases, the PHI could be disclosed only to employees performing administration functions for the plan and could not be used for employment-related actions. Therefore, it is important to carefully document the source of employees’ COVID-19-related information.

Other Laws

The effect of other laws also should be considered. For example, the Americans with Disabilities Act of 1990 (ADA) prohibits an employer from subjecting employees to disability-related inquiries and medical examinations, except under limited circumstances. Although temperature checks are considered medical examinations, guidance from the Equal Employment Opportunity Commission (EEOC) states that employers may screen employees entering the workplace by taking their temperatures and asking them about symptoms (such as fever and shortness of breath) that might indicate the presence of COVID-19.

The EEOC’s guidance is specific to COVID-19 and is based on a finding that the presence of someone with the virus or related symptoms in the workplace would pose a substantial risk of harm to others. The EEOC’s guidance notes that, though HIPAA does not apply to employers per se, the ADA requires employers to safeguard the confidentiality of any medical information gathered. For instance, it should be maintained separately from employees’ personnel files.

Regulatory Compliance

As more and more employers across the country strive to fully get back to work, the threat of COVID-19 persists. Temperature checks and other health monitoring can help protect workers and customers, but it is important to keep regulatory compliance in mind. It is important to consult with a professional advisor on topics related to legal employment issues and compliance. Our human resources professionals can help – let us assist your business and protect your employees.