Further Guidance on HIPAA and COVID Vaccination information

Some additional questions have come up in connection with the effect of HIPAA on the ability of a business or an individual to ask if someone is vaccinated. The following reflects the guidance from the Department of Health and Human Services, which is the federal agency tasked with enforcement of HIPAA’s privacy and security rules.

Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine?

Answer: No.

The Privacy Rule does not apply to individuals’ disclosures about their own health information, so any individual may disclose his or her own vaccination status as to COVID-19 or any other disease. The Privacy Rule applies only to covered entities (health insurance carriers, healthcare clearinghouses, and certain medical providers) and, to some extent, their business associates (if they handle protected health information). Therefore, the Privacy Rule does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Answer: No.

The Privacy Rule does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers. Thus, the Privacy Rule generally does not regulate what information can be requested from employees as part of the terms and conditions of employment that a covered entity or business associate may impose on its workforce, such as the ability of a covered entity or business associate to require its workforce members to provide documentation of their vaccination against COVID-19 or to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

For example, the Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Other federal or state laws address whether an employer may require a workforce member to obtain any vaccinations as a condition of employment and provide documentation or other confirmation of vaccination. These laws also address how employers must treat medical information that they obtain from employees. For example, documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA).

The HIPAA Privacy Rule and COVID-19 Vaccine status

There are a number of questions that have come up in connection with the effect of HIPAA on the ability of a business or an individual to ask if someone is vaccinated. The Department of Health and Human Services, which is the federal agency tasked with enforcement of HIPAA’s privacy and security rules, has issued guidance on many questions on the subject of COVID-19 vaccination status.

Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The short answer is, No.

The Privacy Rule does not prohibit any individual or any entity such as a business, including HIPAA covered entities and their business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

The HIPAA Privacy Rule only applies to covered entities, specifically, health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions, and, to some extent, their business associates. It does not apply to schools, employers, stores, restaurants, entertainment venues, or even another individual outside the medical profession.

In addition, the HIPAA Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI) (for example, PHI about whether an individual has received a COVID-19 vaccine) that covered entities and business associates create, receive, maintain, or transmit.

So, a covered entity (e.g., a covered doctor, hospital, or health plan) or business associate may ask whether an individual (e.g., a patient or visitor) has received a particular vaccine, including COVID-19 vaccines. After acquiring it, HIPAA would regulate how and when a covered entity or its business associate may use or disclose the information about an individual’s vaccination status.

As a result, the Privacy Rule does not apply:

  • When an individual is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • When an individual asks another individual, their doctor, or a service provider whether they are vaccinated.
  • When an individual asks a company, such as a home health agency, whether its workforce members are vaccinated.

Other state or federal laws do address whether individuals are required to disclose whether they have received a vaccine under certain circumstances.

 

Employers – The import of reviewing your electronic access policies

In two recent decisions discussed below, the courts have substantially limited the remedies available to an employer whose employees leave with information taken from the business computer systems, under the Georgia Computer Systems Protection Act (GCSPA).

The Georgia Supreme Court reversed a conviction under the Georgia Computer Systems Protection Act (GCSPA) with significant consequences for employers. In that case an employee with the IT department of the City of Norcross had his bosses’ emails copied and forwarded to his private e-mail account. He was prosecuted for knowingly using a computer network without authority with the intent to obstruct, interrupt, or interfere with the system. The Supreme Court reversed on the grounds that the evidence did not show that what he did obstructed, interrupted, or interfered with the use of the computer system. The implication is that the GCSPA may not provide a civil remedy for an employer against a departing employee for merely copying or forwarding data from a computer system. Kinslow v. Georgia, (Supreme Court, S20G1001, June 21, 2021).

In addition, the U.S. Supreme Court held recently that the federal Computer Fraud and Abuse Act (CFAA) did not prohibit a Georgia police sergeant from using his work computer to access license plate information that he then sold. However, the Court held that “An individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.” Van Buren v. United States (2021). This likely will severely limit the ability of employers to pursue civil claims under the CFAA against departing employees who take information from a computer system to which they had authorized access.

What does this mean for Georgia employers?

It means that your company needs to be careful about information protection policies and procedures. Employees should only be given access to the proprietary information that is necessary to perform their job. Your computer use and email use policies should be updated to address restricted access and usage. Employers should also have signed confidentiality agreements with their employees to protect valuable information.

 

Supreme Court Rules Homosexuality and Transgender Status are Legally Protected

This morning the United States Supreme Court issued its opinion in Bostock v. Clayton County, Georgia, (U.S. Supreme Court, No. 17-1618, June 15, 2020). The Court held that an employer who fires an individual for being gay or transgender violates Title VII of the Civil Rights Act of 1964.

The case is a collection of three appeals, and in each of these cases, an employer allegedly fired a long-time employee simply for being homosexual or transgender. Clayton County, Georgia, fired Gerald Bostock for conduct “unbecoming” a county employee shortly after he began participating in a gay recreational softball league. Altitude Express fired Donald Zarda days after he mentioned being gay. And R. G. & G. R. Harris Funeral Homes fired Aimee Stephens, who presented as a male when she was hired, after which she informed her employer that she planned to “live and work full-time as a woman.” Each employee sued, alleging sex discrimination under Title VII of the Civil Rights Act of 1964. The Eleventh Circuit held that Title VII does not prohibit employers from firing employees for being gay and so Mr. Bostock’s suit could be dismissed as a matter of law. The Second and Sixth Circuits, however, allowed the claims of Mr. Zarda and Ms. Stephens, respectively, to proceed.

Justice Gorsuch’s opinion holds that homosexuality and transgender status are inextricably bound up with sex. In effect, sex is a “but for” cause of the discrimination inherent in discharging transgender or homosexual employees on the basis of their sexual orientation or gender identity. Accordingly, discharging an employee on the basis of sexual orientation or gender identity is discharge on the basis of sex, and therefore a violation of the terms of Title VII. His opinion was joined by Chief Justice Roberts and Justices Ginsburg, Breyer, Sotomayor, and Kagan. Justice Alito filed a dissenting opinion in which Justice Thomas joined. Justice Kavanaugh filed a dissenting opinion of his own.

The decision extends the reach of Title VII to all claims involving discrimination on the basis of sexual orientation and gender identity in employment.

 

COVID-19

Paid Leave under the Families First Coronavirus Response Act

The Families First Coronavirus Response Act (FFCRA) requires certain employers to give employees paid sick leave or expanded family and medical leave for reasons related to the coronavirus pandemic. These provisions will apply from April 1, 2020 through December 31, 2020. The FFCRA’s provisions on paid sick leave and expanded family and medical leave amend the provisions of the Family and Medical Leave Act (FMLA).

Claims for Violation of Emergency Leave Portions of the FFCRA.

If you are a qualified employee, you may have a claim under the FFCRA if your employer wrongly denied your request for paid emergency sick leave or emergency expanded FMLA leave, refused to reinstate you after your leave (depending on the number of employees), otherwise interfered with your leave request, or has taken some action against you in retaliation for requesting leave.

If you’re successful in making an FFCRA claim, then you could recover the following types of damages.

  • Lost Back Pay. Back pay means the wages, salary, and benefits you lost as a result of your employer’s wrongful actions. Back pay covers such lost earnings from the date of termination (or other action by your employer) to the date of the judgment in your case.
  • Lost Front Pay. Front pay means your wages, salary, and benefits you will lose in the future as a result of your employer’s actions (from the date of the judgment to some point in the future). For example, if you’re unlikely to find a new job for another year, you may be awarded front pay for that year.
  • Liquidated Damages. “Liquidated damages” are amounts automatically awarded unless your employer can show that it acted in good faith. Liquidated damages under the FMLA are equal to the amount you win in lost back and front pay.
  • Attorneys’ Fees and Costs. The court will also award your attorneys’ fees and costs if you win your FMLA case.
  • Injunctions. You may also win court orders in a FFCRA lawsuit that your employer must take some action to comply with the law. For example, the court may order your employer to grant you the leave that you’ve been denied or to reinstate you to the job you held before taking leave, or to force the employer to change some company policy or practice.

It is important to note that private lawsuits for violation of emergency expanded FMLA leave are only available if the employer otherwise falls within the FMLA, or, in other words, has more than 50 employees. In all other cases, involving smaller employers, FMLA violations are investigated by the Wage and Hour Division of the U.S. Department of Labor.

Claims for Failure to Provide Emergency Paid Sick Leave

The terms of the Emergency Paid Sick Leave Act provide that failure to provide sick leave as required by the Act is considered to be a failure to pay the minimum wage as required by the terms of the Fair Labor Standards Act (FLSA). Such failure to provide paid sick leave is subject to the enforcement terms of the FLSA, meaning that any similarly situated employee can bring a lawsuit to recover for the wages and overtime due, as well as liquidated damages, reasonable attorney’s fees, and court costs.

What Paid Sick Leave and Expanded Family Medical Leave Is Available?

Generally, the FFCRA provides that employees of covered employers are eligible for:

  • Two weeks (up to 80 hours) of paid sick leave at the employee’s regular rate of pay if the employee is unable to work because he or she is quarantined (pursuant to a Federal, State, or local government order or the advice of a health care provider), and/or experiencing coronavirus symptoms and seeking a medical diagnosis; or
  • Two weeks (up to 80 hours) of paid sick leave at two-thirds the employee’s regular rate of pay if the employee is unable to work because of a bona fide need to care for an individual subject to quarantine (pursuant to a Federal, State, or local government order or the advice of a health care provider), or to care for a child (under 18 years of age) whose school or child care provider is closed or unavailable for reasons related to the coronavirus, and/or the employee is experiencing a substantially similar condition as specified by the Secretary of Health and Human Services, in consultation with the Secretaries of the Treasury and Labor; and
  • Up to an additional 10 weeks of paid expanded family and medical leave at two-thirds the employee’s regular rate of pay where an employee, who has been employed for at least 30 calendar days, is unable to work due to a bona fide need for leave to care for a child whose school or child care provider is closed or unavailable for reasons related to coronavirus.

Who Are The Covered Employers?

The paid sick leave and expanded family and medical leave provisions of the FFCRA apply to certain public employers, and private employers with fewer than 500 employees. Most employees of the federal government are covered by Title II of the Family and Medical Leave Act, which was not amended by this Act, and are therefore not covered by the expanded family and medical leave provisions of the FFCRA. However, federal employees covered by Title II of the Family and Medical Leave Act are covered by the paid sick leave provision.

Small businesses with fewer than 50 employees may qualify for exemption from the requirement to provide leave due to school closings or child care unavailability if the leave requirements would jeopardize the viability of the business as a going concern. We can help employers determine if they may be exempt.

Who Are The Covered Employees?

All employees of covered employers are eligible for two weeks of paid sick time for specified reasons related to coronavirus. Employees employed for at least 30 days are eligible for up to an additional 10 weeks of paid family leave to care for a child under certain circumstances related to coronavirus. (Special rules apply to potentially limit the availability of paid leave for healthcare providers and emergency responders during the pandemic.)

Notice: Where leave is foreseeable, an employee should provide notice of leave to the employer as is practicable. After the first workday of paid sick time, an employer may require employees to follow reasonable notice procedures in order to continue receiving paid sick time.

What Are the Qualifying Reasons for Leave?

Under the FFCRA, an employee qualifies for paid sick time if the employee is unable to work (or unable to telework) due to a need for leave because the employee:

  1. is subject to a Federal, State, or local quarantine or isolation order related to coronavirus;
  2. has been advised by a health care provider to self-quarantine related to coronavirus;
  3. is experiencing coronavirus symptoms and is seeking a medical diagnosis;
  4. is caring for an individual subject to an order described in (1) or self-quarantine as described in (2);
  5. is caring for a child whose school or place of care is closed (or child care provider is unavailable) for reasons related to coronavirus; or
  6. is experiencing any other substantially-similar condition specified by the Secretary of Health and Human Services, in consultation with the Secretaries of Labor and Treasury.

How Long Does Leave Last?

For purposes of quarantining or isolation, a full-time employee is eligible for 80 hours of leave, and a part-time employee is eligible for the number of hours of leave that the employee works on average over a two-week period.

To care for a child whose school or place of care has been closed, a full-time employee is eligible for up to 12 weeks of leave (two weeks of paid sick leave followed by up to 10 weeks of paid expanded family & medical leave) at 40 hours a week, and a part-time employee is eligible for leave for the number of hours that the employee is normally scheduled to work over that period.

How Is Pay Calculated?

If employees are taking leave to be in quarantine or seek coronavirus treatment, they are entitled to pay at either their regular rate or the applicable minimum wage, whichever is higher, up to $511 per day and $5,110 in the aggregate (over a 2-week period).

Employees taking leave to care for someone quarantined are entitled to pay at 2/3 their regular rate or 2/3 the applicable minimum wage, whichever is higher, up to $200 per day and $2,000 in the aggregate (over a 2-week period).

Employees taking leave to care for a child whose school or place of care has closed are entitled to pay at 2/3 their regular rate or 2/3 the applicable minimum wage, whichever is higher, up to $200 per day and $12,000 in the aggregate (over a 12-week period).

If you have any additional questions about the availability of paid leave, then call us at (912) 401-0121.

 

Guidelines for reimbursement under the FFCRA

The Department of Labor and the IRS have lots of regulations and guidelines to apply the FFCRA and requirements for employers to obtain their reimbursements.  If you would like guidance on any of the following, contact our office:

1)      How to apply accrued employer supplied paid time off with the FFCRA required pay.

2)      Leave request forms that will help you obtain the documentation you will need to obtain reimbursement.

3)      Information regarding exemption from the leave requirements for healthcare providers and businesses under 50 employees, including exemption documentation.

4)      Layoffs, furloughs, or terminations.

Call us at 912-401-0121.