While HIPAA regulations do impact how employers handle protected health information, the good news is that businesses have some latitude when it comes to COVID-19.
The need to protect workers and workplaces has raised questions among many HR professionals and business leaders about the impact of HIPAA (Health Insurance Portability and Accountability Act) on new health policies and protocols companies are instituting. These concerns mainly revolve around issues of privacy as organizations and businesses take more precautions.
The good news is that HIPAA and other applicable regulations are not a significant hindrance to businesses seeking to safeguard the welfare of their employees and visitors to their facilities.
Common Precautions Being Used by Businesses
Until we develop an effective vaccine against the coronavirus, employers have two primary obligations as they continue to operate their facilities during the COVID-19 crisis:
- Take active steps to prevent COVID-19 from entering the workplace
- Take precautions to prevent COVID-19 from spreading in the workplace if it does enter
For the first obligation, the Centers for Disease Control and Prevention (CDC) and the Occupational Safety and Health Administration (OSHA) both recommend that employers and organizations implement safety procedures such as screening staff for COVID symptoms like fever, cough, shortness of breath, sore throat and body aches before they enter the workplace.
But it’s not just employees and workers who need to be screened. Visiting clients, delivery personnel, and vendors also need to follow the same safety guidelines when they enter an organization’s facility or worksite.
In short, organizations should screen employees and visitors to their workplaces and facilities for three basic issues:
- Positive tests for COVID-19 infection
- Exposure to someone who has been infected with COVID-19
- Presence of symptoms associated with COVID-19
Many businesses have turned to COVID screening apps and forms to regularly and continuously screen their employees and other visitors to their workplace for one of the above issues. These screenings run the gamut from self-directed surveys to checking each employee for possible symptoms, such as a fever, as they enter the facility.
Organizational COVID Protocols and Policies
These screening procedures go hand-in-hand with the COVID protocols and policies that businesses are creating and adopting to properly care for employees who may be flagged during the screening process.
COVID protocols typically require individuals who have been flagged during the employee COVID screening process to self-isolate or self-quarantine. The period of isolation depends on what they were flagged for during the screening process. A positive COVID-19 test result may require up to two weeks of isolation. Basic symptoms may require the employee to stay home until they’ve been cleared to return.
Anyone who was in contact with the infected or symptomatic person should be alerted to reduce the spread of infection. Work policies will guide leave, reporting, and return to work after medical clearance. Following these CDC-recommended procedures means employers also need to comply with health information privacy laws.
Public Health Threat and Company Discretion
Because COVID-19 is a public health threat, employers generally have more discretion in obtaining health information that would usually be limited under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Americans with Disabilities Act (ADA), and other privacy laws (JD Supra, 2020).
In addition to screening for symptoms, for example, the CDC urges employers to ask employees whether they have a positive COVID-19 test, any possible exposure from personal contacts, or travel to high-risk areas. The CDC also encourages employers to ask if an employee’s age or medical history places them at high risk.
Labor and employment law experts confirm that employers can legally ask employees for this information (Littler, 2020; National Law Review, 2020). Businesses and employers are given more leeway because this information is considered critical for risk assessment and planning for business continuity.
This leads to the additional question of whether businesses and employers are bound by federal HIPAA laws that require that protected health information (PHI) be kept private and secure.
What About HIPAA and Privacy?
HIPAA is a set of national standards and laws that protect the privacy and security of certain types of health information and grant rights to individuals (HHS, 2017). HIPAA requires that PHI be kept private and secure by any “covered health entity,” namely health providers, health plans, and health clearinghouses that process health information, as well as any business associates that assist these organizations with their work (HHS, 2017).
Two of the main components of HIPAA are the Privacy Rule and the Security Rule.
- The HIPAA Privacy Rule requires that protected health information be kept private and only disclosed when necessary to deliver care or to facilitate payment for services.
- The HIPAA Security Rule requires that health information be stored and transmitted securely. This is especially important with the shift to electronic health records, digital platforms, and expansion of telehealth.
Per HIPAA, authorization is needed to disclose an individual’s protected health information, such as any current chronic health conditions, unless they are involved in service delivery. Individuals can file a complaint if they believe that their PHI has been inappropriately revealed without consent. This is a major consideration for businesses and organizations, as HIPAA violations can lead to hefty fines.
Are Employers Required to be HIPAA-compliant?
The short answer is that “it depends.”
Businesses and employers are generally not subject to the HIPAA guidelines because they are not considered a covered entity like medical practices, hospitals, health insurers, and their business associates (HHS, 2017). However, employers with a self-insured health plan are subject to HIPAA laws (HHS, 2017; National Law Review, 2020).
Although HIPAA laws do not apply to most employers, there are privacy requirements regarding employees’ health information under the Americans with Disabilities Act (ADA) and state laws (Hamilton, 2020; Littler, 2020). Employers who operate in multiple states need to investigate local mandates.
The EEOC has confirmed that the ADA bans employers from discriminating against employees based on a medical condition, including COVID-19 (2020). And various legal experts have likewise confirmed that the ADA protects workers by requiring employers to keep the identities of employees who have symptoms or have tested positive for COVID-19 confidential (Hamilton, 2020; Littler, 2020; National Law Review, 2020).
The only exception is when an employer is reporting the infection to a public health agency. It is important to note that employment records are not covered under HIPAA, even when those records include health information (HHS, 2017). Regardless, employers are required to keep medical information in a secure file that is separate from the personnel file to be compliant with the ADA (National Law Review, 2020).
Guidelines on COVID-19 and Employee Privacy
Employers are required to follow health information privacy laws on COVID-19 matters as outlined by federal and state laws. The CDC recommends appointing a workplace coordinator to handle COVID-19 issues. This role can assist with compliance during screening, reporting, and recording of employee health information. Legal experts can offer specific guidance on employer liability.
The CDC, OSHA, and federal laws offer the following guidelines for employers:
- Employers may screen employees for COVID-19 symptoms, including taking actual temperature checks
- Employers can ask anyone who has symptoms or who has been flagged during the screening process to leave the workplace
- Medical information about an employee must be kept confidential and stored separately from their personnel file
- Employers may choose to require a COVID-19 test only if it is necessary for the employees’ work – or if it places others at risk
- Employers cannot require antibody testing in order to allow an employee to return to work
- Employers must continue to follow occupational safety and anti-discrimination laws
- If an employer utilizes a self-insured health plan, they must follow HIPAA laws on PHI.
How to Integrate Privacy into Workplace Plans and Protocols
Navigating through the COVID-19 pandemic has led to complex challenges for businesses and employers. The CDC, OSHA, and EEOC have published helpful resources to guide employers during COVID-19. OSHA recommends that employers create an Infectious Disease Preparedness and Response Plan that includes policies and practices for staff (2020).
This plan demonstrates how the employer will implement safety practices such as screening, workplace controls, isolation for those infected with COVID-19, and return to work. It is helpful to describe how your organization will communicate and manage health information in accordance with privacy laws.
Employers can choose from a variety of tools and platforms to manage health information securely. Digital screening tools with self-reporting offer more privacy and convenience than paper-based ones.
Furthermore, the data can be easily retrieved as needed for reporting. Digital tools can also complement physical checks. If physical screening stations are needed, a trained staff member should conduct the checks privately.
Assessing tools for HIPAA compliance will ensure that information is maintained under strict privacy and security standards. Validated screening tools that keep your employees’ health information private and secure while offering monitoring capabilities are crucial to reopening safely and recovering from the impact of COVID-19.
Conclusion: Navigating COVID With an Antiquated HIPAA
HIPAA does have a major problem. It is 24 years old and was enacted before the explosion of the Web and the greater digitization of our workplaces. For example, because email was just coming into use when HIPAA was being written and didn’t have the encryption and security we take for granted today, HIPAA prohibits the transmission of protected health information via electronic mail (email).
As many have noted, and called for over the past decade, HIPAA needs a serious overhaul.
Nevertheless, as businesses try to operate their workplaces while protecting their employees and worksite visitors, HIPAA and other federal laws covering health data do give employers some latitude – because we are in the midst of a health emergency.
In other words, the challenge isn’t so much HIPAA preventing employers from doing what they must to protect their workers and visitors. The challenge is often for employers to ensure that they’re doing enough to prevent COVID from entering their workplaces and to prevent its spread if someone with COVID does enter.
References
CDC. (2020a, February 11). Coronavirus disease 2019 (COVID-19)—Interim guidance for businesses and employers. Centers for Disease Control and Prevention. https://www.cdc.gov/coronavirus/2019-ncov/community/guidance-business-response.html
CDC. (2020b, April 30). Communities, schools, workplaces, & events. Centers for Disease Control and Prevention. https://www.cdc.gov/coronavirus/2019-ncov/community/resuming-business-toolkit.html
COVID-19: Balancing employee safety and privacy. (n.d.-a). JD Supra. Retrieved June 26, 2020, from https://www.jdsupra.com/legalnews/covid-19-balancing-employee-safety-and-16051/
COVID-19: What employers need to know about HIPAA. (n.d.-b). The National Law Review. Retrieved June 26, 2020, from https://www.natlawreview.com/article/covid-19-what-employers-need-to-know-about-hipaa
Gordon, P., Appenteng, K., & Argento, Z. (2020, March 31). Frequently asked questions on Workplace Privacy and COVID-19. Littler Mendelson P.C. https://www.littler.com/publication-press/publication/frequently-asked-questions-workplace-privacy-and-covid-19
Health information privacy. (2015, August 26). HHS.Gov. https://www.hhs.gov/hipaa/index.html
Pandemic preparedness in the workplace and the Americans with Disabilities Act | U. S. Equal Employment Opportunity Commission. (n.d.). Retrieved June 26, 2020, from https://www.eeoc.gov/laws/guidance/pandemic-preparedness-workplace-and-americans-disabilities-act
Safety and health topics | Covid-19 | Occupational Safety and Health Administration. (n.d.). Retrieved June 26, 2020, from https://www.osha.gov/SLTC/covid-19/
What you should know about COVID-19 and the ADA, the Rehabilitation Act, and other EEO laws | U. S. Equal Employment Opportunity Commission. (n.d.). Retrieved June 26, 2020, from https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws