Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been protecting the privacy and security of defined health information. Understanding HIPAA is even more important, because as HR professionals, per HIPAA, we can’t disclose positive COVID-19 results, but still must protect our employees. HIPAA is defined by two rules:
- The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. This applies to health plans, health care clearinghouses and those health care provisions that conduct certain health care transactions electronically.
- The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by an organization. The HIPAA Security Toolkit Application is a self-assessment survey intended to help organizations better understand the requirements of the HIPAA Security Rule.
All employers, no matter if you are an organization of 1 or 10,000, are bound by HIPAA.
COVID-19 poses unique challenges to the privacy of health information: in a pandemic, people are more prone to share information about someone who has the virus, and the sheer number of people infected magnifies the problem. However, even COVID-19 does not alter the HIPAA Privacy and Security Rules, which restrict the disclosure of protected health information. The safeguards that protect employees’ health information apply to COVID-19 cases.
As an employer, you must provide guidance to leaders and employees on the importance of keeping employee health information private, even when the affected employee has voluntarily disclosed it. Particular protocols must be followed before this information is disclosed to others, including obtaining written consent to share it with parties who have a need to know.
If you have not yet secured your employees’ medical information, HIPAA provides the following guidance:
- All employee health information must be transmitted in a confidential manner. If you are still using a fax machine to transfer medical information, you must have a dedicated fax machine in a secured space that is accessible only to benefits or human resources professionals dedicated to benefits administration.
- If you are transmitting via email, secure the communication by password-protecting employees’ medical information and sending it only to those who administer benefits.
- Keep all health information separate from an employee’s personnel file. Recordkeeping requirements oblige employers to maintain a separate file for each employee’s medical/benefits information.
- Ensure that your leaders and employees understand the HIPAA privacy laws and their role in protecting an employee’s medical information. If you have not yet provided guidance to your workforce on the requirements under HIPAA, now is an excellent time to develop a communication plan and train.
COVID-19 is a rapidly developing situation, and whenever an employer receives information about an employee, whether from a group health plan or from the impacted employee, that health information must be protected.
For further information, please go to https://www.cdc.gov/coronavirus/2019-ncov/community/organizations/businesses-employers.html
HIPAA Compliance and COVID-19 Coronavirus, posted by HIPAA Journal on March 16, 2020