March 15, 2020: the U.S. Department of Health and Human Services (HHS) declared a limited HIPAA Privacy Rule waiver as a measure to help contain and reduce the spread of COVID-19, now considered an international pandemic.
As some privacy measures put in place through the Health Insurance Portability and Accountability Act (HIPAA) are waived temporarily to fight the spread of the novel coronavirus that causes COVID-19, many questions arise for business owners and human resources professionals. What are their HIPAA and Americans with Disabilities Act (ADA) responsibilities and liabilities when it comes to privacy measures during the coronavirus emergency?
Are all HIPAA Privacy Rules Suspended During the COVID-19 Pandemic?
No. It is important for employers to understand that the waiver, designed to address the disclosure of health information in specific circumstances connected to the ongoing COVID-19 pandemic, isn’t a free pass to disregard privacy rules. Employers and HR departments must still handle sensitive personal information for those afflicted with the disease with great care.
“Employers should remain very vigilant about how personal health information is handled,” says Deirdre Kamber Todd, Esq., an employment attorney in Allentown, Pennsylvania, who specializes in HIPAA and ADA compliance issues. “The situation we are in does not take away HIPAA or ADA compliance, and after the pandemic passes, the laws will remain and issues are bound to come up in the aftermath. Businesses need to be mindful of this.”
What HIPAA Privacy Rule provisions have been temporarily waived?
According to HHS, in a declared emergency or disaster period, the federal government may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. These include:
- Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a notice of privacy practices
- A patient’s right to request privacy restrictions or confidential communications
According to The National Law Review, these lifted restrictions do not apply generally to employers. When it comes to protected health information (PHI), the same health privacy rights that have been established by both HIPAA and ADA still apply. In fact, according to the HHS waiver, these temporary provisions are for specific circumstances and are only applicable:
- In the area identified in the public health emergency declaration
- To the hospitals where disaster protocols have been instituted
- For up to 72 hours from the time the hospital implements its disaster protocol (If the public health emergency declaration is terminated by the President or the HHS Secretary before this time frame expires, the privacy waiver ends immediately)
What Are Employers’ Responsibilities and Liabilities During the COVID-19 Emergency?
In an emergency situation, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations, such as the American Red Cross, for crisis efforts, such as to help notify family members of a patient’s location. Keep in mind that bosses do not fall into the same category here as medical and emergency workers.
“Employers need to know that they are not entitled to share employee PHI any way they like during a national emergency,” says Kamber Todd. “They should always follow best practices whenever they do handle sensitive health information, regardless of whether there is a pandemic or not.”
According to the Equal Employment Opportunity Commission’s (EEOC) ADA guidelines, during the COVID-19 pandemic, employers may ask employees if they are experiencing symptoms of the virus, such as fever, chills, cough, shortness of breath, or sore throat. Employers also must keep all information about any employee’s illness as a confidential medical record in compliance with the ADA.
Kamber Todd notes that as the COVID-19 situation unfolds, it is important for employers to check with state and local authorities as well as federal ones, since changes to patient privacy rules and regulations can happen on several governmental levels. She advises keeping an eye on provisions for:
- Public health activities and authorities
- Disclosures to family, friends and others involved in an individual’s care and for emergency notification
- Disclosures to prevent or lessen a serious and imminent threat
- Disclosures to the media and others
- Abiding by the “Minimum Necessary Rule”
What is the Minimum Necessary Rule?
HIPAA’s Minimum Necessary Rule states that an individual’s information can only be disclosed to the extent that it is the absolute least needed to accomplish the purpose of the disclosure. “This is, generally speaking, a solid guide for HIPAA and ADA privacy compliance,” says Kamber Todd. “You should follow this rule even when preparing preemptive measures in the face of emergencies.”
Remember Documentation Is Your Friend in Times of Emergencies
These are certainly unprecedented times that have no road map. Make sure your actions and events are well documented, so as to show that you acted with good intent and in good faith. According to Kamber Todd, “Documenting that you are acting with the best intentions to follow the law during an emergency period can help protect you from potential regulatory sanctions or common-law issues down the line.” If you don’t explain why you took an action, your motives can more easily be open for interpretation. Some things employers can do to protect their employees and their businesses in this regard include:
- Be transparent and refrain from offering personal opinions when communicating with employees regarding the coronavirus situation
- Avoid fear-mongering and speak about preventative things being done or that can be done by individuals to combat the spread of the disease
- Use employee health questionnaires or checklists asking employees to state whether they are displaying symptoms or have been exposed to coronavirus risks (travel, family members with symptoms, etc.)
- Have a policy in place to send anyone home who displays obvious symptoms or has self-reported risks on the above-mentioned checklist (avoid specifics that can single an individual out)
- Limit the amount of PHI specifically stated when notifying others that an employee has been sent home, referring to the policy points being followed instead of personal details
- Be wary of singling out any legally protected classes when you craft policies or share information
- Be careful not to touch on health information that can be interpreted under HIPAA as possibly identifying someone, directly or by process of disqualifying others
As the Regulatory Hits Keep Coming, Proceed Responsibly and With Caution
The new Families First Coronavirus Response Act (FFCRA) requires that certain employers provide employees with paid sick leave or expanded family and medical leave for specified reasons related to COVID-19. The Department of Labor (DOL) will be enforcing these new measures, which will likely run into some privacy rule hurdles. Currently, the Centers for Disease Control’s (CDC) guidance on how employers alert others in a safe way that does not infringe upon privacy rights appears to be somewhat muddled, according to Kamber Todd. She recommends erring on the side of caution, as once an employee’s health information is revealed, you cannot take it back. And as always, when in doubt, check with trusted employment law counsel.
HIPAA and COVID-19 Resources for Employers
Here are some valuable resources to help you with these and other issues during the coronavirus emergency:
- HIPAA Privacy Rule
- HHS Limited HIPAA Privacy Rule Waiver Declaration
- HHS provides Clarification on HIPAA Privacy Rule Compliance during Emergency Situations
- Centers for Disease Control Resources for Businesses and Employers
- SHRM’s COVID-19 Government Response and Resources
- EEOC Information on ADA and COVID-19
Is Your Organization Struggling With Its Emergency HR Plans?
RAI Resources can help enhance your HR policies and procedures so that your business is better prepared for workforce issues, including national emergencies that affect the workplace, like the coronavirus situation we are currently in. When your employees feel supported and valued, it can improve retention, engagement and productivity, too. We are a premier HR consulting and professional recruiting firm, and we provide tactical, practical employment assistance across a number of fields, including manufacturing, construction, logistics, professional services and engineering. Contact us today for your complimentary, no-obligation consultation.
Deirdre Kamber Todd, Esq., is a partner with the Kamber Law Group, P.C., a next-generation law firm located in Allentown, Pennsylvania. She specializes in employment law, healthcare law, social media law, HIPAA, ADA, FMLA and business law.