Be Wary of Potential HIPAA Traps When Responding to Coronavirus Concerns
As we counsel clients on best practices in addressing the coronavirus pandemic, we continue to caution clients on potential HIPAA issues with internal response plans. In a recent Bulletin, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a warning to employers to "ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency" (emphasis added).
As a reminder, HIPAA covered entities include not only health care providers, but also health care plans maintained by employers. Employers who are considering involving human resources personnel with access to HIPAA protected health information (that is part of the employer's medical plan), should carefully consider potential privacy concerns that could be raised if information from the health plan is accessible and/or considered in responding to workplace safety concerns. Moreover, we have seen some employers implement testing and prevention strategies that can create new employer-sponsored health plans, and/or involve third-parties or onsite clinics that are otherwise considered health care providers or plans subject to HIPAA.
These traps for the unwary are best addressed by involving the HIPAA Privacy Official within the organization and by working with outside HIPAA counsel to ensure that Coronavirus response planning does not trigger any compliance issues.