Don’t forget about HIPPA and medical privacy during pandemic

Updated April 9, 2020

During the current coronavirus pandemic, it’s natural that workers will be nervous. If they are physically still at work because their jobs can’t be done from the perceived safety of their homes, any news of a sick co-worker will spur concern. Something as simple as colleague calling off for the day or sharing on social media that a family member is sick will set off alarm bells of anxiety. Employers need to be prepared for a barrage of questions and know which are legal to answer.

That’s where medical information and privacy rules come into play. Here’s what you need to know about what you can say and do under the Health Insurance Portability and Accountability Act (HIPAA) and other laws protecting privacy.

HIPAA Privacy Rule

The law includes a provision protecting medical information. The HIPAA Privacy Rule protects the privacy of patients’ health insurance information. While employers are not the primary entities the privacy provisions are aimed at, there are many times that employers do have to follow the rules. For example, if you operate a health clinic – either on or off-site – you are covered. The same holds true if you manage a self-insured health plan for employees or even act as an intermediary between your workers and health care providers. Thus, if you are now routinely doing temperature checks or otherwise monitoring health to screen for potential COVID-19 infections, you’re probably covered.

Even if you are not a covered entity, you have separate obligations under the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA) and the Genetic Information Nondiscrimination Act (GINA) to protect medical information. Following HIPAA’s rule makes sense as a way to meet those obligations, too.

What’s covered

First and foremost, employers are not excused from complying with the privacy rule merely because of a public health emergency such as the one currently occurring in the United States. But there are important exceptions built into HIPAA for just such occasions. The law balances the appropriate use and disclosure of medical information when it’s necessary to treat a patient and protect the nation’s public health.

Covered entities are required to cooperate with public health authorities like your state department of health, the CDC and OSHA. Collecting and sharing information on an ongoing basis like suspected cases or exposures does not violate HIPAA. Plus, OSHA requires you to report workplace injuries, illness or exposure to the virus.

What you can tell co-workers

The bottom line is that employers should institute strict privacy rules when talking to employees about potential illnesses, including possible exposure to the coronavirus that causes COVID-19.

• You may share protected health information about a patient who is your employee as necessary to treat him or another patient. In other words, if an employee is diagnosed with COVID-19 and another employee is exhibiting symptoms and requests information, you may be able to provide that information to the other employee’s physician. The same holds true if the first sick employee has triggered a need to quarantine other employees who were in close contact with the first employee. That does not mean that you should release the name of the employee to other workers. That information is confidential under the ADA and the FMLA.
• Your department of health also likely requires you to report cases and wider outbreaks. That way, they can carry on with their job of contract tracing.
• When it comes to media inquiries, your responses should be limited and not include personal information such as names and addresses. You should consult with counsel before responding to media inquiries.

What you can, can’t ask staff during the pandemic

Most of your employees have probably heard about the Families First Coronavirus Response Act, which lets some workers take paid sick and family leave. Their expectations may not match the reality, though. (See “Who is and isn’t eligible for emergency leave?”)

When those workers ask for leave because they can’t or don’t want to come to work, you need to know exactly what you can and cannot ask. You also need to know what proof you can demand to assure employees are fit to work—or if they are potentially contagious.

• Testing questions. In ordinary times, you can’t subject disabled workers to medical tests. But during a pandemic, you can require some testing to prevent disease spread.
  
  That’s why the EEOC has stated that temperature checks do not violate the ADA. In fact, several national retailers such as Walmart and Kroger are now checking workers’ temps at the beginning of each shift. Expect further guidance from federal agencies when quick COVID-19 tests become widely available.
• Leave requests. No doubt you have workers requesting paid leave under the FFCRA. Some may want time off because they fear getting sick.
  You may request proof that employees qualify for leave under the law’s self-care and diagnosis criteria or its caring-for-others and school-closure sections.
  
  There is no specific form yet for documenting that a worker has been ordered to self-quarantine, has COVID-19 symptoms or is undergoing treatment or diagnosis. Consider accepting tele-medicine assessments or similar proof.