News & Insights
Mar 22, 2020
As we continue to be bombarded daily with the relentless 24/7 news cycle regarding coronavirus disease 2019 (COVID-19), the reality is that healthcare employees are currently the most likely to be exposed to the disease in the United States.
Employees who have been potentially exposed to COVID-19 (for example, through an ill family member or recent international travel) should stay home. In a pandemic situation, sending an employee home should pass the direct threat test and be allowable under the ADA. However, sending employees home also implicates other laws, including the Family and Medical Leave Act (FMLA) and state sick leave laws, as well as employer leave policies. Generally, employers may follow their normal sick leave procedures when dealing with leave for potential COVID-19 exposure. COVID-19 may qualify as a “serious health condition” qualifying an employee for protected medical leave to care for themselves or a sick family member under the FMLA, so FMLA notice requirements should also be observed. The period of leave should be reasonable.
CMS guidance for hospitals (which is applicable to any healthcare provider) recommends that hospitals have procedures in place to address any staff that develops signs and symptoms of a respiratory infection while on-the-job. The CDC has issued specific risk assessment guidance for healthcare professionals. The CDC continues to update this guidance as the exposure rapidly advances across our country. We recommend that you frequently review the CDC website dedicated to COVID-19 for healthcare professionals for the most up-to-date information and contact your local and state health department for their specific requirements.
Supervisors should be trained to remain calm when faced with potential COVID-19 exposure in the workplace in order to avoid panic among the workforce.
HIPAA privacy restrictions only apply to “ covered entities” (healthcare providers or employer-sponsored group, health plans, or healthcare clearing houses) and business associates (vendors or persons who use or disclose PHI to provide services to a covered entity) in instances involving individually identifiable health information. Because employers are not considered covered entities, information contained in employment records does not implicate HIPAA restrictions but is subject to confidentiality provisions under the Americans with Disabilities Act and may be protected by other laws. Additionally, if you are a healthcare provider and your employee is diagnosed and treated at your facility or practice, that employee consequently becomes a patient of the facility and the information created while the employee is being monitored, diagnosed or treated becomes protected health information (PHI).
If your company or organization sponsors a self-insured health plan, the Plan is considered to be a covered entity and is subject to the HIPAA Privacy Rule. State laws also have privacy requirements for individually identifiable information and may restrict disclosure of certain employee information.
Yes, while OSHA has assured employers that “most American workers are not at significant risk of infection,” it has identified industries that may be at an elevated risk of infection, including healthcare, deathcare or mortuary services, laboratories, airline operations, border protection, solid waste and wastewater management, and those involving travel to areas where the virus is spreading, including China. Specific guidance for control and prevention for each of these potentially high-risk industries is available on the OSHA website. OSHA recommends “using a combination of standard precautions, contact precautions, airborne precautions, and eye protection” to protect healthcare workers.
On March 7, 2020, the Centers for Diseases Control and Prevent issued updated interim guidance specifically for healthcare personnel, including topics such as risk assessment, monitoring, and work restrictions. The CDC recommends that healthcare settings take a “conservative approach” to employees who may have COVID-19, including looking out for a broader array of symptoms than recommended for other employers and committing to early testing of possible cases. To help employers make these tough decisions, the CDC has set out four categories of healthcare workers (high risk, medium risk, low risk, and no identifiable risk) and three different types of monitoring (self, active, and self with delegated supervision), with recommendations for each. A table setting these out is available on the CDC website. In short, the CDC recommends that all medium and high risk healthcare personnel be excluded from work for 14 days after their last exposure and subjected to active monitoring (daily communication about symptoms), while low risk personnel should work but practice self-monitoring with delegated supervision (such as testing temperatures and assessing symptoms prior to starting work).
The CDC has also issued interim laboratory biosafety guidelines for laboratory workers with samples that may contain COVID-19. These include specific labeling guidelines, use of Personal Protective Equipment, and procedures for conducting testing and decontamination to minimize the risk of exposure to laboratory staff. Under these guidelines, certain activities involving manipulation of potentially infected specimens should only be conducted in a certified Class II Biological Safety Cabinet in a BSL-2 facility. Clinical laboratories performing routine studies and diagnostic tests should follow standard laboratory practices when handling specimens potentially infected by COVID-19.
While OSHA has not developed specific standards for COVID-19, it has emphasized that healthcare employers are responsible for following standards applicable to Bloodborne Pathogens (29 CFR 1910.1030), Personal Protective Equipment (29 CFR 1910.132), and Respiratory Protection (29 CFR 1910.134) as well as the General Duty Clause ((29 U.S.C. § 654(a)(1)). For employers who are in high-risk industries, including healthcare, OSHA recommends employers consider controls such as identifying and isolating suspected cases, environmental decontamination, and worker training, especially about the use of Personal Protective Equipment and analogous situations involving Bloodborne Pathogens.
OSHA’s General Duty Clause requires all employers to provide a safe work environment against known threats, which may now include COVID-19, so OSHA recommends that all employers stay vigilant to the evolving outbreak situation and adopt additional precautions as necessary. Violations of the General Duty Clause could result in fines of up to $70,000 for willful violations and up to $7,000 for each mistake.
Refusal to treat a patient can have serious consequences for the healthcare provider entity, the healthcare profession refusing to provide the care and, of course, the patient. For example, the Emergency Medical Treatment and Active Labor Act (EMTALA), requires healthcare providers to treat patients who need emergency healthcare treatment. Generally, only healthcare providers are liable for EMTALA violations, not the individual employees who work for the hospital. To minimize the risk of EMTALA liability, healthcare employers should implement and strictly enforce policies prohibiting their employees from refusing to treat patients who have contracted, or are suspected of having contracted, COVID-19 and who need emergency care. For licensed clinical care workers such as nurses, state licensing requirements may mandate a complaint be filed against the worker who refuses to treat, and the appropriate state licensing board may take further disciplinary action. Employers who implement policies prohibiting their employees from refusing to treat patients or enforce discipline for employees who do refuse to treat patients will have a straightforward legal defense against any claims of employment discrimination, provided that such policies are consistently enforced against all employees who refuse to treat.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a February 2020 HIPAA Bulletin with reminders regarding access, use and disclosure of PHI in an emergency. See our FAQ below regarding disclosures to public health authorities, family and friends, the media and relief organizations.
HIPAA permits covered entities to disclose PHI as requested or as needed to a public health authority, such as the CDC or state and local health departments, regarding patients exposed to, suspected, or confirmed to have COVID-19. You may rely on the public health authority’s description of the type and amount of information needed as the “minimum necessary” information required. PHI can also be disclosed to foreign government agencies working with authorized public health authorities on matters related to the COVID-19 pandemic.
A public health authority is an agency or authority of the United States, state, local or tribal government, or a person or entity operating under its authority. If you are uncertain, please seek verification from the government. More information can be found here.
Disclosure of identifiable patient information to the media, on social media, or through other channels is not permitted without a specific patient authorization. (See 45 CFR 164.508 for the requirements for a HIPAA authorization). You may disclose the fact that there was a patient who tested positive or that there was a death resulting from the virus, but may not disclose any identifiable information except with the patient’s or patient’s legal representative’s authorization.
If you are a hospital or other facility, and a patient has not objected to or requested a restriction regarding disclosure of facility directory information, then if requested by name, you may confirm that an individual is being treated at the facility and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released).
In general, unless the patient has objected or requested a restriction, you may disclose information to a patient’s family members, friends or caregivers that the patient has identified as being involved in his or her care. You may also share the information with providers or government officials as necessary to locate or notify family members, guardians, friends or caregivers of a patient’s location, general condition, or death.
If you are a hospital that has initiated its disaster protocol, you may fall under the 1135 waiver for non-compliance after March 1, 2020 and up to the end of the emergency period for disclosures to family, friends or caregivers involved in patient’s care.
In general, you may disclose information to the American Red Cross or other organizations authorized by to provide disaster relief efforts. Information is limited to the amount needed to coordinate notification of family, friends or care givers involved in the patient’s care of the patients location, general condition or death. Consent is not required if it would interfere with the organization’s ability to respond to the emergency.
If you are making a disclosure to a relief organization and are a hospital that has initiated its disaster protocol, you fall under the 1135 waiver that waives sanctions for HIPAA non-compliance after March 1, 2020 and up to the end of the emergency period.
If you feel that disclosure of information is necessary to reduce or eliminate an imminent threat to public health and safety or a potential threat to the welfare of an individual, healthcare providers may rely on professional judgement in determining whether disclosure of identifiable patient information is necessary to prevent or lessen a serious and imminent threat to the health of a specific person or the public—consistent with state laws and the healthcare professional’s ethical standards. (See 45 CFR 164.512(j)). This includes disclosures to family, friends, caregivers and law enforcement.
The Coronavirus Appropriations Act Telehealth Services During Emergency Periods Act of 2020 expands the use of telehealth for Medicare beneficiaries during the emergency declaration period. Also, CMS has expanded the use of telehealth in Medicare Advantage plans, Part D and Medicaid/CHIP. In addition, most commercial payors have expanded use of telehealth to address the need to triage and monitor patients remotely.
Neither the Coronavirus Appropriations Act or HHS have waived compliance with the Security Rule; however, OCR has waived sanctions that may occur based on violations that occur through good-faith uses of non-public facing telehealth applications. For more see FAQ.
You are still required to use HIPAA compliant telehealth technology, enter into business associate agreements with telehealth technology vendors, and comply with the minimum necessary standard for disclosures.
HIPAA requires that remote patient monitoring and communication through use of smartphones, tablets or laptops is secure. When smart phones or tablets are used for patient communication:
Most telehealth vendors and communication services provide HIPAA compliance specifications to guide configuration of services to provide the recommended security settings for HIPAA compliance. See FAQ under TELEHEALTH for additional information and recommendations.
On March 17, 2020, Sec. Azar issued a 1135 Coronavirus COVID-19 Waiver waiving sanctions and penalties with regard to certain HIPAA provisions. If you are a hospital that has initiated its disaster protocol, you may fall under the 1135 waiver for non-compliance after March 15, 2020 and for up to 72 hours from the time the hospital implements its disaster protocol. The waiver applies to the following:
The Waivers apply only to the Privacy Rule and do not waive compliance with the Security Rule, with the exception of telehealth use, or Breach Notification Rules. If a Breach arises based on an impermissible disclosure of PHI, you are still required to provide notice as required under 45 CFR 164.400, et. seq. The waiver only applies to sanctions for the specified area.
Yes. All covered entities and their business associates must still comply with the protections contained under the HIPAA Privacy Rule and Security Rules. It is important to remember in disclosing information to the CDC or other public health authorities to follow transmission security procedures, such as use of encrypted email or other secure electronic methods. HIPAA continues to require safeguarding of patient protected health information.
BILLING AND REIMBURSEMENT
Starting April 1, CMS will begin accepting new HCPCS codes for laboratory tests performed on or after February 4 on patients to diagnose COVID-19:
Local MACs will set pricing for these new codes.
In February, the CDC released interim coding guidance to support coding of encounters related to the Coronavirus COVID-19 and notes that codes for conditions unrelated to the coronavirus may be needed to fully code scenarios in accordance with the current ICD-10-CM coding classification. The CDC guidance identifies several potential illnesses that may arise based on confirmed COVID-19 infections. The list includes pneumonia, acute chronic bronchitis, lower respiratory infection, and acute respiratory distress syndrome (ARDS). Guidance is also provided to code for encounters for observation both when the exposure results in positive or negative confirmation and for treatment of symptoms when there is no definitive diagnosis, such as for cough, shortness of breath and fever.
CMS has issued Medicare and Medicare Advantage coverage and payment guidance related to billing for services related to COVID-19 diagnosis, treatment and monitoring. In addition to diagnostic testing, guidance addresses reimbursement for in-patient stay, in-patient quarantine and monitoring, ambulatory, home or other alternative site treatment and monitoring, extended supply coverage, emergency ambulance transport, items or services paid for by federal, state or local government agencies, and new anti-viral drugs and preventative vaccines.
CMS also issued Medicaid/CHIP coverage guidance.
Benefits and coverage may vary between states. Contact your state agency for more information.
Yes. You may provide the same telehealth services as currently permitted including services falling under the Medicare “Communication-based technology” services and those falling under Medicare “telehealth.” A list of the 2020 codes for telehealth services is available here.
“Communication-Based Technology Services” (CBTS) are not subject to Medicare telehealth originating site restrictions. Two examples that may be useful during this immediate crisis are:
1) Single consent for all CBTS annually including the amount of the patient’s co-pay
2) “Virtual check-in” (Brief Communication Technology-based Service) or remote evaluation of pre-recorded patient information: professional evaluation of patient-transmitted information conducted via prerecorded “store and forward” video or image technology:
3) Patient Portal communication:
Current Medicare law limits the originating site for telehealth to specific geographic areas and locations and prohibits delivery of telehealth by phone. On March 6, the President
signed into law the emergency spending bill: ‘‘Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020’’ which includes emergency waivers of certain telehealth requirements under Section 101: ‘‘Telehealth Services During Certain Emergency Periods Act of 2020.’’ (Pub. Law No. 116-123).
CMS has issued a fact sheet outlining the availability of telehealth services for Medicare beneficiaries including coding and billing information. https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet
This law expands telehealth by granting HHS the authority to waive certain telehealth restrictions in in the event of declarations of emergency. The Emergency law waives Medicare restriction related to originating site and telehealth modality by permitting telehealth services in any geographic area and permitting delivery of telehealth services to patients in their homes and by phone with audio-video interaction, a capability provided by most smart phones. There are limitations:
CMS has temporarily waived state licensure requirements for Medicare and Medicaid during the period of emergency declaration (March 1, 2020 until some later date announced by CMS).
You may use any HIPAA compliant non-public facing audio-video service. HIPAA and some state laws require that telehealth technology meet specified security requirements.
In a declaration of emergency, the HHS Secretary has the authority to issue an 1135 waiver of sanctions and penalties for failures to comply with specified provisions of HIPAA; on March 17, 2020, OCR announced that it will not impose penalties for noncompliance with HIPAA in connection with the good faith use of telehealth during the COVID-19 nationwide public health emergency. The waiver is effective as of March 17 and is not limited to use of telehealth to diagnose or treat the virus, but extends to all uses of telehealth during this time period.
While OCR does not endorse any specific telehealth app, it has identified several that may be appropriate: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Skype for Business, UpDox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet.
OCR recommends that providers notify patients that use of third-party applications pose privacy risks.
OCR has specifically stated that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”
The HHS Office of Civil Rights issued guidance in February 2020 to covered entities and business associates regarding the permitted uses and disclosures of patient information that may be made to protect the public health in an emergency situation. This guidance reminded covered entities and business associates of the obligation to “continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures” and “apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
Providers should remain cognizant of complying with HIPAA and applicable state data security laws in their use of telehealth services.
We recommend that HIPAA Covered Entities do the following when implementing telehealth technology services:
CLICK HERE TO SUBSCRIBE TO Coronavirus CONTENT
Whether a current or prospective client, we are here to help your business thrive. Please send us a message and we will respond to your needs as soon as possible.
SEND US A MESSAGE