NOTE: This blog includes discussions and explorations of legal issues. The content is intended for educational purposes only, and is not intended to be legal advice. You should always consult with a licensed attorney before taking any action that could affect or impair your legal rights.
The Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments (“HIPAA”) have been discussed previously (see here and here). At times, navigating compliance through HIPAA can be complicated and convoluted, but a failure to understand it can have catastrophic results, as this article from Bloomberg Businessweek explains. The article is a bit of a lengthy read, so I will save you some time, as most of the length comes from including numerous instances of this problematic behavior occurring: many major companies are alleged to have ordered their employees to keep the fact that they tested positive for coronavirus, confidential, and to not disclose such status to the co-workers of these employees.
I’m going to set aside all other potentially applicable concerns (e.g., labor laws, workplace safety rules, etc.), to focus specifically on HIPAA issues that appear to be arising as a result of the novel coronavirus pandemic. There are certainly parts of HIPAA that can be straightforward, but there are also, undoubtedly complicated parts to it. Figuring out if, what, and how much HIPAA allows an employer to say about an individual employee’s diagnosis when it comes to the disease causing a global pandemic — without the employee’s consent, falls more into that latter (more complicated) category. Figuring out if, what, and how much HIPAA allows an employee to say about his or her personal diagnosis, falls into the former (pretty simple) category. HIPAA sets no limits on what an individual (i.e., an employee) is allowed to disclose about his or her own personal health care. That being said, a closer inspection might be required in situations where an individual is disclosing from whom they “caught” the virus (e.g., “I got coronavirus from my son-in-law/co-worker/patient/client, etc.”) because that could possibly lead to the disclosure of someone else’s PHI.
Nevertheless, a company that prohibits employees from disclosing to their co-workers that they have contracted COVID-19, under the auspices of “protecting an employee’s rights under HIPAA” is not in fact protecting any “right” of the employee. On the contrary, it only inhibits the employee from expressing a fact that he or she otherwise has a right to express. HIPAA could only possibly become a factor if the inverse happened: the company required employees to disclose their COVID-19 status. Employer policies that prohibit employees from disclosing their COVID‑19 status to their co-workers does not protect an employee’s privacy under HIPAA, it simply makes it more likely that fewer people (e.g., colleagues, regulators, press, customers, etc.) will be aware that an individual in proximity to them has tested positive for COVID‑19.
When it comes to stemming the spread of COVID‑19, it is less important whether such gag rules derive from nefarious intentions or a simple lack of understanding how HIPAA works, than it is to ensure that cases of COVID‑19 are identified, isolated, and treated. At least when it comes to HIPAA, there are no rules requiring employers to prohibit employees from simply self‑identifying their own COVID-19 status (but see above for potential issues that could arise from disclosing other information).