HIPAA Privacy Rights: Triggers and Exceptions Amidst COVID-19 and Return To Work

May 1st marked the reopening of many regions across the United States.  While many states stressed that social distancing and proper health safeguards should still be observed, many businesses reopened in the United States, signaling a moderate return to normal in the United States, and potentially triggering HIPAA privacy rights. 

Understanding HIPAA Privacy Rights

As employees return to their workplaces, many employers may be unaware that their roles as health insurance providers may raise new questions regarding medical record privacy in the face of the coronavirus pandemic.  For instance, as it was common practice for many businesses to test and record symptoms of their employees for the sake of flattening the curve, this triggered a host of new policies that employers had to follow regarding safeguarding the privacy of employee medical health records. This was addressed in a previous blog post “Coronavirus and Employee Privacy – What Employers Should be Aware Of.”

And on top of these new practices, employers must also be well versed in the rules under the Health Insurance Portability and Accountability Act, better known as HIPAA, as the coronavirus is still very much prevalent.  Put very broadly, HIPAA privacy rights protect the security and privacy of health records in connection with health care providers and health care plans.  As employers are often responsible for providing the crux of health care plans to American citizens, it is important to understand when HIPAA is triggered. 

In the past, the mere providing of health care to employees did not trigger HIPAA privacy rights in itself.  As such, employment records, accommodation requests, certain certifications, and workers’ compensation were not governed under HIPAA.  With COVID-19 looming over the United States, however, employers must understand that if they act on behalf of the health care plan they provide, this may trigger HIPAA rules, which in turn, would limit when employers may disclose certain information about an employee’s medical history or health conditions.  

Exceptions to HIPAA Privacy Rights Due to COVID-19 Pandemic

While HIPAA would normally prohibit the disclosure of medical information of employees, an employer may be allowed to disclose medical information about an employee if: it was required for the employee to receive immediate treatment, it was required by law, notification was required to be given to relevant authorities, and when there is a risk of infection to first-responders arriving on the scene.   

In order to facilitate experts in finding a cure to COVID-19, the Office of Civil Rights at the U.S. Department of Health has also stated that they will waive penalties for HIPAA privacy rights violations made in good-faith, if these violations occur when health care providers are communicating with patients remotely, but, as such, it is important to note that the waivers will only apply to health care providers in that case. 

Key Takeaways on HIPAA Privacy Rights Violation During the COVID-19 Pandemic

As employees return to work, it is important for employers and employees alike to know that HIPAA privacy rights may be triggered during the current coronavirus pandemic because employers may now need to provide relevant health information about their employees if: 

• required by law; 

• to allow first-responders to render first aid; 

• to notify first-responders of the risk of exposure to the virus; and 

• in order to assist the United States in slowing the spread of the virus by providing notice of infected workers in their employ.

For more insights on data privacy, see our Technology & Data Overview and Health Technology Industry Legal Solutions pages.

You may also be interested in: