As we continue to be bombarded daily with the relentless 24/7 news cycle regarding coronavirus disease 2019 (COVID-19), the reality is that healthcare employees are currently the most likely to be exposed to the disease in the United States.

EMPLOYER INFORMATION

If an employee exhibits symptoms of COVID-19 or the flu, can I ask them to leave work or stay home?

Employees who have been potentially exposed to COVID-19 (for example, through an ill family member or recent international travel) should stay home. In a pandemic situation, sending an employee home should pass the direct threat test and be allowable under the ADA.  However, sending employees home also implicates other laws, including the Family and Medical Leave Act (FMLA) and state sick leave laws, as well as employer leave policies.  Generally, employers may follow their normal sick leave procedures when dealing with leave for potential COVID-19 exposure. COVID-19 may qualify as a “serious health condition” qualifying an employee for protected medical leave to care for themselves or a sick family member under the FMLA, so FMLA notice requirements should also be observed.  The period of leave should be reasonable.

CMS guidance for  (which is applicable to any healthcare provider) recommends that hospitals have procedures in place to address any staff that develops signs and symptoms of a respiratory infection while on-the-job.  The CDC has issued specific risk assessment guidance for healthcare professionals.  The CDC continues to update this guidance as the exposure rapidly advances across our country. We recommend that you frequently review the  dedicated to COVID-19 for healthcare professionals for the most up-to-date information and contact your local and state health department for their specific requirements.

Supervisors should be trained to remain calm when faced with potential COVID-19 exposure in the workplace in order to avoid panic among the workforce.

If public health authorities request information about one of our employees, do the HIPAA privacy and security rules apply to our employee information?

HIPAA privacy restrictions only apply to “covered entities” (healthcare providers, employer-sponsored group health plans, or healthcare clearinghouses) and business associates (vendors or persons who use or disclose PHI to provide services to a covered entity) in instances involving individually identifiable health information. Because employers are not considered covered entities, information contained in employment records does not implicate HIPAA restrictions but is subject to confidentiality provisions under the Americans with Disabilities Act and may be protected by other laws. Additionally, if you are a healthcare provider and your employee is diagnosed and treated at your facility or practice, that employee consequently becomes a patient of the facility and the information created while the employee is being monitored, diagnosed or treated becomes protected health information (PHI).

If your company or organization sponsors a self-insured health plan, the Plan is considered to be a covered entity and is subject to the HIPAA Privacy Rule. State laws also have privacy requirements for individually identifiable information and may restrict disclosure of certain employee information.

Are healthcare workers especially likely to be affected by COVID-19?

Yes. While OSHA has assured employers that “most American workers are not at significant risk of infection,” it has identified industries that may be at an elevated risk of infection, including healthcare, deathcare or mortuary services, laboratories, airline operations, border protection, solid waste and wastewater management, and those involving travel to areas where the virus is spreading, including China. Specific guidance for control and prevention for each of these potentially high-risk industries is available on the OSHA website. OSHA recommends “using a combination of standard precautions, contact precautions, airborne precautions, and eye protection” to protect healthcare workers.

What resources and guidance are available for healthcare employers regarding COVID-19?

On March 7, 2020, the Centers for Disease Control and Prevention issued updated  specifically for healthcare personnel, including topics such as risk assessment, monitoring, and work restrictions. The CDC recommends that healthcare settings take a “conservative approach” to employees who may have COVID-19, including looking out for a broader array of symptoms than recommended for other employers and committing to early testing of possible cases. To help employers make these tough decisions, the CDC has set out four categories of healthcare workers (high risk, medium risk, low risk, and no identifiable risk) and three different types of monitoring (self, active, and self with delegated supervision), with recommendations for each. A table setting these out is available on the CDC website. In short, the CDC recommends that all medium and high risk healthcare personnel be excluded from work for 14 days after their last exposure and subjected to active monitoring (daily communication about symptoms), while low risk personnel should work but practice self-monitoring with delegated supervision (such as testing temperatures and assessing symptoms prior to starting work).

The CDC has also issued  for laboratory workers with samples that may contain COVID-19. These include specific labeling guidelines, use of Personal Protective Equipment, and procedures for conducting testing and decontamination to minimize the risk of exposure to laboratory staff. Under these guidelines, certain activities involving manipulation of potentially infected specimens should only be conducted in a certified Class II Biological Safety Cabinet in a BSL-2 facility. Clinical laboratories performing routine studies and diagnostic tests should follow standard laboratory practices when handling specimens potentially infected by COVID-19.

What are my obligations as a healthcare employer under the Occupational Safety and Health Act to protect my employees from COVID-19?

While OSHA has not developed specific standards for COVID-19, it has emphasized that healthcare employers are responsible for following standards applicable to Bloodborne Pathogens (29 CFR 1910.1030), Personal Protective Equipment (29 CFR 1910.132), and Respiratory Protection (29 CFR 1910.134) as well as the General Duty Clause (29 U.S.C. § 654(a)(1)). For employers who are in high-risk industries, including healthcare, OSHA recommends employers consider controls such as identifying and isolating suspected cases, environmental decontamination, and worker training, especially about the use of Personal Protective Equipment and analogous situations involving Bloodborne Pathogens.

OSHA’s General Duty Clause requires all employers to provide a safe work environment against known threats, which may now include COVID-19, so OSHA recommends that all employers stay vigilant to the evolving outbreak situation and adopt additional precautions as necessary. Violations of the General Duty Clause could result in fines of up to $70,000 for willful violations and up to $7,000 for each mistake.

What can I do if an employee refuses to treat patients infected with COVID-19 due to fear of infection?

Refusal to treat a patient can have serious consequences for the healthcare provider entity, the healthcare professional refusing to provide the care and, of course, the patient. For example, the Emergency Medical Treatment and Active Labor Act (EMTALA) requires healthcare providers to treat patients who need emergency healthcare treatment. Generally, only healthcare providers are liable for EMTALA violations, not the individual employees who work for the hospital. To minimize the risk of EMTALA liability, healthcare employers should implement and strictly enforce policies prohibiting their employees from refusing to treat patients who have contracted, or are suspected of having contracted, COVID-19 and who need emergency care. For licensed clinical care workers such as nurses, state licensing requirements may mandate a complaint be filed against the worker who refuses to treat, and the appropriate state licensing board may take further disciplinary action. Employers who implement policies prohibiting their employees from refusing to treat patients or enforce discipline for employees who do refuse to treat patients will have a straightforward legal defense against any claims of employment discrimination, provided that such policies are consistently enforced against all employees who refuse to treat.

PATIENT INFORMATION

How can we use and disclose patient information in an emergency?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a  with reminders regarding access, use and disclosure of PHI in an emergency. See our FAQ below regarding disclosures to public health authorities, family and friends, the media and relief organizations.

Can we share information with a public health authority, like the CDC, and if so, how much?

HIPAA permits covered entities to disclose PHI as requested or as needed to a public health authority, such as the CDC or state and local health departments, regarding patients exposed to, suspected, or confirmed to have COVID-19. You may rely on the public health authority’s description of the type and amount of information needed as the “minimum necessary” information required. PHI can also be disclosed to foreign government agencies working with authorized public health authorities on matters related to the COVID-19 pandemic.

A public health authority is an agency or authority of the United States, state, local or tribal government, or a person or entity operating under its authority. If you are uncertain, please seek verification from the government. More information can be found .

Can we respond to media requests regarding patients exposed to, suspected or confirmed to have the coronavirus COVID-19?

Disclosure of identifiable patient information to the media, on social media, or through other channels is not permitted without a specific patient authorization. (See 45 CFR 164.508 for the requirements for a HIPAA authorization). You may disclose the fact that there was a patient who tested positive or that there was a death resulting from the virus, but may not disclose any identifiable information except with the patient’s or patient’s legal representative’s authorization.

If you are a hospital or other facility, and a patient has not objected to or requested a restriction regarding disclosure of facility directory information, then if requested by name, you may confirm that an individual is being treated at the facility and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released).

Can we disclose information to family, friends or caregivers about a patient diagnosed or being treated for coronavirus COVID-19?

In general, unless the patient has objected or requested a restriction, you may disclose information to a patient’s family members, friends or caregivers that the patient has identified as being involved in his or her care. You may also share the information with providers or government officials as necessary to locate or notify family members, guardians, friends or caregivers of a patient’s location, general condition, or death.

If you are a hospital that has initiated its disaster protocol, you may fall under the 1135 waiver for non-compliance after March 1, 2020 and up to the end of the emergency period for disclosures to family, friends or caregivers involved in the patient’s care.

Can we disclose patient information to organizations like the American Red Cross?

In general, you may disclose information to the American Red Cross or other organizations authorized by to provide disaster relief efforts. Information is limited to the amount needed to coordinate notification of family, friends or caregivers involved in the patient’s care of the patient’s location, general condition or death. Consent is not required if it would interfere with the organization’s ability to respond to the emergency.

If you are making a disclosure to a relief organization and are a hospital that has initiated its disaster protocol, you fall under the 1135 waiver that waives sanctions for HIPAA non-compliance after March 1, 2020 and up to the end of the emergency period.   

If you feel that disclosure of information is necessary to reduce or eliminate an imminent threat to public health and safety or a potential threat to the welfare of an individual, healthcare providers may rely on professional judgement in determining whether disclosure of identifiable patient information is necessary to prevent or lessen a serious and imminent threat to the health of a specific person or the public—consistent with state laws and the healthcare professional’s ethical standards. (See 45 CFR 164.512(j)). This includes disclosures to family, friends, caregivers and law enforcement.

If we use telehealth to treat or diagnose patients, are we required to comply with HIPAA security requirements?

The Coronavirus Appropriations Act Telehealth Services During Emergency Periods Act of 2020 expands the use of telehealth for Medicare beneficiaries during the emergency declaration period. Also, CMS has expanded the use of telehealth in Medicare Advantage plans, Part D and Medicaid/CHIP. In addition, most commercial payors have expanded use of telehealth to address the need to triage and monitor patients remotely.

Neither the Coronavirus Appropriations Act nor HHS has waived compliance with the Security Rule; however, OCR has waived sanctions that may occur based on violations that occur through good-faith uses of non-public facing telehealth applications. For more, see FAQ.

Since there is a declaration of emergency, can I use Skype, Google Hangouts or other audio-video app on a smart phone to provide telehealth services to patients?

You are still required to use HIPAA compliant telehealth technology, enter into business associate agreements with telehealth technology vendors, and comply with the minimum necessary standard for disclosures. 

HIPAA requires that remote patient monitoring and communication through use of smartphones, tablets or laptops is secure. When smart phones or tablets are used for patient communication:

  • use an encrypted communication method;
  • configure devices with a unique username and password and, as recommended, two-factor authentication;
  • configure the devices to automatically wipe information after a limited number of failed access attempts and to be wiped remotely if lost or stolen; and
  • disable any automatic cloud backup of smartphone or tablet devices except as needed to back up or transfer information to the EHR or other patient record system.

Most telehealth vendors and communication services provide HIPAA compliance specifications to guide configuration of services to provide the recommended security settings for HIPAA compliance. See FAQ under TELEHEALTH for additional information and recommendations.

Is there any relief from enforcement for a breach related to disclosure of information in this emergency?

On March 17, 2020, Sec. Azar issued a 1135 Coronavirus COVID-19  waiving sanctions and penalties with regard to certain HIPAA provisions. If you are a hospital that has initiated its disaster protocol, you may fall under the 1135 waiver for non-compliance after March 15, 2020 and for up to 72 hours from the time the hospital implements its disaster protocol.  The waiver applies to the following:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • the requirement to honor a patient’s request to opt out of the facility directory (as set forth in 45 C.F.R. § 164.510);
  • the requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520);
  • the patient’s right to request privacy restrictions (45 CFR 164.522(a)); and
  • the patient’s right to request confidential communications (45 CFR 164.522(b)).

The waivers apply only to the Privacy Rule and do not waive compliance with the Security Rule, with the exception of telehealth use, or Breach Notification Rules. If a breach arises based on an impermissible disclosure of PHI, you are still required to provide notice as required under 45 CFR 164.400, et seq. The waiver only applies to sanctions for the specified area.

During the COVID-19 emergency, are we still required to follow the HIPAA privacy and security rules?

Yes. All covered entities and their business associates must still comply with the protections contained under the HIPAA Privacy Rule and Security Rules. It is important to remember in disclosing information to the CDC or other public health authorities to follow transmission security procedures, such as use of encrypted email or other secure electronic methods. HIPAA continues to require safeguarding of patient protected health information.


BILLING AND REIMBURSEMENT

What are the billing codes for COVID-19 tests?

Starting April 1, CMS will begin accepting new HCPCS codes for laboratory tests performed on or after February 4 on patients to diagnose COVID-19:

  • HCPCS Code U0001 for CDC testing labs to test for SARS-CoV-2
  • HCPCS Code U0002 for non-CDC lab tests for COVID-19

Local MACs will set pricing for these new codes.

How can I bill for services in diagnosing, treating or monitoring patients that may have coronavirus COVID-19?

In February, the CDC released  to support  related to the Coronavirus COVID-19 and notes that codes for conditions unrelated to the coronavirus may be needed to fully code scenarios in accordance with the current ICD-10-CM coding classification. The CDC guidance identifies several potential illnesses that may arise based on confirmed COVID-19 infections. The list includes pneumonia, acute chronic bronchitis, lower respiratory infection, and acute respiratory distress syndrome (ARDS). Guidance is also provided to code for encounters for observation both when the exposure results in positive or negative confirmation and for treatment of symptoms when there is no definitive diagnosis, such as for cough, shortness of breath and fever.

CMS has issued Medicare and Medicare Advantage  related to billing for services related to COVID-19 diagnosis, treatment and monitoring. In addition to diagnostic testing, guidance addresses reimbursement for in-patient stay, in-patient quarantine and monitoring, ambulatory, home or other alternative site treatment and monitoring, extended supply coverage, emergency ambulance transport, items or services paid for by federal, state or local government agencies, and new anti-viral drugs and preventative vaccines.

CMS also issued Medicaid/CHIP .

Benefits and coverage may vary between states.  your state agency for more information.

TELEHEALTH

Can I use telehealth to screen or treat patients from their homes?

Yes. You may provide the same telehealth services as currently permitted including services falling under the Medicare “Communication-based technology” services and those falling under Medicare “telehealth.” A list of the 2020 codes for telehealth services is available .

“Communication-Based Technology Services” (CBTS) are not subject to Medicare telehealth originating site restrictions. Two examples that may be useful during this immediate crisis are:

1)    Single consent for all CBTS annually including the amount of the patient’s co-pay

2)    “Virtual check-in” (Brief Communication Technology-based Service) or remote evaluation of pre-recorded patient information: professional evaluation of patient-transmitted information conducted via prerecorded “store and forward” video or image technology:

  • Previously established patient-physician relationship
  • Initiated by the patient
  • Used to determine whether or not an office visit or other services is necessary
  • Not related to a medical visit within the prior 7 days or that will lead to a visit within 24 hours
  • Verbal consent documented prior to the visit
  • Co-insurance and deductible apply
  • Bill for these virtual check-in services furnished through several communication technology modalities, such as telephone (HCPCS code G2012) or captured video or image (HCPCS code G2010)

3)    Patient Portal communication:

  • During a seven-day period
  • Initiated by the patient
  • Co-insurance and deductible apply
  • Billed using CPT codes 99421-99423 and HCPCS codes G2061-G206, as applicable
  • Available for use by clinicians who do not independently bill for evaluation and management visits (for example, physical therapists, occupational therapists, speech language pathologists, clinical psychologists) (G2016, G2062, G2063)

Current Medicare law limits the originating site for telehealth to specific geographic areas and locations and prohibits delivery of telehealth by phone. On March 6, the President signed into law the “Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020,” which includes emergency waivers of certain telehealth requirements under Section 101: “Telehealth Services During Certain Emergency Periods Act of 2020” (Pub. Law No. 116-123).

CMS has issued a fact sheet outlining the availability of telehealth services for Medicare beneficiaries including coding and billing information. 

This law expands telehealth by granting HHS the authority to waive certain telehealth restrictions in the event of declarations of emergency. The emergency law waives Medicare restrictions related to originating site and telehealth modality by permitting telehealth services in any geographic area and permitting delivery of telehealth services to patients in their homes and by phone with audio-video interaction, a capability provided by most smart phones. There are limitations:

  • provided by a “qualifying provider” (a physician or other practitioner (or a provider under the same TIN) who has provided Medicare services to the patient in the prior three years)
  • during the emergency period and in the emergency area identified by the president and the HHS Secretary
  • in compliance with state telehealth laws, such as scope of practice, and informed consent.

CMS has  state licensure requirements for Medicare and Medicaid during the period of emergency declaration (March 1, 2020 until some later date announced by CMS).

Since there is a declaration of emergency, can I use Skype, Google Hangouts or other audio-video app on a smart phone to provide telehealth services to patients?

You may use any HIPAA compliant non-public facing audio-video service. HIPAA and some state laws require that telehealth technology meet specified security requirements.

In a declaration of emergency, the HHS Secretary has the authority to issue an 1135 waiver of sanctions and penalties for failures to comply with specified provisions of HIPAA; on March 17, 2020,  that it will not impose penalties for noncompliance with HIPAA in connection with the good faith use of telehealth during the COVID-19 nationwide public health emergency. The waiver is effective as of March 17 and is not limited to use of telehealth to diagnose or treat the virus, but extends to all uses of telehealth during this time period.

While OCR does not endorse any specific telehealth app, it has identified several that may be appropriate: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Skype for Business, UpDox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet.

OCR recommends that providers notify patients that use of third-party applications poses privacy risks.

OCR has specifically stated that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”

The HHS Office of Civil Rights  in February 2020 to covered entities and business associates regarding the permitted uses and disclosures of patient information that may be made to protect the public health in an emergency situation. This guidance reminded covered entities and business associates of the obligation to “continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures” and “apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”

Providers should remain cognizant of complying with HIPAA and applicable state data security laws in their use of telehealth services.

We recommend that HIPAA Covered Entities do the following when implementing telehealth technology services:

  • obtain assurances from telehealth vendors that the technology is HIPAA compliant and maintain a copy of the documentation
  • if possible, negotiate a specific indemnification provision in the services agreement in the event of a HIPAA violation or failure in technology compliance by the vendor
  • execute a business associate agreement with the vendor
  • obtain the vendor’s HIPAA implementation or configuration specifications and configure and use the services in accordance with vendor guidance
  • if personal devices are being used in delivery of telehealth, we recommend disabling certain features: Bluetooth, automatic functions to save photos or video to the phone/tablet photos, automatic posting to social media, and automatic backup to cloud services. Smart phones, tablets and laptops used for telehealth should be password protected, require two-factor authentication, permit wiping remotely if lost or stolen, and enable wiping after a limited number of unsuccessful access attempts
  • verify that the service provides encrypted communication and transmission and enable encryption
  • notify the patient of the use of a third-party app and the privacy risks of use of a third-party app
  • obtain consent from the patient, if required under state law