HIPAA applies to protected health information (PHI). It involves individually identifiable information from an employer’s health plan records. It is not PHI when an employer gets medical information directly from an employee or provider. Here are some examples to illustrate the difference:
1. It is PHI
- The employer gets a list of employees from their TPA who have been vaccinated.
- An employer pulls a claims report to see who tested positive for COVID.
2. It is not PHI
- The employer conducts temperature checks on employees.
- The employer asks employees to provide proof of vaccination.
3. Why It Matters
HIPAA imposes all kinds of requirements on employers. There are requirements to report a breach of PHI. Employers are also restricted in how they can use PHI. For example, you can use PHI for plan administration, for things like claims adjudication or case management. You cannot use it for non-health-plan or employment-related purposes, at least not without authorization.
It is important to remember that just because information is not PHI doesn’t mean it doesn’t need to be protected or kept confidential. Other laws will probably come into play, such as the Americans with Disabilities Act.