Protecting Employee and Patient Privacy in the New Normal

Over the last several weeks, most of the United States has been in various phases of “re-opening” due to the COVID-19 pandemic shutdowns. As physical offices open back up, many employers are refreshing their telecommuting policies or initiating their own “return to work” programs.  Because this is such uncharted territory, many organizations have been engaging in dialogue about how to safely bring their employees back to the workplace.  Of course, this reintroduction is occurring under a “new normal” regulatory schema that intends to maintain employee privacy.

The COVID-19 pandemic has challenged the healthcare sector in unimaginable ways and as a consequence, government regulators have been forced to make seemingly instantaneous changes to complex laws (and/or issue additional guidance) in a host of compliance areas including HIPAA, the ADA, and other EEO Laws.

Per HIPAA, employee records are distinct from patient records, even if the information on your employee record is health-related (doctor’s note or other health information pertinent to sick leave, worker’s compensation, etc.).  However, the American with Disabilities Act (ADA) requires all medical information about a particular employee to be stored separately from the employee’s personnel file while also requiring limited access to this confidential information. In any healthcare organization, there are certainly instances when an employee has become a patient, maybe even a COVID-19 patient in this current climate. In such cases, there might be sensitive details related to the employee’s health in both their medical and patient record. HIPAA and ADA protections would apply, but it is important to ensure the organization has policies in place to monitor and protect both silos of information as well as who within the organization needs to have access to or knowledge of the employee’s health situation.

Healthcare Privacy Officers work to ensure patient medical data are protected.  Employees who are patients have unique privacy interests that should not be overlooked when developing any new policies or protocols. Policies on what information should be disclosed to managers and co-workers about an employee’s absence, for example, can ensure the proper care is taken to meet compliance regulations. Similarly, technology is needed to monitor for abuse of access rights, such as when employees snoop on medical records.

One way to ensure the privacy of patient and employee medical records is upheld is to implement a technology solution that can help Privacy Officers carry out these policies. Machine learning solutions like SecureLink’s Patient Privacy Monitoring solution assist Privacy teams in monitoring for inappropriate uses of medical data by learning how to differentiate normal from irregular access patterns.

The SecureLink Patient Privacy Monitoring solution also includes a contact tracing system that leverages the access log to identify employee exposure and trace back infections. Contact tracing allows healthcare organizations to quickly notify employees who have come into contact with a patient who later tests positive for COVID, or even comes into contact with another employee who later tests positive. Being able to take action early is essential to protect the health and privacy of employees.

Inappropriately accessing medical records is an ongoing issue, even during the current COVID-19 pandemic. With hospitals being at the center of the response, and also a place where the virus is likely to spread, it is important that policies, procedures, and systems are put in place to track inappropriate access to patient records including employees snooping on co-worker’s COVID statuses.

The U.S. Equal Employment Opportunity Commission (EEOC) has published a list of resources on what employers should know about COVID-19, the ADA, the Rehabilitation Act, and other EEO laws that can be useful for Privacy Officers and compliance teams:

Photo of Elizabeth B. Ruszczyk

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP

Elizabeth B. Ruszczyk, Esq., most recently served the Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 – 2019, Ms. Ruszczyk also simultaneously served as the Executive Associate Vice President, Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk possesses nearly 20 years of extensive experience developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP., in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.