COVID-19 Update:  Pandemic response exceptions to common privacy practices in business and health care 

By: Cristina N. Hyde, JD

 Over the past several weeks, New Jersey’s Governor Murphy and various federal government offices have issued more than 20 executive orders and federal memorandums in an effort to address the ongoing COVID-19 crises, decelerate the pandemic and mitigate its effect on all citizens.  Predominantly effective for the duration of the corona virus crises, the new legislation alters some common practices which address patient and employee privacy.

In a continued effort to help our clients navigate these tumultuous waters, here is a rundown of the main points applicable to health care professionals and small business owners, to date:

Health Care

 HIPPA, Telemedicine, and Telehealth

  • All health providers may provide and bill for appropriate telemedicine and telehealth services.
  • Out-of-state health care providers may deliver telehealth services in New Jersey for COVID-19 screening purposes only.
  • The Office for Civil Rights (OCR) will not be auditing providers or issuing fines for using non-HIPAA compliant platforms (such as Skype and FaceTime). This exception, however, does not insulate a provider from penalties related to patient complaints.

Privacy Practices

Your Notice of Privacy Practices must explicitly cover the following circumstances, this is not new, but extremely important now:

  • notifications to public authorities and law enforcement;
  • communication with patients; and
  • when permission is not required for disclosure to law enforcement, CDC, DOHH, Joint Commission, FDA, etc.

Informed Consent

The decision to practice telemedicine requires practitioners to obtain informed consent which includes the additional acknowledgment that patients have been advised of:

  • the methods used to deliver telemedicine;
  • the benefits (i.e., improved access to care); and
  • the risks (i.e., potential public exposure of health information and the inability to fully treat)

Reporting of Positive COVID-19 Patients

HIPAA permits a covered entity to disclose the protected health information (PHI) of an individual infected with or exposed to COVID-19, to the following entities:

  • law enforcement;
  • paramedics;
  • first responders; and
  • public health authorities

Disclosure is permissible when:

  • It is needed to provide treatment;
  • Notification is required by law; and
  • Notification is to a public health authority in order to prevent or control spread.

HIPAA, Privacy, and Employees

All Equal Employment Opportunity Commission (EEOC) laws remain in full force and effect and the EEOC continues to update information.  Those updates can be found here.

In order to protect the workforce, an employer is permitted to inform a public health agency of the identity of any individual confirmed to have tested positive with COVID-19.  Staffing agencies may also inform employers that a contractor placed in their workplace has tested positive for the corona virus.  Additionally, for the duration of the public health emergency, employers are permitted to do the following:

  • ask employees whether they are experiencing COVID-19 symptoms;
  • require employees to have their temperature taken upon reporting to work; and
  • require a doctors note confirming fitness for duty upon an employee’s return from a COVID-19 absence

Any reports, notes or disclosures must be maintained as part of the employee’s confidential medical record.  Additionally, in order to ensure that any inquiry remains appropriate to symptoms related to the pandemic, employers should refer to the World Health Organization and Centers for Disease Control for guidance.

If you would like assistance with understanding or interpreting any of the recent orders or guidance related to your practice or business, please do not hesitate to Contact Us.

Comments are closed.