Coronavirus has made a difference in your practice procedures. But…have you reviewed and updated your Procedures and Policies Manual?


Coronavirus has made a difference in your practice procedures. You’ve reorganized your waiting room and check in procedures to comply with social distancing. Staff are required to wear masks and increased personal protection equipment (PPE). Sanitizing has been brought to a new level. Patients must wear masks and notify you of their arrival before entering the waiting room.

But…have you reviewed and updated your Procedures and Policies manual? With the new normal brought on by the outbreak of human coronavirus and the resultant school closings, travel bans, social distancing, community “lockdowns” and other concerns throughout the world, it is time to review your office procedures and HIPAA regulations relative to patient rights and public safety.

Understandably, the public, and especially healthcare employees, are concerned about contracting this mysterious, pneumonia-like virus that is spreading rapidly around the world, as the number of confirmed cases spikes each day while more people are tested and/or show symptoms. The CDC and local government agencies want to track testing, exposure, recoveries and deaths to determine where the virus is heading.

At the time of writing this article, the Department of Health and Human Services had declared a public health emergency with respect to coronavirus. Under the public health emergency, covered entities must understand what their obligations are with respect to the use and disclosure of PHI.

What is the HIPAA Public Health Exemption?

The HIPAA Privacy Rule recognizes the need for public health authorities, and others who ensure public health and safety, to be given access to PHI to carry out public health activities. The Privacy Rule also recognizes that public health reports made by covered entities play an important role in identifying threats to individual and public health and safety. As such, the Privacy Rule allows covered entities to disclose PHI without authorization for certain public health purposes.

Under the HIPAA public health exemption (which applies, among other reasons, when a public health emergency has been declared), covered entities may, without written patient authorization, disclose PHI to public health authorities legally authorized to receive it, for the purposes of preventing or controlling disease, injury, or disability. Disease, injury, and disability prevention and control measures and activities include reporting of disease or injury, and reporting of vital events, such as deaths.

Under the HIPAA public health exemption, a covered entity may also, without written patient authorization, disclose PHI to conduct public health surveillance, investigations, or interventions.
Covered entities may also, if directed to do so by a public health authority, disclose PHI to a foreign government agency acting in collaboration with that authority. Covered entities that are themselves public health authorities may use and disclose PHI for:

  • The purpose of preventing or controlling disease;
  • The purpose of preventing or controlling injury;
  • The purpose of preventing or controlling disability.

Disease, injury, and disability prevention and control measures and activities include:

  • Reporting of disease or injury;
  • Reporting of vital events (e.g., births, deaths); and
  • Conducting public health surveillance, investigations, or interventions.

What is a Public Health Authority?

The HIPAA Privacy Rule defines a “public health authority” as:

  • An agency or authority of the United States government;
  • A state;
  • A territory;
  • A political subdivision of a state or territory; or
  • An Indian tribe

that is responsible for public health matters as part of its official mandate.

Public health authorities also include individuals and entities acting under a grant of authority from, or under a contract with, a public health agency.

Examples of a public health authority include:

  • State and local health departments;
  • The federal Food and Drug Administration (FDA);
  • The federal Centers for Disease Control and Prevention (CDC); and
  • The federal Occupational Safety and Health Administration (OSHA).

Generally, covered entities must reasonably limit the PHI disclosed for public health purposes, to the minimum amount necessary to accomplish the public health purpose. 

However, covered entities are not required to make a “minimum necessary determination” for public health disclosures that are either made under an individual’s authorization or required by other law.

For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority that is requesting the protected health information.

For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of protected health information that may be disclosed for such purposes. 

When Else Does the HIPAA Public Health Exception Apply?

The Privacy Rule recognizes the important role that persons or entities other than public health authorities play in certain essential public health activities. As such, covered entities may, under the Privacy Rule, disclose protected health information, without authorization, for the following public health activities: 

  • Child abuse or neglect. Covered entities may disclose PHI to report known or suspected child abuse or neglect, provided the report is made to a public health or other appropriate government authority authorized to receive such reports under law. Such authorities may include (among other entities) social services departments of local governments, and police departments.
  • Quality, safety or effectiveness of a product or activity regulated by the FDA. Covered entities may disclose PHI to persons (e.g., individuals, entities, partnerships, and corporations) subject to Food and Drug Administration jurisdiction, if the disclosure is for a public health purpose that is related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility.
    Examples of purposes or activities for which such disclosures may be made include (but are not limited to):
    • Collecting or reporting product defects or problems (including problems regarding use or labeling);
    • Tracking FDA-regulated products; and
    • Enabling product recalls, repairs, or replacement.
  • Persons at risk of contracting or spreading a disease. A covered entity may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition, if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations.
  • Workplace medical surveillance. A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s PHI to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent the employer needs that information to comply with OSHA, the Mine Safety and Health Administration (MSHA), or the requirements of State laws having a similar purpose. In such instances, the covered provider must give written notice to the individual that the information will be disclosed to the individual’s employer. As an alternative to having to give written notice to the individual, the notice may be posted at the worksite, if that is where the service is provided.

Understandably, your staff is concerned when patients present with symptoms of the novel coronavirus COVID-19, which have included mild to severe respiratory illness with fever, cough, and difficulty breathing. Fears about contracting the virus could lead healthcare employees to impermissibly access protected health information (PHI) and share information about patients presenting with these symptoms.

Although healthcare employees are encouraged to answer patient questions about coronavirus and take precautions when dealing with patients presenting with upper respiratory symptoms, they must remember they may not access or disclose patient records for an unauthorized purpose. Curiosity may tempt employees to look up a patient’s medical record to see if the record includes evidence of any discussions a patient may have had with a provider about coronavirus. However, employees should especially resist this temptation with respect to patients who have sought treatment for mild to severe respiratory illness. HIPAA regulations still apply and under HIPAA, employees may only access or disclose patient records when specifically authorized to do so as part of their job, or when required to do so under law.

Review and/or update privacy procedures in your Policies and Procedures manual to reinforce this HIPAA rule.


During the COVID-19 pandemic, emergency HIPAA waivers made it easier for physicians to provide virtual services. For many, the pandemic and subsequent shutdowns may have resulted in offering telehealth services never before considered. However, these relaxed rules were never meant to be permanent. Eventually, the government will clamp down on telehealth HIPAA compliance with violation penalties as high as $50,000 per occurrence.

Complying with the stricter HIPAA telehealth regulations when the COVID-19 waivers expire is essential to your ability to continue to offer these much-sought-after services. Now is the time to review your telehealth procedures to assure you are complying with the normal HIPAA requirements. Be sure your virtual platform complies with the HIPAA rules that were in effect before the relaxed regulations were put into place. Review all rules with staff who may have become accustomed to the relaxed telehealth rules allowed during the height of the pandemic.


The new normal also applies to your employment policies, which must comply with new State and Federal COVID-19 employment rules. You must also ensure compliance with other related government agencies and laws that have been modified due to changing circumstances (e.g., the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC), the United States Department of Labor (DOL), etc.).

The new employment laws affect everything from what you are required to pay when an employee is out sick to the safety of the work environment within your practice. Ignoring these new employment regulations really isn't an option: it leaves your practice seriously exposed to legal and governmental audits and penalties. Following are several employment policy questions you must consider addressing in your Policies and Procedures manual.

  • If testing is available, can you legally test employees for COVID-19?
  • Are you violating ADA laws if you require pregnant or high risk staff to stay home?
  • Can you require staff to use accumulated PTO as compensation if you send them home?
  • How do you know if you are required to comply with Federal Families First Coronavirus Act?
  • If an employee reports that they've tested positive for COVID-19, can you inform other staff?
  • What are your obligations to the Emergency Family & Medical Leave Expansion Act (EFMLEA)?
  • What obligations do you have related to the Emergency Paid Sick Leave Act (EPSL)?
  • Are you required to comply with both State and Federal employment regulations?
  • How can you reduce your liability if an employee becomes infected with COVID-19 at work?
  • What is the best way to document the communication of new employment policies?
  • If employees work from home, are you required to reimburse home expenses (i.e. internet, etc.)?
  • Do you have an obligation to report employees with symptoms of COVID-19?
  • When is it safe to let a COVID-19-positive employee return to work?
  • How long must you hold a position open for an employee who can't come to work?
  • How high does an employee's temperature need to be to be sent home?
  • What should you do if you tell an employee to go home and they refuse?
  • Are there documentation requirements for COVID-19-positive employees?
  • Are you required by EFMLEA and EPSL to pay an employee for time they don't actually work?
  • If an employee tests positive for COVID-19, are you required to record an OSHA incident?
  • How do you amend your FMLA and leave policies to align with updated COVID-19 regulations?
  • How does COVID-19 change your Americans with Disabilities Act (ADA) compliance?
  • Are there specific PPE items that you are required to provide to staff?


HIPAA rules and employment regulations as well as your entire Policies and Procedures Manual should be reviewed, updated and reissued to all employees periodically. In the face of a public health emergency such as the coronavirus, it is imperative that all employees are reminded of how important it is to follow the HIPAA privacy rules regarding PHI and that all new rules regarding patient safety and employee matters are recognized.

This article will be published in the September/October 2020 issue of The Journal of Medical Practice Management®
