While most COVID-19 test results won’t draw the widespread coverage and public interest that Elliott’s diagnosis did, businesses generally, and health care providers, health plans and health care clearinghouses specifically, need to recognize that coverage of the Elliott outrage will heighten awareness of, and therefore their need to properly handle and protect, COVID-19 or other infectious disease testing, diagnosis, treatment and other medical and disability information collected or encountered in the course of their operations, both through the current COVID-19 health care emergency and otherwise in their own organizations.
ADA Responsibilities of Employers In Handling Medical Information
Protecting COVID-19 testing and other medical information isn’t just a concern for covered entities and their business associates, however. Businesses that are not covered entities also generally should use care in their collection, use, protection and disclosure of COVID-19 testing and other medical information to mitigate their potential liability under the disability discrimination requirements of the ADA, the Rehabilitation Act and other laws. For instance, along with prohibiting employers covered by the ADA from discriminating against qualified individuals with disabilities and requiring those employers to provide reasonable accommodations to such employees, the ADA also regulates the ability of covered employers to perform or require medical testing and imposes specific medical confidentiality requirements on all covered employers. See e.g., What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.
The ADA’s medical confidentiality requirements dictate that covered employers maintain medical information and records about employees and applicants in separate, confidential files. Covered employers are responsible for maintaining the confidentiality of medical information and records and cannot disclose it without authorization from the subject employee except under the specific conditions allowed by the ADA.
EEOC guidance provided in its publication entitled Pandemic Preparedness in the Workplace and the Americans With Disabilities Act as updated as of March 19, 2020 emphasizes that covered employers remain accountable for complying with the requirements of the ADA and Rehabilitation Act during the current COVID-19 health care emergency and other pandemics.
While the EEOC Technical Assistance Questions and Answers in its publication What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws as updated on June 11, 2020 recognize that temperature checks and certain other COVID-19 inquiries to screen for COVID-19 exposure or infection might be permitted under the safety exception to the ADA during the current COVID-19 health care emergency, that and other EEOC guidance makes clear that covered employers remain responsible for ensuring that the ADA medical confidentiality requirements are met with regard to testing and related medical information. As a result, all ADA-covered employers generally and health care employers specifically are urged to use care both in the administration and collection of information regarding COVID-19 testing and diagnosis, and the protection of the confidentiality of COVID-19 and other medical information and records collected in the course of administering employment, safety, medical leave or other absence or other operations throughout the COVID-19 health care emergency.
Added HIPAA & Texas HIPAA Concerns For Health Plans & Other HIPAA Covered Entities
Assuming that the disclosure of Elliott’s information is traced to a testing provider, laboratory or other health care provider, health plan or insurer, or health care clearinghouse subject to HIPAA (“covered entity”), a service provider acting as a business associate to a covered entity, or a member of their workforce, Elliott’s complaint about a possible HIPAA violation from the unauthorized release of his test results, the fact that he underwent the testing, or other medical information could be well-founded, as HIPAA and the somewhat broader provisions of the Texas Medical Privacy Act (“Tex-HIPAA”) (hereafter collectively the “HIPAA Laws”) both generally prohibit unauthorized disclosure of protected medical information such as his COVID-19 test or test results to the media.
The COVID-19 test results and other “individually identifiable personal health information” about Elliott and his encounter created, used, accessed or disclosed by the testing facility or other health care provider, a health plan, health care clearinghouse (“covered entity”) or a member of its workforce or a subcontractor acting as a business associate qualify as “protected health information” subject to the privacy, security, breach and privacy rights protections of HIPAA and Tex-HIPAA.
The HIPAA and Tex-HIPAA prohibition against unauthorized disclosure of protected health information to the media stems from the HIPAA Laws’ broader requirement that covered entities and business associates affirmatively safeguard protected health information against unauthorized use, access or disclosure, and from their sweeping prohibition against disclosing or allowing the disclosure of protected health information without a HIPAA-compliant authorization except under the narrow and specifically delineated exceptions identified in the rule, none of which appear relevant to the media disclosure objected to by Elliott from the currently available public information.
Both HIPAA Laws expressly prohibit unauthorized disclosure of protected health information by covered entities or their business associates except under the specifically detailed conditions specified in one or more exceptions to this general rule. Assuming all relevant conditions to qualify for the exception are met, HIPAA does allow covered entities and business associates to disclose protected health information for treatment, payment, operations, public health activities or another situation meeting all applicable requirements of an express exception to the HIPAA prohibition against disclosure.
The regulatory guidance and enforcement history of the federal agency primarily responsible for the implementation and enforcement of HIPAA, the Department of Health & Human Services Office of Civil Rights (“OCR”), clearly communicate OCR’s view that covered entities or business associates violate HIPAA by disclosing protected health information to the media or other third parties without first obtaining a HIPAA-compliant authorization from the subject of the information except under the specific circumstances described in an applicable Privacy Rule exception.
In its May 5, 2020 Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities (“5/5 Guidance”), for instance, OCR specifically reminded HIPAA covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to protected health information, including access to facilities where patients’ protected health information will be accessible, without the patients’ prior authorization. OCR has made clear that testing facilities and other health care providers generally remain accountable for complying with the HIPAA Privacy Rule that prohibits unauthorized use, access or disclosure of test results and other protected health information except as specifically allowed in the applicable HIPAA Law.
The 5/5 Guidance specifically states, “The COVID-19 public health emergency does not alter the HIPAA Privacy Rule’s existing restrictions on disclosures of protected health information (PHI) to the media.” Additionally, it confirmed that even during the current COVID-19 public health emergency, covered health care providers remain required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI. In this regard, the 5/5 Guidance states, “As explained in prior guidance, HIPAA does not permit covered health care providers to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media.” Additionally, covered health care providers may not require a patient to sign a HIPAA authorization as a condition of receiving treatment. The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access. Additionally, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to facilities.
OCR’s positions on disclosures to the media in the 5/5 Guidance reaffirm OCR’s longstanding interpretation and enforcement of HIPAA as prohibiting disclosures of PHI and media access to areas where patients or their protected health information might be visible or accessible.
In June, 2013, for instance, OCR sent a clear message to covered entities and business associates not to make unconsented disclosures of protected health information to or allow media access to areas where patients or their protected health information could be accessed or observed when it required Shasta Regional Medical Center (SRMC) to pay $275,000 to resolve OCR HIPAA charges stemming from SRMC’s unauthorized disclosure of protected health information to multiple media outlets as part of a public relations effort to mitigate damage from fraud and misconduct allegations made against it by the patient. See HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce.
OCR subsequently reinforced its warning to covered entities and business associates about unauthorized disclosures of protected health information in a 2016 Frequently Asked Question (Media FAQ) that discussed covered entities’ HIPAA responsibilities when dealing with the media. The Media FAQ was issued in conjunction with OCR’s collection of its $2.2 million settlement with New York-Presbyterian Hospital and a series of other settlements totaling $999,000 from three other health care providers accused of violating HIPAA by allowing media personnel into treatment or other areas where patients or patient protected health information was accessible without first obtaining a HIPAA-compliant written authorization from each patient or other subject present or whose protected health information otherwise would be accessible to the media. See $999K Price Hospitals Pay To Settle HIPAA Privacy Charges From Allowing ABC To Film Patients Without Authorization.
In the Media FAQ, OCR stated HIPAA required covered entities to obtain prior written authorization before disclosing protected health information to the media or allowing media to film or access exam rooms or other areas where patients or protected health information could be observed or accessed. The Media FAQ also stated that masking or blurring the identity of the patient or their specific information was not an adequate substitute for written authorization and that covered entities also were responsible for ensuring that reasonable safeguards were in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI in areas where media is allowed access where prior authorization has not been obtained. While stressing the importance of compliance with these requirements, however, the Media FAQ clarified that the HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, like public waiting areas or areas where the public enters or exits the facility. In addition, the Media FAQ highlighted certain other limited circumstances where HIPAA might allow a health care provider or other Covered Entity to make a limited disclosure of protected health information to the media in accordance with specific provisions of the Privacy Rule: to disclose information about an incapacitated patient when in the patient’s best interest; or to disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to the media or any other person where the individual has not objected to his information being included in the facility directory and the media representative or other person asks for the individual by name.
In the intervening years, OCR periodically has issued additional reminders to covered entities about HIPAA’s general prohibition against unconsented disclosures to the media as well as sanctioned harshly various covered entities for violating these prohibitions. In 2017, OCR required the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS), to pay OCR $2.4 million to settle charges it violated HIPAA by issuing a press release to the media that shared the name and other protected health information about a patient suspected of using a fraudulent insurance card to obtain care at a clinic without the patient’s prior HIPAA-compliant authorization. While OCR concluded a report MHHS made to law enforcement about the patient was allowable under the Privacy Rule, OCR found MHHS violated the Privacy Rule by issuing the press release disclosing the patient’s name and other PHI without authorization from the patient and also by failing to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information. See $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI.
While OCR has announced certain temporary enforcement relief from a narrow set of HIPAA requirements during the COVID-19 health care emergency as applied to certain qualifying testing facilities, telemedicine providers and other specific health care providers engaging in certain types of health care during the COVID-19 health care emergency, OCR consistently has made clear that its COVID-19 HIPAA relief is very limited in scope, applicability and duration and in no way waives the prohibition against unauthorized disclosure to the media or other third parties not generally permitted under HIPAA. See e.g., 5/5 Guidance; OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities; OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency; OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency; OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency; OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19; OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion; OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. To the contrary, OCR’s announcement of the 5/5 Guidance quotes OCR Director Roger Severino as stating, “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”
Minimize Exposures By Preventing Unauthorized Media & Other Disclosures
Even without Mr. Elliott’s outrage heightening awareness about HIPAA’s prohibitions against unauthorized disclosures of protected health information to the media, the recent warning about HIPAA’s restrictions on media disclosure and access to protected health information and patient treatment areas in OCR’s 5/5 Guidance alone should serve as a strong incentive for covered entities and business associates promptly to reverify the adequacy of their current policies, practices and training to prevent inappropriate media disclosures of protected health information and otherwise defend their compliance with OCR’s interpretation of HIPAA’s requirements for dealing with the media. Predictable heightened patient and public awareness and expectations about these and other HIPAA responsibilities, fueled by the widespread media coverage of Mr. Elliott’s COVID-19 test results and his outrage about the unauthorized disclosure of his test results, make it more important than ever that health care providers and other covered entities and business associates take steps to prepare to respond to foreseeable complaints and questions by other patients, their families and others.
As part of these efforts, most covered entities and business associates may want to consider, at minimum, reconfirming the adequacy and understanding of their current media and other disclosure policies and practices, as well as sending strategic communications to their business associates and members of their workforce reminding them of the covered entity’s policies regarding media access and disclosures.
As part of these activities, covered entities should consider conducting a well-documented assessment of their current policies, practices and workforce training on disclosure of information to the media and other parties generally, as well as policies on allowing media or other parties to enter, film, photograph or record within their facilities or otherwise disclosing or allowing media access to their facilities. Along with these efforts, most covered entities also may want to consider reminding workforce members that their patient privacy responsibilities also require that they not share or discuss patient protected health information, or film, photograph or otherwise record patients or areas where patients or patient protected health information is or might be present, without prior written consent of the patient and the consent of their organization.
Since covered entities and members of their workforce also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the HIPAA Laws, such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law or statutory privacy, theft of likeness or other statutory or common law tort claims and exposures, covered entities and business associates generally should consider whether other steps are advisable to manage these exposures along with managing their HIPAA Law compliance.
Given the high incidence of COVID-19 exposure and infection within their workplace, covered entities, business associates and other employers should use care to fulfill their HIPAA Law and relevant employment law confidentiality responsibilities when dealing with testing or other medical information about employees. In this respect, along with any HIPAA Law obligations that a covered entity or business associate has in handling medical information about a patient who also is an employee or family member of an employee, covered entities also should use care to ensure that medical confidentiality requirements of the Americans With Disabilities Act (“ADA”) and other applicable employment laws are met.
Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, Covered Entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.
Finally, covered entities should keep in mind that HIPAA and other medical privacy compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, covered entities and business associates also should use care both to monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of legal and operational management work, coaching, public policy and regulatory affairs leadership and advocacy, training and public speaking and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally on an on-demand, special project and ongoing basis with health industry, health plan and insurance and other business, government and community organizations and their leaders, spoken and published extensively on HIPAA and other privacy and data security concerns, as well as other health care and health benefits; human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other management concerns.
Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, and the ABA RPTE Employee Benefits & Other Compensation Group and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive experience advising, representing, defending and training health care providers, health plans and insurers, employers, community organizations and others about HIPAA and other privacy concerns and has published and spoken extensively on these concerns.
Her involvement with HIPAA and other privacy and data concerns has taken place as part of her more than 30 years involvement working with public and private health industry, health insurance and other employers and organizations of all sizes, employee benefit plans, insurance and financial services, health industry and a broad range of public and private domestic and international business, community and government organizations and leaders on pandemic and other health and safety, workforce and performance preparedness, risks and change management, disaster preparedness and response and other operational and tactical concerns throughout her adult life. A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on crisis preparedness and response, privacy and data security, workforce, health care and other policy and enforcement, as well as regularly advises and defends organizations about the design, administration and defense of their organizations’ workforce, employee benefit and compensation, safety, discipline and other management practices and actions.
Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and shares insights and thought leadership through her extensive publications and public speaking. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.