A Blog About FTC regulations and happenings
Allowances Made for COVID-19 Don’t Mean Telehealth Providers and Employers Can Share Protected Information Without Consequences
COVID-19 has become a pervasive concern for everyone. Older Americans are particularly susceptible to contracting COVID-19. On March 17th, the Trump Administration and the Department of Health and Human Services (HHS) announced the expansion of Medicare beneficiaries’ access to telehealth services during the COVID-19 outbreak. Importantly, the HHS Office for Civil Rights (OCR) announced it will waive potential HIPAA penalties for good faith use of telehealth during the emergency, and the HHS Office of Inspector General (OIG) provided flexibility for healthcare providers to reduce or waive beneficiary cost-sharing for telehealth visits paid by federal healthcare programs. Expanding access to services through telehealth is particularly necessary when seniors are being told to stay home. However, providers need to balance expanded access with the protection of these beneficiaries’ information.
The Telehealth Waiver Isn’t a Free Pass with Regard to HIPAA Violations
Violations of HIPAA for breaching a patient’s protected health information are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. Fines will increase with the number of patients and the amount of neglect. In a typical telehealth scenario, a medical provider interacting with patients is subject to the full gamut of HIPAA’s privacy and security protections. Telehealth providers using synchronous or asynchronous communication methods with patients through telehealth platforms should continue to use best practices in terms of protecting the privacy and security of patients’ protected health information (“PHI”). Bear in mind that the statute of limitations for a HIPAA violation is six (6) years and this waiver only applies to violations of HIPAA for telehealth services provided during the COVID-19 emergency.
Telehealth providers and platforms should stay the course in protecting patients’ PHI, including allowing only authorized users to access electronic PHI (“ePHI”), implementing a system of secure communication to protect the integrity of ePHI, and implementing a system to monitor communications containing ePHI to prevent accidental or malicious breaches. Telehealth providers and platforms providing services to patients who are not covered under this emergency waiver must continue to implement security and privacy protocols to protect ePHI and address potential breaches.
Employers Should Take Note of These Guidelines
Also of note is how the COVID-19 pandemic affects employers’ obligations under HIPAA, the Americans with Disabilities Act (“ADA”) and the Rehabilitation Act. Employers are not considered HIPAA covered entities or business associates unless they are acting in a limited capacity as a sponsor of a covered health plan. However, employers need to be careful when addressing questions that come up about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. The Equal Employment Opportunity Commission (“EEOC”) provides some helpful examples to consider, such as the following:
- How much information may an employer request from an employee who calls in sick, in order to protect the rest of its workforce during the COVID-19 pandemic?
During a pandemic, ADA-covered employers may ask such employees if they are experiencing symptoms of the pandemic virus. For COVID-19, these include symptoms such as fever, chills, cough, shortness of breath, or sore throat. Employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.
- When may an ADA-covered employer take the body temperature of employees during the COVID-19 pandemic?
Generally, measuring an employee’s body temperature is a medical examination. Because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions, employers may measure employees’ body temperature. However, employers should be aware that some people with COVID-19 do not have a fever.
- Does the ADA allow employers to require employees to stay home if they have symptoms of COVID-19?
Yes. The CDC states that employees who become ill with symptoms of COVID-19 should leave the workplace. The ADA does not interfere with employers following this advice.
- When employees return to work, does the ADA allow employers to require doctors’ notes certifying their fitness for duty?
Yes. Such inquiries are permitted under the ADA either because they would not be disability-related or, if the pandemic influenza were truly severe, they would be justified under the ADA standards for disability-related inquiries of employees. As a practical matter, however, doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.
More information on the expansion of benefits can be found in the Centers for Medicare & Medicaid Services’ press release at https://www.cms.gov/newsroom/press-releases/president-trump-expands-telehealth-benefits-medicare-beneficiaries-during-covid-19-outbreak.
More information from the EEOC regarding employers’ responsibilities under the ADA can be found at https://www.eeoc.gov/eeoc/newsroom/wysk/wysk_ada_rehabilitaion_act_coronavirus.cfm.
Employers should navigate these issues carefully and consult with counsel to determine the most appropriate steps for addressing COVID-19 issues, as workplace situations will continue to evolve during the pandemic.