HIPAA Hot Topics: Enforcement actions and COVID disclosures in the work place

Two recent enforcement actions and answers to a common question of workplace privacy requirements in light of COVID-19.

"OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee," said OCR Director Roger Severino.

In keeping with its Right of Access Initiative, the Office for Civil Rights (“OCR”) announced that Elite Primary Care (“Elite”), a primary care service provider in Georgia, paid $36,000 to settle a potential violation of the HIPAA Privacy Rule’s patient’s right to access his/her protected health information. In April 2019, a patient filed a complaint with OCR indicated that he had requested but was denied access to his medical records. In May 2019, OCR provided technical assistance to Elite. Still, in October 2019, the same patient filed a second complaint indicated that he still had not received his medical records. In May 2020, over a year after the initial request, the patient finally received a copy of his medical records. Seven months later, Elite paid OCR and entered into a corrective action plan, which includes two (2) years of monitoring.

Approximately, one month prior to the Elite settlement, OCR announced that the University of Cincinnati Medical Center, LLC (“UCMC”), which is an academic hospital providing a range of health care services, also settled a HIPAA Privacy Rule Right of Access potential violation for $65,000. Once again, in May 2019, OCR received a complaint that UCMC failed to respond to a patient’s request in February 2019 requesting an electronic copy of her medical records. The patient ultimately received her medical records in August 2019. In November 2020, UCMC paid OCR and entered into a corrective action plan, which includes two (2) years of monitoring.

Finally, the burning question, does disclosure of a COVID-19 diagnosis in the work place constitute a HIPAA violation or violation of another law, such as a state law or the Federal Trade Commission Breach Notification Rule? The answer is “it depends”. First, one must always turn to the facts and circumstances. For example, was a work force member being treated at its place of work and did another employee wrongfully access the records? This is a HIPAA violation under 45 CFR § 164.304

What about the scenario where an employee tests positive? What can an employer disclose and who may be notified?

First, The Americans with Disabilities Act (“ADA”) requires that any mandatory medical test of employees be “job related and consistent with business necessity.” Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others. Therefore, a company may choose to administer COVID-19 testing to employees or require testing before they enter the workplace to determine if they have the virus.

The Centers for Disease Control and Prevention (CDC) recommends that employers notify employees of their possible exposure to COVID-19 in the workplace when a fellow employee tests positive. Employers must not disclose the name of the employee testing positive, as that is confidential information under the ADA.

In light of this, here is a chart, which may be helpful:

In sum, HIPAA, as well as general notions of keeping medical records private and secure, continues to be an area of focus for OCR and other government agencies. This is a trend that is sure to continue in 2021.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}