Key Facts About HIPAA Law and Employers During COVID-19

There have been a lot of questions lately about what local health departments and other COVID-related providers can and can’t do. Some of those questions are about what your employer can share with medical professionals and vice versa. The detailed answers depend on the state, but there are some overarching themes everyone needs to know. 

We hope you’re taking as many precautions as possible as an employer and you’ll never have to use this information, but it’s your duty to your employees to understand HIPAA law and the employer’s role in it. 

To help, we’re going over what information COVID medical professionals can collect, what you’re asked to provide to them as an employer versus as an individual, and what HIPAA considers personal health information, below. 

What is HIPAA? A (Very) Brief History

HIPAA stands for the “Health Insurance Portability and Accountability Act” and it came to be thanks to the rise of the internet. 

It was signed into law in 1996 by President Bill Clinton as an effort to reform American healthcare.

Part of the reason it was written was the development of electronic medical records, which had never been technically possible before. Since this was new technology, there were no specific laws governing it. 

HIPAA changed that. Not only did it set privacy standards for electronic medical records, but it gave patients more rights as well. 

The Four Rules of HIPAA

HIPAA has four core principles. They are that healthcare administration (whether private or public sector) must:

  1. Protect patient privacy information
  2. Use electronic and physical security for patient records
  3. Follow the “minimum necessary” standard for use and disclosure
  4. Allow patients access to their own medical information and allow them to approve specific uses of it.

To best protect patient privacy information, HIPAA created an official list of identifiers for PHI, or Protected Health Information. Similarly, it established IIHI, “individually identifiable health information”. The two are subtly different, but they serve the same purpose: conceal patient health information unless it’s absolutely necessary to reveal it. 

PHI or IIHI Examples 

Have you ever wondered if your doctor talks to their friends or family about their patients? They do – especially in these crazy COVID days. But to do so they have to conceal patient information – they can’t use any patient identifiers. 

Identifiers are anything that could distinguish one patient from another. Think of it like this – you’re out to dinner and you overhear a health professional describing an interaction with a patient. Identifiers are anything that could clue you into who they’re talking about. 

There are 18 identifiers; some of them are: 

  • Name
  • Dates
  • Address 
  • Email 
  • Record Numbers 
  • Images
  • Personal visible identifiers 
  • Social Security Numbers 
  • And more

Let’s go through an example, which we’ll go into in more depth later. 

You, as an employer, get a call from a county health department. They tell you they’re calling in regards to one of your employees who is positive for COVID. Which of the following is an appropriate HIPAA-bound transcript? 

A) Hi, I’m calling because your employee Bob Jones tested positive for COVID on September 19th. We want to make sure you isolate all the employees that worked with him. His last date of work was 9/10. 

B) Hi, I’m calling because one of your employees has tested positive for COVID-19. Their last day of work was 9/10 and they report having close contact with 5 employees and weren’t wearing a mask while at work. 

The correct answer is B. Even though it makes things a lot harder, medical providers cannot disclose which employee has tested positive for COVID. It’s up to the employee to tell you, the employer, about their positive result. 

The health department or medical entity can encourage the positive patient to alert their employer, but unless they’ve told you themselves, they can’t identify the patient. 

HIPAA Law and Employers During COVID: What Information Do You Have to Give?

So, let’s say you get the call above about a positive employee and you know who it is. As long as COVID has been designated a reportable disease in your state (which it has been in the majority of states), the medical professional has the right to request employee contact information for the close contacts of the case. 

You are required by law (again, depending on the state, but in most) to provide the names and phone numbers of the employees who worked with the positive individual while that individual was infectious and/or symptomatic. 

If the employee decides not to tell you they’re positive, it’s your duty to provide the health department or medical professional with a list of the people who worked during the specified time period in the specific areas where the positive patient worked. 

That conversation would sound like this: “The positive case reports that their last day of work was the 10th, that they were on the ground floor of the building all day, and that they interacted with all the usual ground-floor employees.”

You would then provide them with a list of everyone who works on the ground floor, and those employees would be isolated for two weeks to make sure they don’t develop the virus. 

Test Results, Isolation Letters, and Coming Back to Work 

Finally, let’s talk about your legal rights when it comes to excusing people from, and allowing them back into, the workplace. 

If a person is being isolated by the health department, the department is not allowed to specify the reason for the isolation. That would be a HIPAA violation. You will only see that they’re being isolated, the date they’re released, and who the letter is addressed to. 

Similarly, the Health Department or medical professional cannot send lab results to you as the employer. They can provide them to your employee, who can then share them with you if they see fit. 

Isolation letters are official state documents and must be accepted; a person cannot be penalized for being isolated. 

As for returning to work, most health departments are using the symptom-based clearance method: if the person meets certain criteria, they will receive a clearance letter with a clearance date. 

You, as an employer, are allowed to request negative test results before allowing your employee back to work, but keep in mind that laboratories all across the US are backed up and it could take up to a week for an employee to obtain their test result. 

Navigating These Difficult Times 

We hope the information above cleared some things up for you about HIPAA law and employers. If you have questions, you have the right to ask to call the medical professional back and to give HR or your company lawyer a call first. 

Want to learn more about HIPAA and how to fulfill your duties as an employer? Give us a call.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.