HIPAA Privacy and Security in the Workplace During the COVID-19 Pandemic

When communicating with patients and providing telehealth services, some technologies used may not be fully compliant with HIPAA rules.

On March 17, 2020 the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it will waive potential HIPAA penalties in cases of good faith while using telehealth during nationwide COVID-19 public health emergency.¹

A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients, explained OCR.¹ The OCR is exercising its enforcement discretion not to impose penalties for non-compliance with the HIPAA rules in connection with the good faith provision of telehealth using such non-public facing or video communication products during the COVID-19 nationwide public health emergency.

The OCR notes that the HIPAA enforcement discretion applies to telehealth services provided for any reason regardless of whether the services are related to the diagnosis and treatment of health conditions related to COVID-19.¹

HIPAA-covered entities should note that the enforcement discretion does not apply to public-facing video communication platforms such as Facebook Live, TikTok and Twitch.¹ These public-facing video communication applications should not be used for providing telehealth.

Is COVID-19 a Disability Under the ADA?

Aside from HIPAA, you need to be concerned with other state and federal rules—most importantly, the Americans with Disabilities Act (ADA). Employers are also encouraged to consult guidance from the Centers for Disease Control and Prevention (CDC), the Equal Employment Opportunity Commission (EEOC), the Department of Labor (DOL), and HHS. Because the COVID-19 situation is dynamic, with new measures occurring each day, employers should consult with counsel for the latest developments and updated guidance on the topics.

The ADA generally prohibits medical examinations and inquiries of current employees unless such examinations or inquiries are job-related and consistent with business necessity. An examination or inquiry is job related and consistent with business necessity if the employer has reason to believe the employee may have a medical impairment that restricts the employee’s ability to perform essential job functions and/or may pose a “direct threat” of harm to the employee or others in the workplace. A “direct” threat is defined as a significant risk of substantial harm to the health or safety of the employee or others that cannot be eliminated or sufficiently reduced by reasonable accommodation.

An employee likely would not be deemed to pose a direct threat due to COVID-19 unless the employee is known to have contracted the virus, has come into close contact with someone known or likely to have the virus, or is exhibiting symptoms that may be associated with the virus. Employers may request a fitness-for-duty or return-to-work certification if an employee had been quarantined by a treating medical provider or public health official or the employer has placed the employee off work based upon reasonable objective evidence that the employee may pose a direct threat of harm in the workplace.

However, the certification should be narrowly tailored to seek information that is job-related and consistent with business necessity. Therefore, where the basis for seeking the medical information is rooted only in a belief that the employee may pose a “direct threat” of harm to others by spreading the virus but there is no indication of medical restrictions on the employee’s ability to perform essential job functions, the fitness for duty certification should be focused on whether or not the employee poses a direct threat in the workplace. A “direct threat” is defined as a significant risk of substantial harm to the health or safety of the employee or others that cannot be eliminated or sufficiently reduced by reasonable accommodations.

What Information Can We Share With Our Employees?

If an employee is confirmed to have COVID-19, employers should inform their employees of their possible exposure to COVID-19 in the workplace. Employers should not, however, disclose to coworkers the identity of the quarantined employee because confidentiality requirements under federal law, such as the ADA, may apply. Additionally, as virologic testing comes online, the Genetic Information Nondiscrimination Act of 2008 (GINA) may also prohibit the disclosure of the identity of the employee.²

Finally, in the State of Iowa, the attorney general has also expressed the opinion that an employee’s identity should not be disclosed. Linn County Public Health (LCPH) released a statement saying, “LCPH is in regular communication with the Iowa Department of Public Health (IDPH) regarding the information that is allowable to release, and IDPH states that it is confidential per the Iowa attorney general’s office.”³

A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s PHI to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent the employer needs that information to comply with OSHA, the Mine Safety and Health Administration (MSHA), or the requirements of state laws having a similar purpose. The information disclosed must be limited to the provider’s findings regarding such medical surveillance or work-related illness or injury. The covered health care provider must provide the individual with written notice that the information will be disclosed to his or her employer (or the notice may be posted at the worksite if that is where the service is provided).⁴

Waivers to HIPAA Regulations During the COVID-19 Pandemic

On March 15 the Secretary of the Department of Human and Health Services, announced a limited HIPAA waiver is in place covering the following provisions of the HIPAA Privacy Rule:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care⁴
• The requirement to honor a request to opt out of the facility directory⁵
• The requirement to distribute a notice of privacy practices⁶
• The patient’s right to request privacy restrictions⁷
• The patient’s right to request confidential communications⁸

Note: the waiver only applies in areas covered by the public health emergency, only for hospitals that have implemented their disaster protocol and only for a period of 72 hours from implementation. When either the presidential or secretarial declaration terminate, hospitals must then comply with Privacy Rule requirements for patients still under their care even if 72 hours have elapsed.

Disclosures to Law Enforcement and First Responders

In certain cases, HIPAA permits such sharing without the individual’s authorization. Guidance published by the Office for Civil Rights on March 24, 2020 includes several examples of situations where HIPAA would not require patient authorization, including:⁹

• Disclosure for treatment, such as to emergency medical transport personnel who will provide treatment while transporting the individual to the hospital.

• Disclosure to a first responder conducting a public health investigation who may have been exposed to COVID-19, or who may be at risk of contracting or spreading COVID-19.

• Disclosure to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, such as disclosures to fire department personnel, or others who are charged with protecting the health or safety of the public, if:
  o There is a belief, in good faith, that the disclosure is necessary to prevent or minimize the threat of imminent exposure.
  o The disclosure is made to someone they believe can prevent or lesson the threat.
  o The disclosure is consistent with applicable law and standards of ethical conduct.

When first responders may be at risk of infection:
• A covered entity may disclose protected health information (PHI) to a first responder who may have been exposed to COVID-19, or who may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify people as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.⁴

When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public:
• A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.¹⁰

When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:
• providing health care to the individual,
• the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or people responsible for the transporting or transferring of inmates,
• law enforcement on the premises of the correctional institution; or
• the administration and maintenance of the safety, security, and good order of the correctional institution.

For example:
• HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility.¹¹
Under these examples, a covered entity should not post the contents of such a list publicly, such as on a website or through distribution to the media. A covered entity under this example also should not distribute compiled lists of individuals to EMS personnel, and instead should disclose only an individual’s information on a per-call basis. Sharing the lists or disclosing the contents publicly would not ordinarily constitute the minimum necessary to accomplish the purpose of the disclosure (i.e., protecting the health and safety of the first responders from infectious disease for each particular call).
• A 911 call center may ask screening questions of all callers—for example, their temperature, or whether they have a cough or difficulty breathing—to identify potential cases of COVID-19. To the extent that the call center may be a HIPAA covered entity, the call center is permitted to inform a police officer being dispatched to the scene of the name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use personal protective equipment (PPE) to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation.

Under this example, a 911 call center that is a covered entity should only disclose the minimum amount of information that the officer needs to take appropriate precautions to minimize the risk of exposure. Depending on the circumstances, the minimum necessary PHI may include, for example, an individual’s name and the result of the screening.

Updates

This article is valid as of the date of publication. Remember, because the COVID-19 situation is dynamic, with new measures occurring each day, this information will need to be updated as new relevant guidance is published. Nonetheless, employers should consult with counsel for the latest developments and updated guidance on the topics. As such we encourage you to consult guidance by the CDC, the EEOC, the DOL, and HHS. With this rapidly changing situation and new guidance occurring daily, employers should monitor guidance from regulatory agencies, and possibly consult with regulatory counsel for the latest developments and updated guidance on these topics.

Roger Shindell is Chief Executive Officer of Carosh. He is also chairman of the Healthcare Information and Management Systems Society (HIMSS) Risk Assessment Work Group and is a member of American Health Information Management Association (AHIMA) privacy and security council. Shindell has more than 30 years of multidisciplinary experience in health care and has served as an advisor and principal in health care, technology, and service companies. He may be reached at rshindell@carosh.com.

1. U.S. Department of Health and Human Services Office for Civil Rights. OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. March 17, 2020. https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html .
2. U.S. Equal Opportunity Employment Commission. Genetic Information Nondiscrimination Act of 2008. https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008
3. Channel 9 News, KCRG Cedar Rapids, Iowa, Apr 3, 2020.  
4. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(b)(1)(iv). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
5. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.510(b). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
6. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.510(a). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
7. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.520. March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
8. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.522 (a). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
9. US Department of Health and Human Services, Office for Civil Rights. OCR issues guidance to help ensure first responders and others receive protected health information about individuals exposed to COVID-19. March 24, 2020. https://www.hhs.gov/about/news/2020/03/24/ocr-issues-guidance-to-help-ensure-first-responders-and-others-receive-protected-health-information-about-individuals-exposed-to-covid-19.html .
10. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(j)(1). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
11. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(k)(5). March 2013. Accessed May 21, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf .
For a related TWC article, see https://tinyurl.com/ycpuzuyc.