January 21, 2021

Volume XI, Number 21

Advertisement

January 21, 2021

Subscribe to Latest Legal News and Analysis

January 20, 2021

Subscribe to Latest Legal News and Analysis

January 19, 2021

Subscribe to Latest Legal News and Analysis

COVID-19 Testing and HIPAA Compliance

As COVID-19 swab (PCR) and blood (antibody) testing continue to occur in greater numbers and diverse settings, it is important to recognize that the results of such tests are subject to HIPAA privacy and security compliance rules. There is a common public misconception that the declaration of a public health emergency has created a broad exception for covered entities and business associates to use and share COVID-19 testing results. This is not the case.

COVID-19 Compliance for Health Care Providers

First, it is important to recognize that the Department of Health and Human Services (HHS) has created an official website for health care providers which contains HIPAA-related information and guidance pertaining to COVID-19. Among the information available are notices issued by the HHS, such as the notice of enforcement discretion for telehealth services relating to COVID-19, which was analyzed in our previous blog post, “OCR Will Not Seek Enforcement Action for Use of Non-Compliance Telehealth Communications During the Coronavirus (COVID-19) National Public Health Emergency.”

In March, the HHS issued an extremely limited waiver of certain HIPAA requirements, which applied narrowly to hospitals that have instituted a disaster protocol, and then only for up to 72 hours after initiation of the protocol. Reports of this waiver led to a common public misconception that HHS was “relaxing” HIPAA rules. Notices and guidance from the HHS have repeatedly emphasized the need to observe HIPAA rules during the COVID-19 public health emergency.

COVID-19 Testing and HIPAA Compliance

Under HIPAA, a covered entity may disclose COVID-19 test results obviously to the individual patient, and may also use and disclose test results as necessary to treat the patient. There is also an exception that allows disclosure without authorization in cases of a serious and imminent threat to health and safety, to persons in a position to lessen the threat. Disclosure of test results to third parties, such as employers, must be done in compliance with HIPAA privacy rules. As is well known, an individual patient may authorize the release of COVID-19 test results to a third party in a written authorization that meets HIPAA requirements. Covered entities engaged in testing are well-advised to obtain such written authorization from the individual patient as a matter of course if the test results are to be disclosed to an employer. Written authorization is also advisable if the covered entity will use the test results for contact tracing purposes.

The public health activities provision of HIPAA permits covered entities to disclose COVID-19 test results to an employer without the individual’s authorization in very limited circumstances. The covered entity must provide the testing to the individual at the employer’s request, for information concerning a work-related illness or injury or workplace-related medical surveillance, and because such information is needed by the employer to comply with OSHA, the Mine Safety and Health Administration (MHSA), or similar state law requirements. In the context of COVID-19 testing, the public health activities exception may apply when the employer is a licensed health care facility, such as a skilled nursing facility, given that they may have such federal or state-mandated workplace safety reporting requirements. The covered entity must provide the employee with written notice of the disclosure to the employer in all such cases.  It is important to recognize that this exception generally would not apply to fitness-for-duty examinations.

For employers who have implemented COVID-19 testing as part of a pre-placement or fitness-for-duty examination, covered entities may not disclose results to the employer absent written authorization from the individual patient to do so.

Advertisement
©2020 Norris McLaughlin P.A., All Rights ReservedNational Law Review, Volume X, Number 206
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

F. Peter Lehr Health Care Attorney Norris McLaughlin Law Firm Pennsylvania
Member

Peter Lehr focuses his practice on health care transactional and regulatory matters, real estate, and land use law, including zoning and subdivision applications and commercial lending.

Peter has represented and counseled a variety of health care providers, including hospitals, long term care and nursing facilities, home health agencies, assisted living facilities, and more. He has assisted clients in numerous transactions and regulatory issues involving such mandates as the Health Information Technology for Economic and Clinical Health (“HITECH...

(484) 765-2283
Advertisement
Advertisement