HIPAA Myths and COVID-19
During the COVID-19 pandemic, rumors about HIPAA abound. If you’re confused about the rules around telemedicine, mask policies, employee temperature checks, and whom you can notify about positive cases, we offer some clarity.
COVID-19 has truly thrust HIPAA into the limelight. But with this attention comes misinformation. Everyone appears to be confused about what is happening and even whether HIPAA remains in effect. We are here to set the facts straight and clear up all the rumors.
Rumor 1: The federal government suspended HIPAA.
Many have heard that the federal government has suspended HIPAA, leading to the assumption that HIPAA is no longer good law. But this is not true.
The Office for Civil Rights announced “enforcement discretion” for certain parts of the HIPAA Privacy Rule. This is similar to some states (like Illinois) permitting expired drivers’ licenses to remain valid for three months beyond the expiration date due to the COVID Pandemic.
For HIPAA, the enforcement discretion allows third parties who work with providers and hospitals to share information with the CDC, HHS, and public health authorities without violating HIPAA.
Rumor 2: Providers who use telehealth are not subject to HIPAA.
From the beginning of the pandemic, telehealth has increased in availability and use. The enforcement discretion does apply to telehealth services and how they are rendered. Most notably, it allows a provider to use non-HIPAA compliant programs to render healthcare services over telehealth.
However, this is not an absolute policy. A provider using their professional judgment can choose to use a platform that would ordinarily violate HIPAA, such as FaceTime. However, some are still not appropriate, such as Facebook Live, TikTok, and Twitch. These apps are considered to be public-facing. They are not considered private and would not fall under the COVID-19 exception.
Rumor 3: The state can override HIPAA.
State governments can override HIPAA, but only in limited circumstances. If the state has more stringent requirements than HIPAA, then state law must be followed. For example, if Illinois passes a law saying that telehealth cannot be rendered via FaceTime, that overrides HIPAA’s exception.
Rumor 4: Medical offices or hospitals that provide COVID-19 test statistics and other information to municipalities and governments violate HIPAA.
HIPAA allows such information to be disclosed as long as the information is de-identified. Even before the pandemic, Providers and hospitals were authorized by HIPAA to share health information with public health and oversight agencies. HIPAA’s Privacy Rule ensures that public health authorities receiving such information have a legitimate need to carry out their public health mission.
Rumor 5: It is a HIPAA violation for a business to ask why the customer cannot wear a mask.
Many businesses are now requiring customers who enter their store to wear a mask. Such a mask policy would not be considered a violation of HIPAA, as HIPAA does not apply to most businesses.
The HIPAA Privacy Rule, which sets forth the requirements for keeping protected health information (PHI) private, applies to three types of organizations, considered “covered entities”:
- healthcare providers,
- healthcare clearinghouses, and
- health plans
In addition, some other are expected to comply with HIPAA. These are businesses that assist covered entities with their healthcare activities, and they are called “business associates.” But, if the business is not involved with a covered entity’s healthcare activities, it does not need to comply with HIPAA.
Therefore, if a business, such as Walmart, is neither a covered entity nor a business associate, it is not required to comply with HIPAA’s Privacy Rule.
Rumor 6: Employers cannot take your temperature at work because it would violate HIPAA.
Some employers are implementing screening processes for COVID symptoms, including temperature checks. Of course, any employee screening process would have to be operated in a fair, non-discriminatory way. This does not violate HIPAA unless your employer happens to be a covered entity.
Further, separately from a HIPAA stance, the Equal Employment Opportunity Commission has said that employers may measure employees’ body temperature. As with all medical information, an employee’s fever or other symptoms would be subject to ADA confidentiality requirements. Employers can use temperature checks, so long as it is consistent with following the CDC, state, and local health agencies’ guidelines. The workplace is still subject to the ADA confidentiality requirement.
An employer telling people that an employee has tested positive for COVID is a bit thornier. While this may violate employment laws, this is not a violation of HIPAA.
On the other hand, depending on how your company’s health plan is structured, your employer may be a covered entity or business associate. If so, there may be a potential HIPAA issue.
Rumor 7: Contact tracing violates HIPAA.
Public health officials want to know where COVID-19 came from to figure out how to stop the spread, otherwise known as contact tracing. Many believe that finding out where the spread originated from violates HIPAA.
But with COVID-19, the Office for Civil Rights allows providers to share certain information for “public health and health oversight activities” with certain entities. These entities include the Center for Disease Control, the Centers for Medicare and Medicaid Services, state and local health departments, and certain state emergency operations centers.
In summary, COVID-19 has caused many changes and created much confusion for entities that have to deal with HIPAA. It can be overwhelming to deal with different statutes and constant updates.
First and foremost, remember that inaccurate information often spreads online, especially through social media. While we celebrate the public’s heightened awareness that patient privacy is protected by law, we’ve also observed that the public’s understanding about the specifics of HIPAA remains low. Fortunately, many reliable sources of information, including government and educational sites (.gov and .edu), as well as healthcare law firm blogs like ours, seek to set the record straight.
If you’re a healthcare provider and you have questions about HIPAA compliance, which many do—especially now during the pandemic—please reach out to an experienced attorney at Jackson LLP Healthcare Lawyers.
The COVID-19 pandemic is a dynamic and evolving public health emergency. The laws and situation are fluid, and this article may not reflect the most current situation.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.