Written by Dr. MedLaw
These are extraordinary times with extraordinary challenges but even within this unique framework the principles that doctors need to follow remain familiar.
Let’s look at a few topics that are giving doctors concern:
- In the office
Even if you have always made it a point to emphasize to your staff that PHI is never to be shared for non-work purposes, re-emphasize that again now, and do it in a written memo so that you have proof that you did so. The COVID-19 pandemic has caused stress and shock and there is simply too great a chance for a worried employee to vent that worry in a way that can identify a patient.
- Remote work
If you are considering having your non-medical staff work from home it is essential to bear in mind that while the OCR has relaxed some access rules (see next section) that HIPAA’s rules on patient confidentiality still apply to a covered entity’s employees wherever work is performed.
Any personal devices that an employee will use or any devices that you supply to them should be strongly password-protected and all PHI should be encrypted before it is transmitted. The connection must be secure. A VPN would be a very good idea. You should talk to your IT person about levels of security that can be set up, such as two-factor authentication or having to login again after a period of absence.
If the employees will be using their personal computers you will also want to specifically deal with that, at least with written instructions and best with a Bring Your Own Device (BYOD) Agreement. This can include issues such as what devices are acceptable, what passwords are acceptable, that data must be deleted after use rather than stored, that there must be disconnection from the network when the work is complete, and your right to access the employee’s device.
Also bear in mind that when people are at home that they can become too casual in how they handle information but you are still under the obligations of the HIPAA Security Rule’s Device and Media Controls standard that requires a covered entity to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” It is therefore essential to give any employees being sent to home to work a formal written policy on maintaining PHI safely and the employee required to sign that they received it. Make sure to cover that there is to be no discussion of PHI with family members, that the employee is to have a work area set up such that family members cannot observe the contents of what is being worked on, that the device may not be left on and unattended, that the device may not be shared, and that the device must be stored and transported with care.
Employees also have to be cautioned about disposal of paper containing PHI. Printing should be minimized and a cross-cut shredder should be used to destroy what is printed (supply one if the employee does not have one).
To extend medical access during the isolation period, the OCR is temporarily waiving penalties for the use of non-HIPAA compliant communication platforms and/or not having a Business Associates Agreement with the service used during the COVID-19 emergency.
The service must not be public facing, so Facebook Live, Twitch and TikTok may not be used but Skype, Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Zoom are all acceptable.
This deferral applies to using these services for any treatment or diagnostic purpose even if it is not directly related to COVID-19. This is because the purpose is to make up for not being able to come in to see you, which can cover any condition that would normally warrant a visit. In other words, if the discussion occurs during the period of the emergency you can review a patient’s bunion with them and you will be covered – the only issue is that it be a good faith medical purpose.
You should first inform the patient that what will be used is potentially not secure and get their express confirmation that they understand and agree. A good way to do this would be to create a standardized e-mail and have them reply affirmatively as proof of their agreement; you would then save that to your own files.
Of course, you should personally employ all appropriate privacy safeguards from your end. This is an extension of access, not a reduction of your own standards of compliance.
There is a cautionary point, though: This is to last during the emergency, a period for which there is no end-date. You will therefore need to stay alert for its termination so as to not incur the fines that will recommence at that time for what would again then be a HIPAA violation.
Maintaining office safety
Patients – even those seeing you for reasons not related to COVID-19 – are potential vectors of the virus to your staff and to other patients and you can therefore require that anyone coming to see you wear a mask and also keep it in place (such as no lowering of the mask to talk on the phone).
Because the doctor-patient relationship still remains a mutual contract that you have the right to withdraw from, you retain the right to refuse a patient who will not cooperate. Patients should be advised of the mask requirement before they come in. If they refuse and can be safely seen later, they should be given an appointment past the expected isolation period.
However, the law of abandonment still applies as well: you cannot summarily deny care to someone under active treatment (as opposed to just routine follow-up) without adequate notice to permit them to set up care elsewhere. If such patients are unwilling or unable to comply with your mask requirement then you should provide one.
You should also keep the issue of constructive abandonment in mind. This refers to a termination that is facially proper but in which the doctor does not actually believe that the patient will be able to secure alternative care. Typically this arises in the setting of patients who have unpopular insurance coverage or who require very specialized care but now it would come under the fact that doctors are not taking on new patients. Actual termination from your practice because of how a patient conducted themselves now is therefore something to deal with when the isolation regime has ended.
Although a severe disease is clearly a disability, potentially invoking the ADA and its protections for employees who need accommodation, the EEOC has specifically said that nothing in the ADA should be taken to interfere with employers following CDC or state/local public health recommendations. As an employer under OSHA obligations to maintain a safe workplace and a physician with a fiduciary duty to safeguard the health of your patients you may therefore take steps that you would normally be more limited in.
Current employees or those who have been made an offer of employment but have not yet started work can be denied access to your premises if they place others at a significant risk. This is actually not at variance with the general rule that accommodations must be reasonable and not interfere unduly with the conduct of the business such that, for example, you would never have to cordon off a section of your office to accommodate a worker who had been exposed but was not currently symptomatic; that worker can simply be sent home.
You can require that employees self-report any exposure, that they answer questions about symptoms, and even that they be tested if there is a sufficient medical basis for that. All information that you receive about an employee’s status should then, of course, be kept in a confidential file.
What you want to make sure of is that in your application of any restrictions that you remain even-handed and non-discriminatory and that all job and payment security that your practice offers is applied equally.
You can require that employees have their temperature checked. However, since fever is not the only symptom of a developing COVID-19 infection, employees should both be counseled to be mindful of how they feel generally and to report immediately if there is a change during the day, and be reminded that hygiene and PPE precautions apply fully even if their temperature is normal.
If an employee was exposed or has tested positive you will need to inform co-workers. However, you are also required to keep personal medical information confidential so you should ask for permission to reveal their identity. If they refuse this then you can contact other employees likely to have been exposed to them and simply tell them that that exposure may have taken place without naming the source. Of course, since in a small medical practice a sudden absence at this time can itself be revealing, you also have to firmly instruct – in a written memo, so you have proof – the employees who remain to not gossip among themselves or take their co-worker’s PHI outside the office. This memo should itself refer to all co-workers generally rather than naming the specific employee.
While an employee is on self-isolation you can ask as much as you need to know to determine if they can safely return to work. This will actually still be within the limitation that an employer must respect an employee’s medical confidentiality because you will be asking only the minimum information necessary to make a work-related determination.
You can also require that they provide a physician’s note saying that they are fit to return to work. However, since this may not be practically possible for them to get a substitute that would also serve your due diligence would be, as a physician yourself, creating a form listing the medical criteria that you want satisfied, such as being fever-free for at least a day without the use of antipyretics, and have them sign that.
All employees, including non-medical staff, should be required to engage in proper hygienic procedures because they are all in contact with surfaces that patients touch, air that patients breathe, and staff that patients interact with. If an at-will employee is not cooperating with hygienic conduct such as handwashing and the use of PPE you may fire them immediately just as you could for any other workplace failure. If they have contractual notice protections then you should inform them in writing (as proof against a wrongful termination claim) that proper hygienic procedures are an absolute requirement of their continued employment and follow that up with actual termination unless there is immediate rectification; even if you normally have a “strikes” policy the danger that they are creating will override that.
This is primarily a concern for retired doctors who are answering the call to come back to assist overwhelmed hospitals but who no longer have malpractice coverage.
The first thing to check is whether the state, as New York does, has an exemption from liability for COVID-19 care, or whether there is an emergency worker statute that either immunizes or indemnifies the doctor, or whether the hospital will be providing indemnification.
A Good Samaritan law cannot, however, be relied upon. These cover care outside of medical facilities that is rendered to individuals to whom the practitioner does not owe a duty. Even a hospital that is low on resources or overcrowded is still a hospital and if you are working as physician you will have a duty to all patients under your care and who you are on-call for.
The most essential issue in limiting liability, though, is self-assessment. In a setting in which your skills may not be as good as those of a specialist but you can still be of benefit to the patient an informed consenting discussion with the patient about any limitations can be adequate, but modern critical care and its technology are not roles that you can step into if, say, you have been in private practice as a neurologist for the last 30 years, and there is no on-the-spot training that can compensate for that, and the patients are in no position to select their caregivers.
In this regard, also bear in mind that even immunity laws, such as that in New York, do not cover gross negligence, which would be acting so recklessly that it shows a disregard for patient safety. Accepting to intubate a patient when the last time that you tried to do so was as a supervised intern would be such conduct, however well-intentioned you are, and would remove you from the law’s protection.
It is therefore up to you, if you do re-enter to help, to specify what you can do and what you cannot…and it is very likely that they will be glad to have you in the ER or clinic using your skills well.
In summary then, the challenges of the pandemic are huge, but following underlying principles can keep physicians out of the medicolegal woods.