Post ID: @2xtt+1bBAnYMm, correct, HIPAA does not apply to private businesses, only to certain covered entities.
https://www.csglaw.com/the-covid19-pandemic-does-hipaa-apply-to-my-business
A common question from clients in the midst of the COVID-19 pandemic is if and how HIPAA applies to them and whether they are permitted under HIPAA to use or disclose information with respect to an individual’s COVID-19 diagnosis and/or related health information. For most businesses, the answer is that HIPAA will not apply.
The health information privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) apply to a limited group of entities, referred to as “Covered Entities,” as well as certain entities that provide services to Covered Entities, referred to as “Business Associates.” Covered Entities are generally certain health care providers, health insurance plans/companies and healthcare clearinghouses. Most businesses do not fall in these categories. See previous CSG client alert for more information regarding entities subject to HIPAA
A business that is neither a Covered Entity nor a Business Associate may nevertheless have indirect HIPAA obligations with respect to employee health information but only in the context of the employer’s group health plan. Such obligations would only exist with respect to information disclosed from the group health plan to the employer, and such disclosures are only permitted in certain limited circumstances. Since an employer is most likely to learn of an employee’s COVID-19 diagnosis or related health information directly from an employee, HIPAA group plan obligations would not likely impact the employer’s disclosure of such information. For additional information regarding employer group health plan obligations, see previous CSG client alert