With the coronavirus disease 2019  (COVID-19) in the news, there is of course concern not only for personal safety for each other, but there are some regulatory implications as well.  Although this is not your typical employee welfare benefit plan topic, we wanted to address how your group health plans and HIPAA Privacy are affected by this public health concern.


The Privacy rules apply to covered entities (health plans, health care clearing houses and health care providers) and business associates working on behalf of the covered entity.

Hays clients typically sponsor one or more group health plans.  These include:

  • Medical
  • Dental
  • Vision
  • Health Flexible Spending Arrangements (Health FSA)
  • Health Reimbursement Arrangements (HRA)
  • Any other plan sponsored by the employer that provides care diagnosis or treatment.

Employers that sponsor a self-insured medical plan or an insured medical plan for which they receive protected health information (PHI) from the plan will have HIPAA Privacy compliance obligations.  Normally, there is no reason for an employer to receive individually identifiable health information from its group health plans.  Such information is referred to as PHI. Generally, the group health plan (or more practically, the insurance carrier or third-party claims administrator) is prohibited from disclosing PHI to the employer unless there is specific language in the health plan contract or document that allows for such disclosure, and then only if necessary, for specific health plan operation activities.

Under HIPAA, the group health plan (and by extension the claims payor) may disclose PHI:

  • For treatment (e.g. an individual’s PHI can be provided to a hospital that is treating the individual), payment (PHI may be disclosed to the claims payor) or health plan operations (plan administration functions).
  • To public health officials authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Employer Obligations

What happens if PHI that includes information on an individual’s status contains information identifying diagnosis of the coronavirus and that information is shared with the employer/plan sponsor?   

This could come from the medical plan, or even a health FSA report if it contains actual claims information. This information is subject to HIPAA, even if employees of the employer are authorized to receive PHI for health plan operations. If there is no operational need for this PHI do not ask for or accept it the information. Additionally, the employer may not take any employment or retaliatory action based upon PHI. These requirements apply to the use and disclosure of any PHI.

What if the employee share their own protected health  information with the employer?

The employer will most likely find out if an employee has had potential contact with the coronavirus or is infected with the coronavirus directly from the employee rather than through the group health plan.

What if the employee is requesting time-off for treatment?

Although not directly subject to HIPAA because it is coming from the employee and not the covered entity (health plan), this is still confidential information and may even be considered a request for leave, including protected leave under the Family Medical Leave Act (FMLA) or other applicable leave laws.


COVID-19 is a rapidly developing situation.  In those instances when the employer receives such information from the group health plan, the HIPAA Privacy controls still apply. The group health plan can disclose this information for public health reasons, but the employer may receive, use and disclose any PHI only as allowed under the Privacy rules.

For information on responding to the coronavirus in the work place go to: https://www.cdc.gov/coronavirus/2019-ncov/specific-groups/guidance-business-response.html

Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019 (COVID-19), February 2020.

Please be advised that any and all information, comments, analysis, and/or recommendations set forth above relative to the possible impact of COVID-19 on potential insurance coverage or other policy implications are intended solely for informational purposes and should not be relied upon as legal advice. As an insurance broker, we have no authority to make coverage decisions as that ability rests solely with the issuing carrier. Therefore, all claims should be submitted to the carrier for evaluation. The positions expressed herein are opinions only and are not to be construed as any form of guarantee or warranty. Finally, given the extremely dynamic and rapidly evolving COVID-19 situation, comments above do not take into account any applicable pending or future legislation introduced with the intent to override, alter or amend current policy language.

Interested in learning more? Connect with us today.