COVID-19 Document Handling Protocol—a Good Idea? HIPAA & HITECH Act Blog by Jonathan P. Tomes

Although HIPAA does not require a protocol or policy for the handling of documents containing PHI if doing so involves a risk, the requirement for risk analysis and risk management would seem to imply that considering in a risk analysis what, if any, reasonable and appropriate security measures should be implemented would be a good idea.

Although the spread of the COVID-19 virus on various surfaces is not, as yet, fully known, the Centers for Disease Control (“CDC”) has emphasized that the coronavirus does not spread easily on surfaces but is more readily spread by human-to-human contact, such as by sneezing, coughing, talking, and the like.

The CDC website notes, “It may be possible that a person can get COVID-19 by touching a surface or object that has the virus on it and then touching their own mouth, nose, or possibly their eyes, This is not thought to be the main way the virus spreads, but we are still learning more about this virus.”

Kathryn Watson reported, “CDC says COVID-19 not caught easily from surfaces and 40% of transmission occurs before people feel sick.” CBS News, May 22, 2020, at

WebMD has published an article discussing how long the virus lives on various surfaces. The most relevant surfaces are these:

·         Wood, such as furniture: 5 days.

·         Plastic: 2 to 3 days.

·         Stainless steel: 2 to 3 days.

·         Cardboard: 24 hours.

·         Paper: The length of time varies. Some strains of coronavirus live for only a few minutes on paper, while others live for up to 5 days.

WebMD, “How Long Does the Coronavirus Live on Surfaces?” undated, at

Alice here, but not trying to sell you anything this time. Some other links that might be helpful include the following provided by my daughter Elizabeth McCart, Program Specialist at National Institutes of Health (“NIH”) in Baltimore:

Back to Jon: It would seem that a risk analysis of the possibility of catching COVID-19 by touching a COVID-19 related document, such as the patient’s or client’s or resident’s attestation that he or she is not suffering the list of symptoms, has not travelled out of the country, and has not been exposed to someone who has the disease, although perhaps not likely, is a serious enough risk to consider preventing it with a thorough risk analysis and implementing a protocol to try to prevent it.

Thus, although not required by HIPAA in terms, having a document handling protocol may well be reasonable and appropriate—if not to protect the PHI on the documents, then to protect the workforce members that handle the documents. Part of a HIPAA disaster or emergency mode operation plan should include what happens if the disaster renders enough workforce members unable to carry out necessary functions. So preventing that inoperability would seem important.

Normally, a sample document handling protocol would be reserved for our Premium Members, but now during this pandemic, as with other resources, we are providing it to all of our readers, for free, with our thanks for reading our blog posts and buying our HIPAA tools, as follows:


COVID-19 Document Handling Protocol


[Name of organization] has adopted this COVID Document Handling Protocol to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter “HIPAA”); the Department of Health and Human Services (“DHHS”) security and privacy regulations; and the Joint Commission on Accreditation of Healthcare Organizations accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. In addition, this Protocol will help protect our workforce members and patients [clients] [residents] from this potentially life-threatening virus and assist in ensuring our continued operations during the pandemic. All workforce members of [name of organization] must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every [name of organization] workforce member’s responsibilities.


This COVID-19 Document Handling Protocol is based on the following assumptions:

  • COVID-19 is a serious health hazard that can result in intense medical treatment and even death. To date, no vaccine has proven effective, nor has any treatment resulted in an easy and quick cure. Even if a vaccine is approved and is effective, some time will elapse before the virus can be contained, so precautions against exposure will remain necessary for some time.
  • Although COVID-19 is primarily transmitted though aerial contact, such as by sneezing, coughing, talking, and the like, particularly in enclosed areas, it may be transmitted by contact with infected surfaces, such as documents, receptacles containing documents, and surfaces, such as desks and counters, among others.
  • The health of our patients [clients] [residents], our workforce members, visitors, and others who may enter our facility is of the highest importance.
  • The ability of our workforce members to perform their duties without becoming infected is certainly of the highest importance.


This protocol is intended to implement reasonable and appropriate security measures to prevent COVID-19 infections among patients [clients] [residents], our workforce members, visitors, and others to maintain their health and allow for continued effective health care operations.


The [clinical director] [infectious disease officer][director of health information management][office manager][other] is responsible for implementing this protocol.

All workforce members and others with access to health information must comply with this protocol protecting the security and confidentiality of health information and individuals’ health from COVID-19 infection as specified below.

COVID Document Handling Protocol

The responsible officer will ensure that workforce members and others who handle documents, particularly COVID-19 related documents, such as attestations of no symptoms, consents to testing, medical histories, and the like, follow these guidelines:

  • Avoid skin-to-skin contact.
  • Respect physical distance of 2 meters (6 feet).
  • Wear COVID-PPE, including gloves and face masks [others?].
  • Prevent face to face positioning with others.
  • Refrain from sharing tools or equipment.
  • Reduce contact time.
  • If feasible, promote and use alternative document handling methods, such as digital signatures, taking orders by phone/email, signing delivery documentation on behalf of customers, email document pictures.
  • Avoid as much as possible the exchange of utensils, devices, and paperwork.
  • Where a physical exchange of documentation/paperwork cannot be avoided, take the following precautions:
  1. Use disposable gloves, face mask, eye protection [other(s)?].
  2. Wash entirely often (including nails and back of hand) with soap and water for at least 20 seconds after exchanging/ touching paperwork.
  3. Assign a tray to deposit paperwork, separated 2 meters / 6 feet from an individual workstation.
  4. Place visual stand-up marks on the floor for proper distance (2 meters / 6 feet) and a barrier to shield the interaction between personnel.
  5. Disinfect the counter frequently.
  6. All personnel with high physical interaction/exposure should wear masks, gloves, and eye protection gear or face shield.
  7. Clean and disinfect workplace and environmental surfaces: remove dirt, and use disinfecting products.
  8. Remember that these documents likely contain PHI, so safeguard them from unauthorized access, viewing, removal, or destruction.


All workforce members, including officers, agents, employees, volunteers, and students of [name of organization] must adhere to this policy, and all supervisors are responsible for enforcing this policy. [Name of organization] will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with [name of organization]’s medical information sanction policy and personnel rules and regulations.

_________________________________     _______________________

Signature of Workforce Member                                  Date

_________________________________      ___________________________

Title of Workforce Member                                            Printed Name of Workforce Member

_________________________________      ______________________________

Witness                                                                               Printed Name of Witness






On October 5th, 2020, posted in: HIPAA Compliance Blog by
seo by: k.c. seo