COVID-19 and HIPAA: Employers’ Limited Privacy Obligations
March 17, 2020

While COVID-19 will require changes in day-to-day operations, companies – in an effort to protect their employees, customers, and business partners – must balance safety with privacy.  This article will cover some basic HIPAA terms and employers’ privacy obligations under that law.  

HIPAA’s Key Terms
Covered Entity: Covered entities include health plans, health care clearinghouses and health care providers. For example, covered entities include hospitals, health insurance benefits providers and health care practitioners. HIPAA’s privacy and security rules apply to covered entities.

Business Associate: Business associates are entities that have signed a business associate agreement with a covered entity. Business associates must comply with HIPAA’s privacy and security rules as stated in the business associate agreement. It is important to note that a subcontractor for a business associate usually signs an agreement extending the terms of a business associate agreement to the subcontractor. Accordingly, subcontractors of business associates will likely have to comply with the privacy and security obligations from a business associate agreement.    

Plan Sponsor: A plan sponsor is an employer that sponsors a health insurance plan for its employees. Plan sponsors do not qualify as covered entities, and generally HIPAA does not apply to plan sponsors. However, there are circumstances in which the health insurance plan sends employee health information to the plan sponsor or employer. When that happens, the plan sponsor (i.e., the employer) cannot compromise the privacy of that employee information or make employment-related decisions based on that information.

How Plan Sponsors (i.e., Employers) Can Protect Their Safety While Abiding by Privacy Obligations
Generally, HIPAA does not apply to employers (plan sponsors). However, if an employer or plan sponsor receives information that an employee may have travelled to or from a place affected by COVID-19, is susceptible to COVID-19, or is currently infected with COVID-19, this information must be treated as highly confidential. Employers must not disclose identifying information or information that would allow others to infer the identity of the affected individual. Employers must limit access to this information to essential personnel and consider having their legal department or privacy department be the first point of contact for this information. Ideally, one of those departments would conduct a privacy review and scrub identifying information before the information is passed on to Human Resources or the I.T. department.

Finally, employers should consult the 2009 EEOC guidance about pandemic preparedness. A copy of that guide is available at Section III provides a series of ADA-compliant practices for employers. Employers can also access guidance from the Centers for Disease Control (CDC) about how to manage COVID-19 here:

To discuss these or other related issues, contact Tomu Johnson at (801) 536-6903 or send an email to