When employees are required to show their employers proof of a positive COVID-19 test before they get sick leave or a vaccination before returning to work, the implications are profound—but they don’t enter the realm of the HIPAA privacy rule.
“It has nothing to do with HIPAA,” said attorney Kirk Nahra, partner with WilmerHale. “HIPAA is not an overall health information privacy law. There have always been gaps in what was covered by HIPAA,” which have become more apparent with the advent of mobile apps, wearables and patient support sites.
The success of the health care system depends on data and protecting its privacy, but organizations are running into complicated situations that weren’t anticipated by the 2003 HIPAA privacy and 2005 security regulations. Although hospitals, insurers and clearinghouses are “reasonably comfortable with HIPAA rules,” he said, “we are seeing tensions.”
One of the tensions involves patients’ access to their own data. For example, once information from a patient’s medical record leaves the provider and moves through a mobile app, it is no longer regulated by HIPAA. “We have this tension in making it easier for patients to access,” which may dilute the security, and “so far the decision has primarily favored access over security, but we are trying to make sure it’s not a zero-sum game.”