OSHA: We have an employee out with COVID-19. What is the current timeline for healthcare workers to return to work?
The CDC guidance says that employees experiencing a mild to moderate case of COVID-19 who are not moderately to severely immunocompromised may return to work after 7 days have passed since symptoms first occurred (day 0), and COVID-19 testing is performed. If a NAAT (PCR) test is negative on day 5, then they can return to work on day 7. If an antigen test (home tests are an example) is negative on day 5, then repeat the test 48 hours later. If both tests are negative, the employee can return to work.
If either test is positive on day 5 or 7, or if a test was not performed, they can return to work on day 10. Employees must be fever free for 24 hours without the use of a fever reducer and their symptoms must be improved. Additional guidance can be found at https://www.cdc.gov/coronavirus/2019-ncov/hcp/guidance-risk-assesment-hcp.html.
Policies should be updated and reviewed with staff as needed. TMC clients with portal access have the Pandemic Preparedness Plan available as a resource.
HIPAA: Are Sanctions Policies a HIPAA requirement?
Yes, under both the privacy AND security rule, it is a requirement. According to HHS:
“Regulated entities are responsible for protecting the privacy and security of protected health information (PHI) by training their workforce, adopting written policies and procedures, and sanctioning workforce members who violate those policies and procedures. Sanction policies are specifically required by both the Privacy Rule and the Security Rule:
- The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
- The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”