April HR Bulletin – HIPAA and PHI in the COVID-19 Pandemic
The Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule has been in place since 1996 and drives the standards for privacy of individual health information, along with the addition of the Health Information Technology for Economic & Clinical Health (HITECH) Security Rule in 2010. The Privacy & Security Rule standards address the transmission, security, use, & disclosure of individuals’ personal health information (PHI) by organizations subject to the privacy rules. In the present coronavirus (COVID-19) pandemic situation, it is important to recognize that the laws regarding privacy are still applicable and should be followed.
In the Workplace
Many employers are seeking guidance on how to handle the scenario in which an employee self-discloses to a colleague or supervisor that they have contracted COVID-19 or that they are in the process of receiving testing or diagnosis for COVID-19. The name of the individual should not be shared with others in the workforce, even if an individual self-discloses. There is no value in sharing this information beyond the self-disclosure, and it could result in a HIPAA violation. In the situation where it becomes known that individuals in your workplace may have been exposed to COVID-19, communicate to those who may have been impacted only the fact that they may have been exposed to someone who has contracted the virus without releasing any personally identifiable information and also communicate the steps that you as a business are taking to protect your employees.
In the event an employee tests positive for COVID-19, the Centers for Disease Control (CDC) advise that businesses should be in contact with their state and local health department to obtain timely and accurate information regarding the response. This is not required, but we do know that information regarding COVID-19 is changing daily. Work with the impacted employee to obtain a list of co-workers he/she has been in “close contact” within the last two weeks. The CDC defines “close contact” as “a person that has been within six feet of the infected employee for a prolonged period.” The next step would be to contact those individuals and refer to guidance from the CDC located here: CDC Coronavirus Response for Businesses. As mentioned above, you may share with the employee that someone in the workplace has tested positive (without personally identifying the infected employee). Direct these employees to self-isolate at home for 14 days, monitor symptoms, and work with his/her healthcare provider. Additionally, it will be essential to make plans for extra cleaning and disinfecting in the office, and be sure to share that as part of your response plan with the employees.
Authorized Limited Disclosures of PHI
The HIPAA Privacy Rule acknowledges the need for those responsible for ensuring public health and safety to have access to PHI, which is otherwise protected, to carry out their job functions. The Privacy Rule permits all covered entities to disclose this information even without individual authorization. This information may be released:
- to the CDC or State or local health departments for the purposes of preventing or controlling the disease. See 45 CFR §§ 164.501 and 164.512(b)(1)(i).
- to persons who may be at risk of contracting the disease, so long as the covered entity is authorized to control the spread of disease or to carry out public health interventions.
- to the families, friends, or others involved in a patient’s care when the patient is incapacitated or unconscious and unable to provide authorization for the release of PHI.
- to share information about a patient as may be necessary to identify an otherwise unknown person’s identity, including their general health condition or death. See 45 CFR 164.510(b).
Any information released in these circumstances must be kept to the minimum needed to accomplish the purpose, and may not go into additional health conditions which may be known or may be discovered which are not relevant to the emergency condition (e.g., during examination a doctor determines that an unconscious victim also has cancer) unless the concurrent treatment of said unrelated condition has a direct bearing on the recovery of the patient. Covered entities may rely on information from the CDC that certain information regarding the spread of COVID-19 is necessary for the benefit of the greater public at large. Covered entities also are required to restrict internal access to PHI among their staff only to the extent required to provide the information needed for the teams to do their jobs. See 45 CFR §§ 164.502(b), 164.514(d).
Please note this is just a summary of the federal requirements, and there may be state or local regulations in your area, which also will apply.
Limited Waiver of HIPAA Sanctions and Penalties
On March 15, 2020, the United States Department of Health and Human Services issued a Limited Waiver of HIPAA Sanctions and Penalties during this health emergency time. The patients’ right to privacy has not been suspended. However, the HHS has granted a temporary waiver to cover hospitals that may fail to comply with HIPAA requirements fully. Specifically, the following aspects of HIPAA are waived:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt-out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
This waiver is granted only to hospitals in an emergency area, which has been identified in a public health emergency declaration and has also implemented a disaster protocol. Said waivers are limited to 72 hours after the emergency has been declared.
Enforcement of HIPAA Violations relaxed
On April 2, 2020, the Office of Civil Rights (OCR) announced that it was making a change to the enforcement of HIPAA-related discrimination claims, to support the needs of the CDC to have rapid access to COVID-19 information. Specifically, the OCR will not impose penalties for the disclosure of PHI if the covered entity or business associate (meaning a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity) makes good-faith use of the information and also informs the covered entity of said disclosure within ten business days of the disclosure.
If you or any of your team have any questions about HIPAA, PHI, or navigating during this COVID-19 pandemic, please contact HR Service Inc. at (801) 685-8400. We’d be happy to help!
Prepared by David Norton
Human Resources Business Partner