Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Health newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (March 31, 2020, 1:20 PM EDT) --
 |
| Brian Johnston |
The future guidance relates to the disclosure of employee health information to necessary authorities and other interested parties during the COVID-19 pandemic, but possibly also for other similar public health emergencies should they occur again.
Specifically, Section 3225 of the CARES Act directs the secretary of the U.S. Department of Health and Human Services to issue guidance on the sharing of patients' protected health information, or PHI, during the current COVID-19 public health crisis that should specifically include information on compliance with regulations under the Health Insurance Portability and Accountability Act, including policies that come into effect during such emergencies.
While this paragraph within the CARES Act doesn't specifically relate to group health plans, nor does it give even a road map to clarify the specifics of what the guidance from HHS may contain, it is important to remember that an employer group health plan is deemed to be a covered entity for HIPAA privacy compliance (whether it is a fully insured or self-insured group health plan), just as health care providers would be.
To this point, rightly so, HHS has already issued several interim pronouncements to give health care providers some level of relief with respect to HIPAA privacy compliance obligations, including the issuance of a waiver of all penalties and sanctions for some Privacy Rule provisions in its March 2020 bulletin on COVID-19 and HIPAA.[1] The guidance doesn't relieve health care providers of the general obligation to remain compliant with HIPAA but waives penalties and sanctions for the near term as such providers focus on providing necessary care and treatment to the many who are in immediate medical need.
Correspondingly, HHS and the Office for Civil Rights also released additional guidance to lessen compliance hurdles for telehealth providers so they can be a resource to health care providers, which temporarily allows the use of telehealth and other remote communication resources that may not be fully HIPAA-compliant with privacy and security guidelines.[2]
Most recently, HHS and the OCR have also issued further relief and guidance to all covered entities about the authority under HIPAA and the importance of getting important health information to law enforcement, paramedics, first responders and other public health officials who are on the front lines trying to control and manage the spread of the coronavirus as quickly as possible.[3]
Importantly, each of these pronouncements from the regulators give immediate guidance in a very fluid situation but none has the authority of the law for the long term. Section 3225 of the CARES Act now directs the necessary authorities to issue such legal authority through regulation under HIPAA in the next 180 days.
The hope and expectation is that these regulations will not only further clarify the guidance that has already been issued, in a manner that continues to comply with HIPAA, but also helps create a more definitive road map for all HIPAA-covered entities to follow for any future public health disasters, including those experienced by employer group health plans.
In the meantime, it is important for employers to remember what HIPAA does, and does not, require with respect to the disclosure of PHI from a group health plan under current law. To that end, there remain a few key tenets that continue to exist with respect to HIPAA compliance for employer group health plans:
HIPAA allows the disclosure of PHI for public health emergencies.
Although HIPAA broadly limits the disclosure of an individual's own PHI by a HIPAA-covered entity, HIPAA does allow for specific circumstances in which such disclosures can be made without the individual's authorization or subjecting the covered entity to penalties for an unauthorized disclosure of PHI.
Each of the guidance items above provide continued reminders that all covered entities, including group health plans, can disclose PHI without the individual's authorization in certain specific situations. The most typical for a health plan are disclosures related to a participant's treatment, payment or health plan operations, but more importantly, disclosures can also be made:
- When required by law: As an example, if a group health plan became aware of a positive COVID-19 test that had not previously been known or disclosed, the health plan could be obligated to notify state or federal public health officials about the potential exposure. More typically such reports will be provided by the individual or other health care providers, but the plan could still have disclosure obligations, nonetheless.
- To public health officials who are authorized: If requested by a local, state or federal public health official, HIPAA provides that the group health plan can and generally must disclose any records or information it may have related to any claims submitted to the plan for COVID-19 testing and treatment.
An employer is not a HIPAA-covered entity.
While employers do typically sponsor group health plans, which would be subject to HIPAA, the activities and actions of an employer in the maintaining of an ongoing employer relationship with its employees is not subject to HIPAA or other HIPAA mandates.
This means then that the information, even if it includes employee health information, gathered or maintained by an employer for employment-related purposes (e.g., workers compensation, Family and Medical Leave Act, sick leave, etc.) is not generally subject to HIPAA and the employer won't be subject to HIPAA noncompliance penalties for disclosures other than as set forth above.
Note: This does not mean there are not other federal, state or local laws that restrict the disclosure of an employee's health information.
What is the practical impact?
Given the above, what does this really mean employers can and can't disclose about an employee's (or their dependent's) possible COVID-19 exposure or treatment? Most importantly, questions need to be asked around the type of information being requested, by whom and for what purposes. Once those purposes are determined:
The employer is allowed to ask for information related to the employee's ability to work and perform his or her job functions.
The employer can also inquire about potential COVID-19 exposures as long as the information being provided does not come from the employer group health plan. For example, an employer representative can't pull participant claim information from a health plan database to determine if an employee or family member has been exposed to COVID-19 or any other illness. Of course, guidelines now established under the CARES Act, the Families First Coronavirus Response Act and other applicable law must be followed as well.
The employer cannot terminate an employee's group health plan coverage if the employee or family member has been diagnosed with COVID-19.
The employer maintains its legal right to maintain or terminate employment of any employee for any other purpose, as long as allowable under other applicable law. The employee would retain rights to continue health insurance under the group health plan as applicable under state or federal health continuation laws.
The group health plan must continue to comply with HIPAA and other applicable law, regardless of the circumstances.
Fully insured plans have the majority of all compliance responsibilities taken care of by an insurance carrier, but self-insured plans must generally comply with HIPAA regardless. Written policies and procedures need to be maintained.
HIPAA privacy notices must be provided to all eligible individuals. HIPAA training needs to be updated to ensure that all current employees who work with and on behalf of the health plan are aware of the ongoing legal responsibilities involved, particularly during the current environment.
Business associate agreements need to be signed with all service providers who assist with group health plan operations so treatment, payment or health plan operations can be transmitted when necessary as well. Other federal and state privacy requirements must also be followed.
Conclusion
These are but only a few of the important considerations that continue even in the current public health crisis environment. While the regulators will undoubtedly be formalizing key procedures to use as a guide during future epidemics, the above basic tenets will likely remain regardless, and any employer plan sponsors that fail to remember these HIPAA compliance responsibilities will sooner or later be held financially responsible for any breaches that ultimately occur.
Clarification: This article has been updated to clarify that HHS' penalty and sanction waivers only apply to some Privacy Rule provisions.
Brian M. Johnston is a principal at Jackson Lewis PC.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
[2] https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html.
[3] https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
For a reprint of this article, please contact reprints@law360.com.
