The COVID-19 pandemic has presented many novel challenges and questions for employers, from administration of Families First Coronavirus Response Act (“FFCRA”) leave to managing performance of remote workers. For healthcare providers, these challenges and questions have been only one of many burdens of operating during a pandemic. As vaccines become more widely available, the pandemic raises new challenges, some unique to employers in the healthcare industry. This article focuses on issues surrounding employee privacy that are specific to healthcare employers that provide COVID-19 related medical services to their employees.
Specific Issues for Healthcare Employers
Privacy issues around employee vaccination and testing records can become much more complicated for healthcare employers. The thorniest issue here is HIPAA compliance. Typically, employee medical information is exempted from the definition of Protected Health Information (“PHI”). As an example, a provider’s note regarding a need for accommodation, or the reason for protected leave, does not become PHI simply because the employer receiving it is a healthcare provider. But COVID-19 has blurred some lines between employee and patient. Some healthcare employers have provided post-exposure testing, routine testing, or vaccinations to employees. Although this care is crucial to keeping the healthcare system working during a pandemic, it presents complex questions about the PHI created from such care.
When a covered entity provides care to one of its employees in the capacity of a healthcare provider, the employee-patient is no different than any other patient for HIPAA purposes. For example, if an employee visits the emergency department of a hospital at which they work, the covered entity’s HR department and the employee-patient’s manager have no more access to the employee-patient’s PHI than the HR department or manager of a non-employee’s employer. Absent a signed release from the employee-patient or another lawful basis for disclosure under HIPAA, the covered entity cannot use the PHI in its possession to make employment decisions or for other employment-related purposes. Similarly, if an employee independently makes an appointment with a covered entity for a COVID-19 test or vaccine, the resulting PHI requires the same protections under HIPAA as any other patient’s PHI.
At the other end of the spectrum, an employee-patient’s voluntary disclosure of a test result to their covered entity-employer—even if obtained from a covered entity—does not require the full spectrum of HIPAA protections. PHI-type information (such as a test result) that an employee-patient voluntarily discloses to the covered entity’s HR department for employment purposes is outside of the regulatory definition of PHI. This PHI may be treated as any other employee health information—that is, kept in a separate, confidential medical record.
This inquiry becomes more complex when testing or vaccination is directly tied to an employment function. Determining when a sufficient connection exists is a fact-intensive question. Although Oregon healthcare employers cannot require employee vaccinations, employers can require routine testing as a condition of employment, and may provide a separate process for employees’ routine COVID-19 tests. Employers might also provide a financial incentive to employees who receive the COVID-19 vaccine. Under either scenario, the healthcare services are provided to the employee primarily in the employment context rather than as a healthcare provider. But a post-exposure test might look different under this analysis, as there is an underlying medical basis for the test regardless of the employment reasons for requiring such tests. The medical information generated by these healthcare services then might be an employment record exempt from HIPAA’s definition of PHI. However, these distinctions remain unclear. The following scenarios illustrate some examples of these fact-intensive circumstances.
Hospital employs Registered Nurse A, Billing Specialist B, and Security Guard C. Hospital requires employees who have COVID-19 symptoms to stay home from work until 72 hours after the symptoms abate. Hospital requires employees who were within close contact with a person with COVID-19 without PPE to stay home from work until 14 days after the contact.
Scenario 1: A has regular, close contact with patients who have COVID-19, while wearing PPE. As a condition of employment, Hospital requires A to have weekly COVID-19 tests, at Hospital’s expense. A receives those tests at the Hospital in the same testing facility as the general public.
Scenario 2: Same Scenario as 1, but A receives weekly tests in a different facility from the general public. Hospital routes all employee tests through a separate process from the public’s tests.
Scenario 3: B develops flu-like symptoms, and takes five days off from work to recover. B schedules a COVID-19 test at Hospital during this time off. To document their eligibility for emergency sick leave under the FFCRA, B sends a copy of their test results to Hospital’s HR department.
Scenario 4: Hospital determines that C was exposed to COVID-19 while at work, and informs C of this exposure. C desires a COVID-19 test and schedules a test at Hospital’s testing facility, which is open to the public. Hospital wishes to know C’s test results to determine whether C exposed other employees.
Scenario 5: C later obtains a COVID-19 vaccination at Hospital. Hospital offers all employees who receive a COVID-19 vaccine a cash bonus. C provides a record of his vaccination to Hospital’s HR department to receive the bonus.
In scenarios 1, 3, 4, and 5, the employees have most likely received healthcare services from Hospital in its capacity as a healthcare provider rather than as an employer. Hospital’s HR department cannot use or access the employees’ PHI without a properly executed release of information authorization (“ROI”). In scenarios 3 and 5, the employees voluntarily disclosed their health information to Hospital’s HR department. The HR department’s privacy obligations are the same with respect to this information as they would be for information from another healthcare provider.
Scenario 2 presents the most compelling case for application of the employer exemption to the definition of PHI for a COVID-19 test or vaccination. There are clear indications that the Hospital is providing the test for strictly employment reasons, and there is a clear delineation between the Hospital’s general provision of healthcare services to patients and its employment-related testing of employees. In contrast, in Scenario 1, A may view obtaining a weekly test at Hospital rather than at another facility as a matter of convenience when selecting a healthcare provider.
Scenarios 1 and 4 present a more muddled question. The employees received COVID-19 testing from the Hospital on the same terms as the public. The circumstances of the test do not clearly show a connection to the employer’s employment functions. However, there are potentially applicable bases to disclose limited PHI without the employee’s authorization. Under 45 CFR § 164.512(b)(1)(v), a covered entity may disclose PHI generated about an employee when (1) the covered entity provides healthcare to the employee at the employer’s request, (2) the purpose of the healthcare is either medical surveillance of the workplace or evaluation of a work-related injury or illness, (3) the disclosure is limited to the findings of the evaluation or surveillance, (4) the employer needs the PHI to comply with state or federal occupational-health law, and (5) the covered entity provides written notice of the disclosure at the time of care. The overarching “minimum necessary” standard would also apply to such a disclosure.
The most stringent criteria of this employment-related screening exception is the need for PHI to comply with state or federal occupational-health law. Conceivably, an employer could articulate a need to screen symptomatic employees exposed to COVID-19 to fulfill reporting requirements, such as an OSHA 300 log. However, routine testing regardless of exposure is not necessary for these reporting obligations. Some state laws regarding vaccination of healthcare workers, such as ORS 433.416, require documentation that a vaccine was offered, but not whether it was administered. Unless the covered entity has some affirmative obligation to access PHI for compliance purposes, its use or disclosure for employment purposes is impermissible without an ROI. Additionally, because even the § 164.512 exception requires written notice, the additional burden of obtaining an ROI allowing disclosure of test results is minimal.
Further complicating matters, it is also possible that paying for employee tests further implicates HIPAA. In addition to medical providers, group health plans are also covered entities. And under a broad reading of the definition of group health plan, testing may fall within the definition of a “medical benefit,” the provision of which can render an employer as a self-insured benefit plan if more than 50 employees are covered. So an employer might need to ensure HIPAA compliance if paying directly for employees’ COVID-19 testing. Even for a covered entity used to HIPAA compliance with respect to patient PHI, healthcare employers should be aware of the potential repercussions of making direct payments for COVID-19 testing.
All said, covered entities providing COVID-19 testing or vaccinations to their employees should default to treating employee PHI as they would any other PHI. There are no clear scenarios where a covered entity’s HR staff can review employee PHI without qualification. Because the exceptions are narrow and unclear, a covered entity should obtain an ROI before accessing its employees’ PHI in its own records. If the employee refuses to give that authorization, the covered entity should carefully analyze the existence of any exceptions allowing use or disclosure, and consult legal counsel where necessary.
General Considerations for Medical Privacy
Most employers are familiar with handling employee medical data confidentially under the Americans with Disabilities Act (“ADA”). Medical information related to an employee, whether requested by the employer or voluntarily disclosed by the employee, generally must be treated as a confidential medical record. This treatment requires maintaining the medical record separately from a general employment file and limiting access to individuals allowed by law to access the information. Although not all medical information falls within the scope of the ADA privacy protections, erring on the side of privacy is a best practice.
The ADA’s medical-information provisions have been part of an employer’s COVID-19 considerations since the beginning of the pandemic. Information such as symptom checks and reports of underlying conditions that create an elevated risk of severe COVID-19 symptoms remains subject to the ADA’s requirements. Records of vaccinations are less clear. The EEOC has implied that the fact of vaccination itself is not medical information requiring confidential treatment, but cautions that the documentation proving vaccination occurred may contain medical information. The safest route is to maintain any vaccination records provided by an employee as a confidential medical record for ADA purposes.