Abstract:
Coronavirus has made a difference in your practice procedures. You’ve reorganized your waiting room and check-in procedures to comply with social distancing. Staff are required to wear masks and increased personal protection equipment (PPE). Sanitizing has been brought to a new level. Patients must wear masks and notify you of their arrival before entering the waiting room. But have you reviewed and updated your Procedures and Policies manual? With the new normal brought on by the outbreak of human coronavirus and the resultant school closings, travel bans, social distancing, community lockdowns, and other concerns throughout the world, it is time to review your office procedures and HIPAA regulations relative to patient rights and public safety.
Understandably, the public, and especially healthcare employees, are concerned about contracting this mysterious, pneumonia-like virus rapidly spreading around the world, because the numbers of confirmed cases spike each day as more people are tested and/or show symptoms. The CDC and local government agencies want to track testing, exposure, recoveries, and deaths to determine where the virus is heading.
At the time of writing this article, the Department of Health and Human Services had declared a public health emergency with respect to coronavirus. Under the public health emergency, covered entities must understand what their obligations are with respect to use and disclosure of protected health information (PHI).
What is the HIPAA Public Health Exemption?
The HIPAA Privacy Rule permits that public health authorities and others who ensure public health and safety be given access to PHI to carry out public health activities. The Privacy Rule also recognizes that public health reports made by covered entities play an important role in identifying threats to individual and public health and safety. As such, the Privacy Rule allows covered entities to disclose PHI without authorization for certain public health purposes.
Under the HIPAA public health exemption (which applies, among other reasons, when a public health emergency has been declared), covered entities may, without written patient authorization, disclose PHI to public health authorities legally authorized to receive it, for the purposes of preventing or controlling disease, injury, or disability. Disease, injury, and disability prevention and control measures and activities include reporting of disease or injury, and reporting of vital events, such as deaths.
Under the HIPAA public health exemption, a covered entity also may, without written patient authorization, disclose PHI to conduct public health surveillance, investigations, or interventions.
Covered entities also may, if directed to do so by a public health authority, disclose PHI to a foreign government agency acting in collaboration with that authority. Covered entities that are public authorities may use and disclose PHI for:
The purpose of preventing or controlling disease;
The purpose of preventing or controlling injury; and
The purpose of preventing or controlling disability.
Disease, injury, and disability prevention and control measures and activities include:
Reporting of disease or injury;
Reporting of vital events (i.e., births, deaths); and
Conducting public health surveillance, investigations, or interventions.
What is a Public Health Authority?
The HIPAA Privacy Rule defines a public health authority as any of the following that is responsible for public health matters as part of its official mandate:
An agency or authority of the United States government;
A state;
A territory;
A political subdivision of a state or territory; or
An Indian tribe.
Public health authorities also include individuals and entities acting under a grant of authority from, or under a contract with, a public health agency.
Examples of a public health authority include:
State and local health departments;
The federal Food and Drug Administration (FDA);
The CDC; and
The Occupational Safety and Health Administration (OSHA).
Generally, covered entities must reasonably limit the PHI disclosed for public health purposes, to the minimum amount necessary to accomplish the public health purpose.
However, covered entities are not required to make a “minimum necessary determination” for public health disclosures that are made either under an individual’s authorization or as required by other law.
For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority that is requesting the protected health information.
For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of PHI that may be disclosed for such purposes.
When Else Does the HIPAA Public Health Exception Apply?
The Privacy Rule recognizes the important role that persons or entities other than public health authorities play in certain essential public health activities. Covered entities may, therefore, under the Privacy Rule, disclose PHI, without authorization, for the following public health investigations:
Child abuse or neglect: Covered entities may disclose PHI to report known or suspected child abuse or neglect, provided the report is made to a public health or other appropriate government authority authorized to receive such reports under law. Such authorities may include (among other entities) social services departments of local governments and police departments.
Quality, safety, or effectiveness of a product or activity regulated by the FDA: Covered entities may disclose PHI to persons (e.g., individuals, entities, partnerships, and corporations) subject to FDA jurisdiction, if the disclosure is for a public health purpose that is related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which that person has responsibility. Examples of purposes or activities for which such disclosures may be made include (but are not limited to):
Collecting or reporting product defects or problems (including problems regarding use or labeling);
Tracking FDA-regulated products;
Enabling product recalls, repairs, or replacement.
Persons at risk of contracting or spreading a disease: A covered entity may disclose PHI to a person who is at risk of contracting or spreading a disease or condition, if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations.
Workplace medical surveillance: A covered healthcare provider who provides a healthcare service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s PHI to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries, to the extent the employer needs that information to comply with OSHA, the Mine Safety and Health Administration, or the requirements of state laws having a similar purpose. In such instances, the covered provider must give written notice to the individual that the information will be disclosed to the individual’s employer. As an alternative to giving written notice to the individual, the notice may be posted at the worksite, if that is where the service is provided.
Patient Privacy
Understandably, your staff is concerned when patients report with symptoms of the novel coronavirus COVID-19, which have included mild to severe respiratory illness with fever, cough, and difficulty breathing. Fears about contracting the virus could lead healthcare employees to look at PHI impermissibly and share information of patients presenting with these symptoms.
Although healthcare employees are encouraged to answer patient questions about coronavirus and take precautions when dealing with patients presenting with upper respiratory symptoms, they must remember they may not access or disclose patient records for an unauthorized purpose. Curiosity may tempt employees to look up a patient’s medical record to see if the record includes evidence of any discussions a patient may have had with a provider about coronavirus. However, employees should especially resist this temptation with respect to patients who have sought treatment for mild to severe respiratory illness. HIPAA regulations still apply, and under HIPAA, employees may access or disclose patient records only when specifically authorized to do so as part of their job, or when required to do so under law.
Review and/or update privacy procedures in your Policies and Procedures manual to reinforce this HIPAA rule.
Telehealth Rules
During the COVID-19 pandemic, emergency HIPAA waivers made it easier for physicians to provide virtual services. For many, the pandemic and subsequent shutdowns may have resulted in offering telehealth services never before considered. However, these relaxed rules were never meant to be permanent. Eventually, the government will clamp down on telehealth HIPAA compliance with violation penalties as high as $50,000 per occurrence.
Complying with the stricter HIPAA telehealth regulations when the COVID-19 waivers expire is essential to your ability to continue to offer these much sought-after services. Now is the time to review your telehealth procedures to ensure you are complying with the normal HIPAA requirements. Be sure your virtual platform complies with HIPAA rules that were in effect before the relaxed regulations were put into place. Review all rules with staff, who may have become accustomed to the relaxed telehealth rules allowed during the height of the pandemic.
New Employment Policies
The “new normal” also applies to your employment policies, which must comply with new state and federal COVID-19 employment rules. You must also ensure compliance with other related government agencies and laws whose requirements have been modified due to changing circumstances. These include the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission, and the United States Department of Labor, among others.
The new employment laws affect everything, from what you are required to pay when an employee is out sick to the safety of the work environment within your practice. Ignoring these new employment regulations really is not an option; it leaves your practice seriously exposed to legal and governmental audits and penalties.
Several employment policy questions you must consider adding to your Policies and Procedures manual include the following:
If testing is available, can you legally test employees for COVID-19?
Are you violating ADA laws if you require pregnant or high-risk staff to stay home?
Can you require staff to use accumulated paid time off as compensation if you send them home?
How do you know if you are required to comply with the Federal Families First Coronavirus Act?
If an employee reports that they’ve tested positive for COVID-19, can you inform other staff?
What are your obligations to the Emergency Family & Medical Leave Expansion Act (EFMLEA)?
What obligations do you have related to the Emergency Paid Sick Leave Act (EPSL)?
Are you required to comply with both state and federal employment regulations?
How can you reduce your liability if an employee becomes infected with COVID-19 at work?
What is the best way to document the communication of new employment policies?
If employees work from home, are you required to reimburse home expenses (e.g., Internet)?
Do you have an obligation to report employees with symptoms of COVID-19?
When is it safe to let a COVID-19–positive employee return to work?
How long must you hold a position open for an employee who can’t come to work?
How high does an employee’s temperature need to be for that employee to be sent home?
What should you do if you tell an employee to go home and they refuse?
Are there documentation requirements for COVID-19–positive employees?
Are you required by EFMLEA and EPSL to pay an employee for time they don’t actually work?
If an employee tests positive for COVID-19, are you required to record an OSHA incident?
How do you amend your FMLA and leave policies to align with updated COVID-19 regulations?
How does COVID-19 change your ADA compliance?
Are there specific PPE items that you are required to provide to staff?
Summary
HIPAA rules and employment regulations, as well as your entire Policies and Procedures Manual, should be reviewed, updated, and reissued to all employees periodically. In the face of a public health emergency such as the coronavirus, it is imperative that all employees be reminded of how important it is to follow the HIPAA privacy rules regarding PHI and that all new rules regarding patient safety and employee matters be recognized.