When COVID-19 first began to spread in the United States, a recurring question we received was whether employers become subject to HIPAA by taking employee temperatures or collecting medical information. The answer generally is that HIPAA does not apply to employers, and that this medical information is instead subject to other laws, such as the Americans with Disabilities Act (ADA).
But the days of employers relying solely on temperature checks and questionnaires are behind us, as an increasing number of employers have launched COVID-19 testing programs. Employers who conduct COVID-19 testing of employees should consider whether their testing program qualifies as a "group health plan" under ERISA and HIPAA, creating new privacy, security, and breach notification obligations.
Employers May Not Be Subject to HIPAA Privacy Regulations, but Their Group Health Plans Are
The HIPAA privacy, security, and breach notification obligations only apply to "covered entities"—certain healthcare providers, health plans, and healthcare clearinghouses—and the "business associates" who handle protected health information on their behalf. HHS has always been open about the fact that the HIPAA privacy and security regulations do not regulate employers.
While an employer is not subject to the HIPAA privacy, security, and breach notification rules, a health plan is. And HIPAA defines "health plan" to include an employee "group health plan."
Under ERISA and HIPAA, an employer and its group health plan are considered to be separate legal entities. So, while an employer is not subject to HIPAA privacy, security, and breach notification regulations, the employer's group health plan usually is. And because group health plans are not living, breathing creatures, it typically falls on an employer as sponsor of the plan, or a third party administrator, to ensure that the group health plan is compliant with its HIPAA requirements.
Employers often do not want to be involved in complying with HIPAA. They may be "hands off" with respect to protected health information, relying on a third party administrator to handle the plan's protected health information and the associated HIPAA compliance obligations. This can help the employer avoid, for example, needing to build out a robust HIPAA Security Rule compliance program.
Is COVID-19 Testing a "Benefit" Under ERISA?
And then COVID-19 comes along, with more and more employers testing their employees. In fact, California has begun to legally require employers to provide free COVID-19 testing of employees in certain situations (see our blog Cal/OSHA Adopts Emergency COVID-19 Prevention Rule). Employee testing, however, might create ERISA and HIPAA issues.
ERISA defines a "group health plan" as an employee welfare benefit plan to the extent that the plan provides "medical care," which is defined as including "amounts paid for – the diagnosis … of disease." Paying for COVID-19 testing seems to qualify as paying for the diagnosis of disease. But is an employer's COVID-19 testing program an "employee welfare benefit plan?"
An employee welfare benefit plan includes any program that an employer establishes or maintains for the purpose of providing medical benefits. This takes us further down the rabbit hole to the question of whether COVID-19 testing, when the employer mandates the testing as a condition to return to the office, qualifies as a "medical benefit." Certainly, being required by your employer to wrestle a swab up your nasal passage in order to return to work, when you have no reason to believe that you have COVID-19, does not feel like a "benefit" at the time. But common sense and the law often diverge.
The Department of Labor has issued an advisory opinion that an employer paying for mandatory employee drug testing does not provide the employee "with benefits that are in the nature of medical benefits or benefits in the event of sickness." At first blush, COVID-19 testing seems closely analogous. It is mandatory testing intended to benefit the employer, rather than the employee.
But the 9th Circuit in Aloha Airlines, Inc. v. Ahue has held that FAA-mandated medical examinations of pilots, paid for by an employer, constitute a "medical benefit" that creates an ERISA plan. The court held that it is a medical benefit because it "provides the pilot with a direct and immediate assessment of his personal medical condition," notwithstanding that the purpose of the test is to ensure the safety of the general public.
This logic seems equally applicable to COVID-19 testing, which is focused on public safety but results in the employee learning if she likely has a specific medical condition. The court dismissed arguments that "medical benefits" under ERISA are limited to those that solely benefit the employee or that Congress intended to distinguish between voluntarily obtained benefits and compelled benefits.
When COVID-19 testing is compared to drug testing and FAA-mandated medical examinations, the latter seems to be the closer analogy. The medical examinations of pilots are focused on a medical condition. Drug testing, in contrast, is focused on whether the employee has taken drugs recently.
While we recognize that a substance use disorder also is a medical condition, drug testing does not identify whether someone has such a disorder—it may only show that an employee took a drug once recently. And while the mandatory medical examinations provide new health information to the pilot about any medical conditions, drug testing is not providing "new" information to the employee (unless the test is wrong or the employee does not realize that they have taken prohibited drugs). Accordingly, employers may find the holding in Aloha Airlines to be more on point than the Department of Labor guidance on drug testing.
If an employer treats COVID-19 testing as an employee medical benefit, then the employer may need to treat the testing program as a group health plan. Note that an exception may apply if the testing is done through an employer's onsite medical clinic, since an onsite clinic is an "excepted benefit" under ERISA and excluded from the definition of "health plan" under HIPAA.
On the ERISA side, the COVID-19 group health plan may need to be "wrapped" into a more general group health plan (the primary medical plan) in order to comply with Affordable Care Act requirements. An exception may be if the COVID-19 testing program is part of an employee assistance plan, which is an "excepted benefit" under ERISA (but, in contrast to onsite clinics, may not be excluded from the definition of "health plan" under HIPAA).
On the HIPAA side, the COVID-19 testing program, with respect to payment to a healthcare provider for the testing, may need to comply with the HIPAA privacy, security, and breach notification rules. This could require the employer to create a HIPAA Security Rule program with respect to the information.
To Illustrate the Point
Despite all this, it remains true that HIPAA generally does not apply to employers. Confusingly, HIPAA should not apply to an employer with respect to a COVID-19 testing program, other than with respect to payment to the healthcare provider who performed the testing. It is best to think about the COVID-19 testing program as involving three parties:
- (1) The lab that performs the testing;
- (2) The employer's group health plan (the COVID-19 testing program with respect to paying for the testing); and
- (3) The employer that receives the test results and makes employment decisions accordingly.
HIPAA usually applies to the lab (depending on its billing practices), in which case the lab usually would need a patient's HIPAA-compliant authorization to disclose the test results to the employer. HIPAA would apply to the group health plan that is paying for the testing (but which likely does not need to receive the test results). But HIPAA would not apply to the employer who receives the test results for purposes of making employment decisions. Instead, the employer will be subject to the ADA with respect to the test results, and may be subject to state laws such as Section 56.20 of the California Confidentiality of Medical Information Act.
To make this a bit more real, imagine an employer with two HR employees, Fred and Wilma. Fred is responsible for paying a lab to conduct COVID-19 testing of employees. Wilma is responsible for ensuring that only employees who have recently tested negative return to the office.
Fred will coordinate with the lab to learn who has been tested and to pay the lab accordingly. These exchanges between Fred and the lab may be subject to HIPAA, including HIPAA "transaction standards" that govern how requests for payment for healthcare are formatted. Fred's files showing who has received tests may be subject to HIPAA, including its Security Rule.
But Fred likely does not need to know the test results—only that the tests happened and were paid for. In contrast, Wilma does not need to know everyone who has been tested—she only needs to know the results for those who are seeking to return to the office. Her information likely is outside of HIPAA, but subject to the ADA and potentially other laws.
If you think that this is a lot to wrap your head around, you are not alone. COVID-19 testing programs raise very complex ERISA and HIPAA issues. Admittedly, reasonable minds will differ on how the laws apply. What is most important is that employers enter this space with eyes wide open, carefully analyzing what activities likely fall outside of HIPAA, and what activities may introduce new HIPAA obligations.
And next year, we are likely to see employer vaccination programs begin. These will likely raise many of the same issues, potentially creating ERISA and HIPAA obligations to the extent that an employer pays for vaccinations of employees.
This article was originally featured as a privacy and security advisory on DWT.com on December 11, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.