Not being a covered entity would keep a random manager using PHI for labor relations bullying from falling afoul of minimum necessary/access and uses policy stuff; but PHI in the hands of a non-covered entity suggests either a successful inferential attack or a HIPPAA violation on the part of a covered entity.
My guess would be a fairly basic inferential attack; when dealing with a class of procedures that often have deliberately visible effects and aren’t terribly cheap it’s a plausible guess that insurance would be used if available. Given the weaksauce requirements for stripping individual identifiers from ‘Summary health information’ in the group disclosures to plan sponsors case that dataset might work as well; though random managers having it would be a lot skeevier(especially since it would look an awful lot like an attempt to sneak past the requirements imposed on plan sponsors using PHI for ‘plan administration functions’, which include not using it for any employment-related action or decision.
