HIPAA Tips: Information for Covered Entities and Employers
By Kristy M. Kimball and Lisa Carlson
What’s the Issue?
Covered entities, such as hospitals and other healthcare providers, may be asked by unrelated third parties for information relating to a patient’s diagnosis or presumed diagnosis of COVID-19.
The information below outlines how the Health Insurance Portability & Accountability Act (“HIPAA”) applies to health information obtained or maintained by those subject to HIPAA (e.g., covered entities or business associates of covered entities), but does not cover state-specific privacy laws or employment-specific confidentiality laws. For example, the ADA, FMLA, and workers’ compensation laws all have confidentiality aspects that will impact employers.
Do I have to comply with HIPAA?
- HIPAA protects the privacy and security of individually identifiable health information (or “PHI”) that is obtained or maintained by “covered entities” and their business associates.
- Covered entities include (1) healthcare providers; (2) health plans, including most employee benefit plans; and (3) healthcare clearinghouses.
- A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions, activities, or services on behalf of a covered entity that involve the use or disclosure of PHI.
If you are a covered entity, what records must you protect under HIPAA?
Covered entities MAY NOT use or disclose the PHI they create, receive, and maintain about patients without the patient’s authorization or unless an exception applies (see HIPAA Exceptions, below).
What about the health-related records of my employees?
- Employers that are “covered entities” MAY share information about employees that they have received in their capacity as an employer, as that information is not protected by HIPAA.
- For more information about how HIPAA impacts covered entities as employers, visit the HIPAA: Information for Employers section below.
HIPAA Exceptions:
The following exceptions may be available to covered entities during the Coronavirus pandemic, allowing the sharing of PHI absent a patient’s authorization. However, if an exception does not apply, the patient’s authorization must be obtained.
- For Treatment Purposes. HIPAA allows covered entities to disclose PHI about the patient that is necessary to treat the patient or a different patient.
- To Prevent a Serious and Imminent Threat. Covered entities can share PHI to anyone who is in a position to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Any such disclosure must be consistent with applicable state law and ethical standards.
- For Public Health Activities. In the interest of allowing public health authorities and others to have sufficient information to appropriately respond to public health and safety issues, HIPAA allows covered entities to disclose PHI to public health authorities and to persons at risk of contracting or spreading a disease or condition.
- To Family, Friends, and Others Involved in a Patient’s Care. Covered entities may share PHI with a patient’s family, friends, or others that the patient has identified as being involved in their care.
- Covered entities are generally prohibited from sharing a patient’s PHI with the media or anyone not involved in the patient’s care without the authorization of the patient or their personal representative.
If an exception applies, how much information can I share?
- With the exception of disclosures for treatment purposes, HIPAA only allows covered entities to share the minimum amount of information necessary to fulfill the purpose under the applicable exception.
Are there exceptions under HIPAA for emergency situations?
- Covered entities must remember that the standards for protecting PHI imposed by HIPAA remain applicable even during emergency situations and public health crises.
- Covered entities must take action to protect against unauthorized access to patient records (snooping) and unauthorized disclosures.
In an emergency, are sanctions and penalties against covered entities waived?
- The Secretary of Health and Human Services has authority to waive sanctions and penalties for violations of certain provisions of the HIPAA Privacy Rule during public health emergencies.
- On March 15, 2020, the Secretary executed this authority, waiving sanctions and penalties against covered hospitals, applicable only to the following provisions:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 C.F.R. 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 C.F.R. 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 C.F.R. 164.520.
- The patient’s right to request privacy restrictions. See 45 C.F.R. 164.522(a).
- The patient’s right to request confidential communications. See 45 C.F.R. 164.522(b).
- This waiver is only effective (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
- For more information, please see the OCR guidance on the HIPAA Waiver and Privacy and Disclosures in Emergency Situations.
HIPAA: Information for Employers
What is the Issue?
Employers are wondering about their responsibilities related to the protection of the health information of their employees, particularly if the business has reason to suspect that a particular employee has been exposed to or is symptomatic for COVID-19.
The information below outlines how the Health Insurance Portability & Accountability Act (“HIPAA”) applies to health information obtained or maintained by general employers. It does not cover state-specific privacy laws or employment-specific confidentiality laws. For example, the ADA, FMLA, and workers’ compensation laws all have confidentiality aspects that will impact employers. Employers must be aware of and comply with those laws in addition to HIPAA.
Do I have to comply with HIPAA?
- HIPAA protects the privacy and security of individually identifiable health information (or “PHI”) that is obtained or maintained by “covered entities” and their business associates.
- Covered entities include (1) healthcare providers; (2) health plans, including most employee benefit plans; and (3) healthcare clearinghouses.
- Unless an employer falls into one of those three categories, HIPAA will not apply to the employer and the employer will not be prevented from using or disclosing health-related information under HIPAA (but other employee confidentiality laws may still apply).
If you are a covered entity, what records must you protect under HIPAA?
- Employers that are “covered entities” MAY NOT share information about employees that they have received in their capacity as a covered entity without the individual’s authorization or unless an exception applies.
- For more information about the obligations of covered entities and applicable exceptions, visit the HIPAA: Information for Covered Entities section above.
- For example, employers that are health care providers or that have self-funded health plans must protect an employee’s PHI that they obtain for purposes of rendering medical treatment or administering the health plan.
- Employers that are “covered entities” MAY share information about employees that they have received in their capacity as an employer, as that information is not protected by HIPAA.
- For example, if an employee provides test results to an employer to satisfy conditions for employment, that information will be part of the employee’s employment record, which is not protected by HIPAA.
How can employers gain access to an employee’s health information?
- Employer attempts to gain access to an employee’s PHI from a source other than the employee (e.g., the patient’s provider) will likely be met with that covered entity’s insistence on HIPAA compliance.
- Employers can ask for information from the employee.
- Employers can ask the employee for a signed HIPAA-compliant authorization that would allow covered entities to share the employee’s PHI with the employer.
- Covered entities may be persuaded to rely on an exception allowing them to share information with the employer without the patient’s authorization. See HIPAA Exceptions in the HIPAA: Information for Covered Entities section above.