Coronavirus Raises Privacy Concerns for Healthcare Providers and their Workers
The outbreak of a new coronavirus that is believed to have began in central Chinese city of Wuhan and now appears to be spreading to the United States is driving concerns for organizations around preparedness regarding their operations, their customers, and their employees. Both the Center for Disease Control and Prevention (CDC) and the State Department have issued travel advisories, and the CDC asks everyone who traveled to Wuhan in the last 14 days and experiences symptoms to seek medical care immediately.
Many organizations are seeking guidance on how best to respond to these concerns, especially those in certain industries. Business that rely on international travel, such as in the commercial airline and border protection industries must be particularly aware. Organizations must consider a range of issues – travel restrictions, how to identify persons likely to have been exposed to the virus and how to limit that exposure, communication plans in the event an exposure is identified, as well as a range of employment law issues, including under the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, the National Labor Relations Act, and other federal and state laws.
Naturally, however, the spread of infectious disease also raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protect themselves and their families. In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. Covered entities and business associates therefore need to take this increased risk seriously and remind members of their workforce members that they may not access or disclose patient records for an impermissible purpose. Healthcare workers also should be reminded that impermissible snooping also can lead to termination, fines, and in some cases criminal prosecution.
In November 2014, during the Ebola outbreak, the Office for Civil Rights issued a bulletin addressing HIPAA privacy in emergency situations. This bulletin provides a good resource and reminder for health care providers when working in this environment. For some covered entities that may not yet maintain as robust a program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to document these efforts, as it is required under HIPAA and will help them to substantiate their compliance efforts.
Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.
No one knows where the next victim of the coronavirus will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.