COVID-19 Raises Privacy Issues for Major-League Baseball

After months of delay trying to address COVID-19 issues, the 2020 Major League Baseball (“MLB”) season finally opened Thursday night with the New York Yankees defeating the Washington Nationals, 4-1, and the Los Angeles Dodgers pulling away from the San Francisco Giants for an 8-1 victory. Because of the COVID-19 pandemic, this season – assuming it is not called off because of COVID-19 outbreaks – will be unlike any prior MLB season. The regular season has been reduced from 162 games to 60 games, the number of playoff teams was expanded from 10 to 16 teams, games are being played in empty stadiums, and players, coaches, and other staff are subject to extensive COVID-19 testing and daily monitoring.

As of July 17, 80 players have tested positive for COVID-19, 17 of which tested positive after teams began their workouts on July 1. Of those 80 players, the general public knows the identity of only 56 of them. Why only 56, especially since MLB clubs traditionally have disclosed details of a player’s injury? For example, when New York Mets pitcher Noah Syndergaard tore the ulnar collateral ligament in his pitching elbow in March, the Mets announced that Syndergaard had suffered the injury and would undergo Tommy John surgery. The Mets later announced that the surgery had been successful, and that Syndergaard was expected to pitch again at some point during the 2021 season.

MLB clubs are more tight-lipped about COVID-19 issues. MLB has effectively created a COVID-19 Related Injured List for players who have tested positive, have been exposed, or have shown symptoms of the COVID-19. The list does not differentiate between players who have tested positive and players who have been exposed to someone who has tested positive for COVID-19, and is not being published as a stand-alone list. Instead, players with positive COVID-19 testing or exposure status will be acknowledged on the normal injury report just like any other injured player. Their injury, however, will be described as an undisclosed injury, an illness, or a non-baseball injury. While naming a player to the injury list with a designation of “undisclosed” does open the door for public speculation regarding a player’s health status, the various designations on the list do not function to definitively confirm that a particular player has tested positive for or been exposed to the virus that causes COVID-19.

Why do MLB clubs disclose less about the status of a player who is missing games because of COVID-19 than a player one who is out for the season with a torn elbow ligament?

The simple answer is that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Americans with Disabilities Act (“ADA”) provide broad health privacy and confidentiality protections for players. Specifically, HIPAA and the ADA each restrict the clubs’ ability to publicize information about employee illness without permission.

How do HIPAA and the ADA Apply?

HIPAA applies to an MLB club in its role as a health-care provider to the players. HIPAA is a federal law that was created to protect sensitive patient health information and prevents disclosure of individual health information without such individual’s consent. This privacy rule generally applies only to specified types of covered entities and their associates. Covered entities include healthcare providers and group health insurance plans. Certain business associates and vendors of a covered entity can also be required to observe HIPAA’s requirements. Where an entity is either not regulated by HIPAA, or is subject to HIPAA, but has obtained individual consent, the federal privacy law does not prevent the disclosure of personal medical information. Because professional sports teams provide healthcare to their players via team doctors, they are healthcare providers under HIPAA. The terms and conditions of professional athletes’ employment, as documented in the applicable collective bargaining agreement, generally requires player consent to disclose individual medical information relevant to team status.

The ADA applies to an MLB club in its role as an employer. The ADA functions to prohibit employers from discrimination against employees on the basis of a disability and to require employers to treat all information about employee illness as a confidential medical record. While federal guidance indicates that COVID-19 status is unlikely to constitute a disability, the Equal Employment Opportunity Commission (“EEOC”) has made clear that employers must treat employee COVID-19 status as confidential.

Why is There Different Treatment?

An elbow injury and a positive COVID-19 test are treated differently because of HIPAA, the ADA, and MLB’s collective bargaining agreement and standard player contract.  MLB players and clubs must operate in accordance with the health information disclosure rules as currently codified under Article XIII.G.(1) of the collective bargaining agreement known as the 2017-2021 Basic Agreement (the “CBA”) and by Paragraph 6(b)(1) of each standard player contract, known as the Uniform Player’s Contract (“UPC”). Under these agreements, each player is required to execute a HIPAA-compliant authorization for the use and disclosure of health information about the player. By signing the UPC, the player authorizes disclosure of employment-related injuries. The UPC incorporates the relevant health information disclosure provisions of Article XIII.G. of the CBA, Section 4, which provide that:

[for] public relations purposes, a Club may disclose the following general information about employment-related injuries: (a) the nature of a Player’s injury, (b) the prognosis and the anticipated length of recovery from the injury, and (c) the treatment and surgical procedures undertaken or anticipated in regard to the injury.

If a medical condition, other than an employment-related injury, prevents a player from playing and the player has not provided the club with specific written authorization to disclose information about the medical condition, the club may disclose only that a medical condition is preventing the player from playing and the anticipated absence of the player from the club. COVID-19 status, therefore, is not deemed to be an employment-related injury that would allow an MLB club to disclose details regarding prognosis and treatment. Although a player may authorize a team to disclose his COVID-19 status, such authority is not automatic under either HIPAA or the documents governing the employment relationship. The ADA does not explicitly address employee authorization of an employer to disclose medical information, but does permit limited disclosure as necessary to respond to a request for reasonable accommodation.

In practical terms, this compliance with the HIPAA privacy and ADA confidentiality rules with respect to COVID-19 means that even if a player tests positive, the club or its staff may not disclose that to the public unless granted permission to do so by the player.   Any unauthorized disclosure could constitute a HIPAA violation, for which significant federal civil monetary penalties may apply if the U.S. Department of Health and Human Services investigates a compliant or performs a compliance audit. Additionally, a player might be able to bring a collective bargaining grievance, or to allege a breach of the employment contract.

Lessons for the Rest of Us

Of course, most businesses are not professional sports franchises with collective bargaining agreements providing HIPAA disclosure consent. The caution displayed by the MLB in avoiding the disclosure of player COVID-19 status, however, is a reminder to all employers with access to employee health information and records to carefully assess which health-related information disclosures may or may not be permitted under applicable law.


HIPAA is a complex health privacy law with multiple exceptions and with sometimes conflicting state law counterparts. Health care providers, employer sponsors of self-insured group health plans and their business associates are subject to its requirements and should take care to ensure that affirmative compliance actions are taken and maintained. Violations of these rules, as well as the inability to demonstrate operational and documented (written) compliance, can subject the health care providers, health plan sponsors, or their associates, to large civil, or even criminal, penalties.


For employers who, unlike MLB clubs, are not directly subject to HIPAA, it is important to remember that other laws provide separate protections for employee health information. Any information known to an employer regarding an employee’s disability or gathered as a result of an employer-provided medical examination (which can include taking a temperature) should remain confidential. Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA and EEOC guidance. Similarly, employers subject to the Family and Medical Leave Act (“FMLA”) or the Emergency Family Medical Leave (“EMFL”) provisions of the CARES Act must confidentially maintain any records and documents relating to employee (and family) medical certifications and medical histories and created for FMLA or EMFL purposes. The Genetic Information Nondisclosure Act (“GINA”) also requires employers to keep all genetic information, including information about an individual’s genetic tests, the genetic tests of a family member, family medical history, regarding employees confidential. The ADA, FMLA, EFML, and GINA all require that such records be stored separately from the usual personnel files.

If you have questions related to your business’s obligations under the ADA, FMLA, CARES Act, or GINA, or HIPAA, or seek attorney-client privileged review of your current compliance program, including as to HIPAA policies and procedures, please contact your regular OCHDL attorney or Pete Faust.