HIPAA and COVID-19 Responses

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

Responses to and really reopening plans as part of the effort to address COVID-19 have raised a number of privacy concerns. When privacy and healthcare come up together, the discussion inevitably turns to HIPAA. Unfortunately, the discussions around HIPAA, as is so often the case, result in a number of misconceptions or misstatements as to the actual impact of HIPAA. In repeating the pattern of past issues around misconceptions, HIPAA is being identified as a barrier to certain actions or an excuse to not share information. On the whole, the privacy concerns focus on what data can be shared in what contexts as well as the actions that can be taken. The issues are occurring in a variety of settings as well from retail stores to offices to professional sports to mobile applications.

As already hinted, many of the limitations being identified as to the sharing of information about COVID-19 exposure or positive tests do not appropriately lean on HIPAA as the basis for not disclosing.

Retail Settings
Privacy and COVID-19 are running into conflict when it comes to what stores, restaurants, or other locations are requiring of patrons. A number of places want patrons to wear masks when on the premises. As an initial point, the stores and other locations are calling for masks by all patrons as a means of mitigating risk to both employees and patrons. The requirements seem to track public health advice or requirements from state or local governments.

Despite these requirements, some patrons asserted that being forced to wear a mask essentially forced a disclosure of the patron’s health condition, which in turn was claimed to be a HIPAA violation. Assertions in this regard contained a number of analytical errors. First, the requirement to wear a mask does not reveal anything about a patron or other individual’s health condition. In fact, much of the push to wear masks is to help keep germs from spreading generally since it is very difficult to know if a person is actually infected with COVID-19. From that perspective, wearing a mask does nothing to reveal an actual health condition or imply the existence of a health condition.

The second problem with the assertion is that HIPAA does not apply to retail locations in interactions with patrons. As a quick reminder, HIPAA applies to covered entities (health plans, health care providers, and health care clearinghouses), business associate (entities or individuals performing a service for or on behalf of a covered entity), and subcontractors of business associates. The list of entities subject to HIPAA demonstrates what is really a relatively limited scope for HIPAA. It does not actually apply to all health information. In light of that admittedly brief description of who must comply with HIPAA, it should be self evident that retail stores should almost never fit into any of the categories when interacting with patrons. Instead, the interaction is a commercial one for services with no relation to healthcare. On that premise, HIPAA does not apply and should not be the reason asserted for not wearing a mask.

The shift back to office life from the early extreme days of work from home offers another area of potential privacy concern. In trying to follow state mandated reopening guidelines, some offices may request employees to provide information about activities outside of work, be subject to temperature scans, log information into apps, or other similar requirements that are designed to obtain information about each employee’s health status. An employee may wonder what will happen to that data and how the data could be utilized.

Despite much of the information arguably relating to an employee’s health though, HIPAA is unlikely to apply. The information is being collected in the employment context and as part of work functions. That is to say, the data are not be collected in connection with a health plan or delivery of healthcare services. Instead, the data are desired to generate an understanding of potential risks among employees and theoretically create a safe workspace. While HIPAA does not apply in this context, some form of privacy protection could still potentially apply. The privacy protections will depend upon any expectations or rights granted by an employer along with potential variations by jurisdiction.

While HIPAA should not be expected to apply to the office setting, there is one somewhat attenuated way where it could come to bear. Specifically, some employers maintain self-funded health plans, which part of an employer’s operations are subject to HIPAA. The self-funded health plan is a health plan for purposes of the HIPAA definition of a covered entity. The prospect of HIPAA applying should not be viewed as a way of pushing privacy though. If it were to apply, the data would need to be collected as part of the operation of the plan. It should not be expected that plan operations would be implicated by COVID-19 back to work requirements. The circumstances of when HIPAA could potentially apply just introduce unnecessary complication and confusion though and should not be seen as likely to arise.

Professional Sports
The return of professional (and likely college) sports with COVID-19 still rampant raises a lot of questions around protection of players, staff, and fans (if attendance becomes allowed). In more normal times, many track the injury or other health status of players. While the regular reports do not seem to generate much concern, positive tests for COVID-19 are driving more statements around privacy and what information can or should be shared. In the instance of athletes, whether HIPAA applies is a bit more nuanced, but also ultimately likely not all that determinative.

Whether HIPAA applies to an injury report or COVID-19 test for an athlete depends on who does the treatment. If the clinician is employed by the team, then HIPAA likely does not apply. Even though the clinician is a health care provider, to be a covered entity the health care provider also needs to engage in an electronic transaction (this really means submitting a billing claim electronically). For a clinician employed by a team, all of the care is probably provided without any charge to insurance, which means the clinician operates outside of HIPAA. However, if the athlete goes to their personal physician or other clinician, then that physician or other clinician is very likely bound by HIPAA and information should not be shared.

That does not end the analysis though. In many, if not all, instances, an athlete must sign an authorization for release of medical information to their team. In this case, the team is the employer and receiving the health information in an employment context since the medical information bears on the athlete’s ability to perform. Given the authorization and the context of how it is received, the information once transferred to the team comes out from under the protection of HIPAA. Further, the athlete has also probably signed a waiver to enable the team to make injury reports.

In light of the various waivers, the initial stance from Major League Baseball of not identifying which players test positive for COVID-19 is interesting. The tests are reportedly being administered by MLB and not through private physicians. Those elements would argue toward HIPAA not applying. However, the players association suggested that it fought to have COVID-19 results kept confidential for privacy reasons. While there is a privacy interest in not having the information posted, HIPAA is not that reason and any player absence without a stated injury reason will create the clear implication of a positive test since non-COVID-19 issues will still be reported.

Contact Tracing
Collecting information is the inherent premise of contact tracing as determining who has COVID-19 and who did or could have encountered that person is necessary to contain spread. In the past contact tracing would have been done solely or predominantly through manual contacts. The rise of technology and mobile applications resulted in apps being pushed to the fore as a way of running the contact tracing. As with any app though, there are a lot of questions as to the scope of information being collected and where that information will go.

Before what will be a very cursory consideration of privacy concerns, the main question is whether HIPAA applies to contact tracing. In many instances contact tracing efforts are being conducted by state departments of public health or other state agencies. The focus of the contact tracing then is public health. In performing public health functions, the agencies are not likely to be subject to HIPAA. A public health agency may be subject to HIPAA while administering a Medicaid program, but general public health activities are not usually a covered entity function. Since contact tracing likely falls into general public health functions, it is not anticipated that HIPAA applies.

Despite the absence of HIPAA protections, there is not a vacuum of privacy protections. Instead, privacy laws governing state agency operations are often in place on the state level. Many states also have other privacy laws that could potentially apply and offer protections. A lot of it can be opaque though, which makes use of the contact tracing apps difficult.

On top of potential privacy laws covering the agencies, another question is what happens when data flows through the company running the app. Data in the hands of a technology company raises the biggest questions. To understand the privacy implications it will be necessary to review the terms of use and privacy policy of that company. It is possible (if not likely) that the company is not fully bound by the requirements applicable to a state agency. While some of the biggest technology companies promised to respect privacy along with pushing severe privacy restrictions down to agencies or others using the apps, that position can always change. Time will tell, but slow adoption is demonstrating the real concerns of individuals.

Privacy or Public Health
The concerns raised by the different scenarios demonstrate the privacy is not being disregarded even during the pandemic or being ignored in plans for coming out of the pandemic. The issues must be balanced though since neither will go away. Finding that delicate balance will be challenging and should consider all perspectives.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.