HIPAA Hot Topics: Enforcement actions and COVID disclosures in the workplace

Two recent enforcement actions and answers to a common question of workplace privacy requirements in light of COVID-19.


"OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee," said OCR Director Roger Severino.

In keeping with its Right of Access Initiative, the Office for Civil Rights (“OCR”) announced that Elite Primary Care (“Elite”), a primary care service provider in Georgia, paid $36,000 to settle a potential violation of the HIPAA Privacy Rule’s right of a patient to access his/her protected health information. In April 2019, a patient filed a complaint with OCR indicating that he had requested but was denied access to his medical records. In May 2019, OCR provided technical assistance to Elite. Still, in October 2019, the same patient filed a second complaint indicating that he still had not received his medical records. In May 2020, over a year after the initial request, the patient finally received a copy of his medical records. Seven months later, Elite paid OCR and entered into a corrective action plan, which includes two (2) years of monitoring.

Approximately one month prior to the Elite settlement, OCR announced that the University of Cincinnati Medical Center, LLC (“UCMC”), which is an academic hospital providing a range of health care services, also settled a HIPAA Privacy Rule Right of Access potential violation for $65,000. Once again, in May 2019, OCR received a complaint that UCMC failed to respond to a patient’s February 2019 request for an electronic copy of her medical records. The patient ultimately received her medical records in August 2019. In November 2020, UCMC paid OCR and entered into a corrective action plan, which includes two (2) years of monitoring.

Finally, the burning question: does disclosure of a COVID-19 diagnosis in the workplace constitute a HIPAA violation or a violation of another law, such as a state law or the Federal Trade Commission Breach Notification Rule? The answer is “it depends”. First, one must always turn to the facts and circumstances. For example, was a workforce member being treated at his or her place of work and did another employee wrongfully access the records? This is a HIPAA violation under 45 CFR § 164.304.

What about the scenario where an employee tests positive? What can an employer disclose and who may be notified?

First, the Americans with Disabilities Act (“ADA”) requires that any mandatory medical test of employees be “job related and consistent with business necessity.” Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others. Therefore, a company may choose to administer COVID-19 testing to employees or require testing before they enter the workplace to determine if they have the virus.

The Centers for Disease Control and Prevention (CDC) recommends that employers notify employees of their possible exposure to COVID-19 in the workplace when a fellow employee tests positive. Employers must not disclose the name of the employee testing positive, as that is confidential information under the ADA.

In light of this, here is a chart, which may be helpful:

Create policies and procedures for testing, vaccination, and other related items such as quarantine. Post EEOC and CDC guidance on site and/or via electronic access depending on the size and type of the organization. Do not single people out and have different rules that apply to different individuals.
If a workforce member tests positive or relays that some person was in close proximity to someone who was exposed, then anonymously make an announcement that a person has tested positive. If individuals are thought to be exposed, then notify them directly but without disclosing who the infected individual is. Do not announce who the individual is to anyone except the appropriate people in the company, human resources for example, and public health authorities, both state and national.
If a workforce member is known to work at another facility and he/she tests positive, then Company A should reach out to the public health authority first. Then contact Company B and indicate that a workforce member who is known to work for both companies tested positive and Company B’s workforce may need to be tested. If Company B asks for the name of the individual, Company A should state that they cannot disclose the name without consulting legal counsel. Do not call Company B and say that [insert specific employee name] tested positive for COVID-19 and you need to take remedial measures.
Maintain any medical items in a confidential manner. Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA. Keeping with HIPAA’s standards provides a good faith basis for meeting this requirement. Do not leave medical information open or in violation of the HIPAA Security Rule.

In sum, HIPAA, as well as general notions of keeping medical records private and secure, continues to be an area of focus for OCR and other government agencies. This is a trend that is sure to continue in 2021.

About the Author

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.