HIPAA, Telecommuting, and Force Majeure provisions in the wake of the Coronavirus pandemic

March 17, 2020

What organizations and physicians need to know.

In light of the Coronavirus pandemic, persons should be familiar with its impact on HIPAA, telecommuting and force majeure provisions. 

 

HIPAA

The HIPAA Privacy Rule and Security Rule are still applicable during this pandemic. The Privacy Rule has always had an exception for health providers to report certain diseases or conditions of an individual patient to various state and federal government agencies, such as a state’s Department of Health and Human Services or the Centers for Disease Control and Prevention (CDC). 45 CFR § 164.512(b)(1)(i). The transmission of the patient’s information still needs to occur in accordance with the Security Rule. 

Trending: RVUs: The basics of physician compensation

The U.S. Department of Health and Human Service’s comment on disclosing CoVID-19 patient related information underscores these notions: 

“In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization[.]”

 

Telecommuting

First and foremost, organizations should already have natural disasters or government declared emergencies in its policies and procedures, including its Disaster Recovery and Business Continuity Plans. 

For workforce members who already work remotely, a checklist and attestation, as well as training, should already be in place. For workforce members who typically do not work from home or away from the local office, organizations should have the person complete a checklist, verify that the attestations are truthful, provide additional training and install any software that other remote employees have in place. 

It goes without saying that secure WiFi is one of the requirements on the checklist, as well as using a room outside of the purview of other family members and friends and having a cross-cut shredder. Employers should keep workforce members up to date on government directives and changes in hours of operation. Overall, ensuring continuing compliance with the Security Rule’s technical, administrative and physical safeguards is vital. 

 

Force majeure

Finally, a common contractual provision that has come to the forefront is the force majeure clause. Black’s Law Dictionary defines force majeure as, “[a]n event or effect that can be neither anticipated nor controlled.” 

Force majeure clauses allocate risk between the contracting parties if performance becomes impossible or impracticable because of an unforeseen event. No doubt, a pandemic is an unforeseen event. Yet, like most interpretations of a contract, courts first look to the “four corners” of the document. The Parties should be as specific as possible when drafting this provision. An “act of God” could be and has been interpreted differently than a “emergency measures”. The most effective way to make sure an item is either included or excluded is to list it. Otherwise, it may be up to a court to apply an objective standard. In the pandemic situation and most other disasters such as Hurricane Harvey, the most cost effective and expeditious route is for the parties to reach an agreement. Otherwise, a court may rely on equitable remedies. 

Read more: Smart investing for physicians

In sum, from a practical standpoint, in order to thwart the spread of the Coronavirus, wash hands regularly, wipe down surfaces, limit face to face interactions and adhere to CDC guidance. Telecommuting also requires vigilance. Be certain to adhere to the Privacy Rule and the Security Rule. Providers may make disclosures to various health authorities, albeit in a secure manner. Finally, when considering contracts, be sure to list and define broad categories. Alternatively, if a contract is already in place, be certain to review case law in the jurisdiction. Above all else, be rationale and reasonable.  

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.