COVID-19 Employee Health Information: HIPAA Compliance Guide for Employers and HR
HIPAA Applicability to Employers
When HIPAA does and does not apply
HIPAA regulates how covered entities—health plans, most health care providers, and health care clearinghouses—and their business associates use and disclose protected health information. As an employer, you are not a covered entity when you collect or store COVID-19 details for workplace safety or leave management. Those employment records are not PHI under HIPAA, even if they contain medical facts.
HIPAA does apply when your organization operates or sponsors a group health plan. Information handled by that plan, its vendors, or a third-party administrator can be PHI. Keep a bright line between “employer” records and “health plan” records to avoid accidental HIPAA exposure.
Practical tests to determine scope
- If you received the information through your group health plan, treat it as PHI.
- If you gathered the information directly from an employee for workplace decisions, treat it as an employment record subject to other laws, not HIPAA.
- If a vendor processes plan data on your behalf, it likely needs a business associate agreement.
Other laws still matter
Even when HIPAA does not apply, the ADA, state privacy statutes, workers’ compensation rules, and public health orders impose their own confidentiality requirements. Build your COVID-19 practices to satisfy every applicable regime, not HIPAA alone.
Employer-Sponsored Health Plans Compliance
Core HIPAA obligations for plan sponsors
Employer-sponsored group health plans—especially self-insured health plans—must comply with the HIPAA Privacy, Security, and Breach Notification Rules. As the plan sponsor, you should ensure the plan has policies, designates a privacy and security official, trains workforce members who handle PHI, and applies the minimum necessary standard to routine uses and disclosures.
Firewalls between plan and employer functions
Establish a formal firewall so PHI does not flow into HR or management for employment decisions. Limit access to workforce members performing plan administration, document those roles, and amend plan documents to restrict PHI use to plan purposes. Never use PHI to make hiring, firing, or scheduling decisions.
Fully insured vs. self-insured considerations
For fully insured plans, your insurer carries most operational HIPAA duties. If you receive only enrollment and disenrollment information, or summary health information used to obtain premium bids or to amend or terminate the plan, your obligations are narrower (summary health information is not de-identified, so keep its use to those plan purposes). For self-insured health plans, you directly shoulder operational safeguards, vendor oversight, and breach notification readiness.
Vendor management and data handling
- Execute business associate agreements with TPAs, COBRA administrators, and wellness vendors that create, receive, maintain, or transmit PHI on the plan’s behalf.
- Review data flows for testing, treatment, and payment of COVID-19 services covered by the plan.
- Use de-identified or aggregated data whenever possible for plan analytics and communications.
Confidential Handling of Employee Health Information
Segregation, access controls, and need-to-know
Store COVID-19 medical details—test results, vaccination documentation, exposure reports—separately from personnel files. Limit access to a short list of HR or safety personnel with a legitimate business need. Maintain access logs and review them periodically.
Minimum collection and retention
Collect only what you need for workplace safety, leave eligibility, or implementing reasonable accommodations. Publish a retention schedule that aligns with legal obligations and your operational needs, then securely dispose of records when the retention period ends.
Using information appropriately
Use employee medical information to manage work restrictions, return-to-work timing, or accommodations, and share only what is necessary with supervisors to implement those steps. Avoid disclosing names or specific diagnoses beyond that need-to-know circle; doing so meets your confidentiality obligations and preserves employee trust.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Authorized Disclosure of Health Information
Disclosures from the group health plan (HIPAA context)
- Treatment, payment, and health care operations uses are permitted for PHI within the plan.
- Disclosures required by law, and disclosures to public health authorities for public health activities, are permitted; the minimum necessary standard applies to the public health disclosures (it does not apply to disclosures that are required by law).
- Share PHI with the plan sponsor only if plan documents permit it and solely for plan administration—not for employment decisions.
- Prefer de-identified or aggregated reports for leadership briefings.
Disclosures from employer-held records (non-HIPAA context)
- Under the ADA, you may disclose to supervisors or managers only the restrictions or accommodations an employee needs, not the underlying diagnosis.
- First aid and safety personnel may receive information if necessary for emergency treatment or safety planning.
- Government agencies may access information when investigating compliance or pursuant to lawful orders.
- When informing potentially exposed coworkers, protect the source’s identity to maintain contact tracing privacy.
Privacy in COVID-19 Screening and Testing
Design screenings that are job-related and necessary
Screening and testing programs should be tied to workplace risk and operational needs. Ask only targeted questions about symptoms, exposure, and work-readiness. Avoid open-ended medical histories or collecting family medical information, which can raise issues under GINA and other laws.
Limit data and secure the process
- Avoid retaining raw temperature scans or daily symptom logs unless they serve a clear purpose.
- Use secure intake methods, such as encrypted forms or privacy screens at entry points.
- Train screeners on confidentiality, do not conduct screenings in earshot of others, and route results to the minimal set of reviewers.
Testing and third-party providers
If your health plan pays for testing, PHI rules apply to that plan data. If your company contracts directly with a testing vendor outside the plan, set contractual privacy obligations, define what the vendor may share, and require secure transmission and storage. Keep employee identities confidential in communications beyond the need-to-know group.
Record-Keeping and Confidentiality Practices
Build a lean, defensible record
- Document the purpose for each category of COVID-19 data you collect and the lawful basis for holding it.
- Keep records only as long as required by law or policy, then destroy them securely: shred paper, and use verified erasure or destruction for digital media.
- Maintain separate repositories for employment records and plan PHI to prevent commingling.
Security safeguards and monitoring
- Apply role-based access, strong authentication, and encryption for stored and transmitted data.
- Log access and changes; review logs for anomalies.
- Adopt incident response and breach notification playbooks: the HIPAA Breach Notification Rule for plan PHI, and the relevant state breach notification laws for non-PHI employment records.
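The access review these safeguards call for (the plan/employer firewall from the plan-sponsor section, the need-to-know list, and the periodic log review) can be made concrete. The following is an added example, not code from the original article or from any vendor. It assumes two separate repositories (an employer-held COVID-19 record store and the group health plan's PHI store), an access log written as `timestamp key=value ...` lines, and a role roster maintained by HR and plan administration; the repository names, roles, user ids, and sample log lines are all constructed for illustration.

```python
"""Need-to-know review of access logs for segregated COVID-19 health records.

Added example for this page, not code from the original article or from any
vendor. It assumes two separate repositories (an employer-held COVID-19 record
store and the group health plan's PHI store), an access log written as
'timestamp key=value key=value ...' lines, and a role roster kept by HR and
plan administration. Repository names, roles, user ids and the sample log
lines are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed repository -> roles allowed to read it. Plan PHI is reachable only by
# workforce members performing plan administration; employer-held COVID-19
# records only by the designated HR/safety reviewers. Roles that make
# employment decisions (e.g. line_manager) appear in neither set.
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "plan_phi": {"plan_admin"},
    "covid_employment": {"hr_safety"},
}

# Actions on plan PHI that move data out of the repository. These are reported
# for minimum-necessary review even when the user is authorized, because
# leadership briefings should use de-identified or aggregated data.
EXPORT_ACTIONS = {"export", "download"}

# Assumed roster: user id -> roles held. Constructed for this example.
ROSTER: Dict[str, Set[str]] = {
    "plan.admin1": {"plan_admin"},
    "hr.safety1": {"hr_safety"},
    "mgr.ops1": {"line_manager"},
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    repo: str
    action: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    timestamp, *pairs = line.split()
    fields = {"timestamp": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def review_access_log(lines: List[str], roster: Dict[str, Set[str]] = ROSTER) -> List[Finding]:
    """Return one Finding per log entry that breaks need-to-know or the plan/employer firewall."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        ts = ev["timestamp"]
        user = ev.get("user", "<missing>")
        repo = ev.get("repo", "<missing>")
        action = ev.get("action", "<missing>")
        roles = roster.get(user)

        if repo not in ALLOWED_ROLES:
            findings.append(Finding(ts, user, repo, action, "access to a repository outside the reviewed set"))
        elif roles is None:
            findings.append(Finding(ts, user, repo, action, "user is not on the need-to-know roster"))
        elif not roles & ALLOWED_ROLES[repo]:
            findings.append(Finding(ts, user, repo, action,
                                    f"roles {sorted(roles)} are not permitted to access {repo}"))
        elif repo == "plan_phi" and action in EXPORT_ACTIONS:
            findings.append(Finding(ts, user, repo, action,
                                    "bulk movement of plan PHI; confirm it was de-identified or for plan purposes only"))
    return findings


# Constructed sample log: one compliant HR read, one compliant plan read, then
# a line manager reading COVID-19 records, an HR reviewer crossing into plan
# PHI, an account missing from the roster, and an export of plan PHI.
SAMPLE_LOG = """
2021-03-04T09:12:00Z user=hr.safety1 repo=covid_employment action=read record=emp-1042
2021-03-04T09:15:30Z user=plan.admin1 repo=plan_phi action=read record=claim-77
2021-03-04T09:20:00Z user=mgr.ops1 repo=covid_employment action=read record=emp-1042
2021-03-04T10:02:11Z user=hr.safety1 repo=plan_phi action=read record=claim-78
2021-03-04T10:05:00Z user=contractor9 repo=covid_employment action=read record=emp-2001
2021-03-04T11:00:00Z user=plan.admin1 repo=plan_phi action=export record=all
"""

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.user} -> {f.repo} ({f.action}): {f.reason}")
```

Run against the constructed log, the review reports the two compliant reads as nothing and flags the remaining four entries: the line manager's read (a role with no business need), the HR reviewer's read of plan PHI (a firewall crossing), the unrostered account, and the plan PHI export (authorized, but queued for a minimum-necessary check). The roster is the control point: when someone leaves the plan-administration role, removing them from `ROSTER` is what turns their next access into a finding, which is why the roster should be reviewed alongside the logs.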
Transparency with employees
Publish concise notices explaining what you collect, how you use it, who may see it, and how long you retain it. Clarity supports compliance and builds employee confidence in your confidentiality practices.
Compliance with State and Federal Laws
Key federal frameworks to align
- HIPAA applies to your group health plan and its vendors handling PHI.
- The ADA governs medical inquiries, confidentiality, and reasonable accommodations in the workplace, independent of HIPAA.
- GINA restricts collection of family medical history; avoid asking about relatives’ health when conducting screenings.
- FMLA and workers’ compensation rules affect documentation and disclosures related to leave and occupational illness.
- OSHA and similar safety regulations may influence what you record and how you protect workers.
State privacy and employment laws
Several states impose additional obligations on employee data, including notice, access rights, or special handling for health information. Check the states where you operate for sector-specific rules, data breach requirements, and retention mandates that may exceed federal baselines.
Public health orders and reporting
When a law or public health authority requires reporting, disclose only the minimum necessary to comply. Keep a record of the legal basis, what you disclosed, and to whom. Where not required, prefer de-identified or aggregated data to balance safety and privacy.
Governance, training, and oversight
- Map data flows across HR, safety, security, and the health plan to ensure the right regimes apply at each step.
- Train managers and screeners on ADA compliance, confidentiality requirements, and escalation procedures.
- Conduct periodic audits and tabletop exercises to test your safeguards and breach response.
Conclusion
Treat COVID-19 employee health information through two lenses: HIPAA for your health plan and employment/privacy laws for workplace records. Separate systems, limit access, disclose only what is necessary, and document your rationale. With clear governance and training, you can protect people, respect privacy, and meet your legal duties.
FAQs
Does HIPAA apply to employers managing COVID-19 health information?
HIPAA applies to your group health plan and its vendors, not to you in your role as an employer managing workplace records. Employment records—like screening results or accommodation notes—are typically not PHI, but they remain protected by the ADA and state privacy laws.
How should employers handle disclosure of employee COVID-19 status?
Share only what is necessary with a small need-to-know group. For workplace safety, notify potentially exposed employees without naming the positive individual. For plan-related matters, follow HIPAA, apply the minimum necessary standard, and use de-identified or aggregated data whenever feasible.
What are the record-keeping requirements for COVID-19 health data?
Collect the least amount of information needed, store it separately from personnel files, restrict access, and follow a written retention schedule aligned with legal obligations. Secure records with encryption, access logs, and incident response procedures, and dispose of them promptly when the retention period ends.
Can employers use employee health information for contact tracing?
Yes, you may use limited information to identify close contacts and implement safety measures, but protect contact tracing privacy by keeping the source anonymous, sharing only what contacts need to know, and retaining records only as long as necessary. If the health plan is involved, ensure HIPAA-compliant handling of any PHI.