Employee Privacy in the Age of COVID-19

The recent outbreak of COVID-19 has brought into sharp focus the need for employers to have a comprehensive plan for business continuity and incident response. As employers evaluate their plans, a critical privacy question has arisen: “Can we (or should we) collect and share the diagnoses of employees who test positive for the disease?”

This question raises a host of issues related to privacy compliance and data ethics that are difficult to operationalize. To help determine where they should land on this important issue, employers should first consider current regulatory guidance.

What Regulators Are Saying:

Centers for Disease Control and Prevention (general guidance for employers):

If an employee is confirmed to have contracted COVID-19, their diagnosis must be kept confidential.

Office for Civil Rights, U.S. Department of Health and Human Services (interpreting the Health Insurance Portability and Accountability Act (HIPAA)):

The HIPAA Privacy Rule applies only to organizations that are Covered Entities under HIPAA (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and, through the business associate provisions, to vendors that handle protected health information on a Covered Entity's behalf. Records an organization holds about its own workforce in its capacity as an employer are not protected health information, even when that organization is itself a Covered Entity.

U.S. Equal Employment Opportunity Commission (interpreting the Americans with Disabilities Act and employee privacy generally):

Employers may ask employees if they are experiencing influenza-like symptoms, such as fever, chills, cough, or sore throat. Employers may also measure employees’ body temperature. However, employers must maintain all information about employee illnesses as a confidential medical record.

Commission Nationale de l'Informatique et des Libertés (CNIL, the French Data Protection Authority, interpreting the General Data Protection Regulation (GDPR)):

Employers must refrain from collecting information related to possible symptoms exhibited by employees or their relatives. It is therefore impermissible to conduct mandatory readings of the body temperatures of employees or onsite visitors. The assessment and collection of information relating to symptoms of coronavirus and information on the recent movements of certain people is the exclusive responsibility of public health authorities.

Garante per la Protezione dei Dati Personali (Italian Data Protection Authority, interpreting the GDPR):

Reflecting the seriousness of the outbreak in Italy, and contrary to the French guidance, Italian authorities are permitting employers to collect information about coronavirus symptoms or the location of their employees.[1] However, the GDPR's privacy principles (e.g., data minimization and limited retention) and other relevant requirements (e.g., a privacy notice and appropriate technical and organizational controls) remain fully in effect.

Practical Guidance:

In light of the disjointed and, at times, conflicting regulatory guidance on employee privacy during this crisis, below is a series of golden rules that can serve as a practical benchmark for employers.

  1. An employee’s COVID-19 status is not subject to HIPAA, but it should still be treated as confidential. The U.S. Department of Health and Human Services has made it clear that employee-health information held by an employer falls outside the scope of HIPAA. Notwithstanding this, the latest guidance from the Centers for Disease Control and Prevention reminds employers of the need to continue treating coronavirus diagnoses as confidential information. This matches the guidance coming out of Europe and is also generally consistent with the average individual’s reasonable expectation of privacy concerning their health-related information.
  2. Employers are permitted to collect information regarding employees’ COVID-19 status. Although there are some restrictions in the European Union (so proceed with caution), the general guidance in the United States is that U.S. employers are permitted to make inquiries about employees’ COVID-19 status. They should, however, refrain from asking employees whether they suffer from a pre-existing medical condition that might make them more vulnerable to the disease, since that is a disability-related inquiry rather than a question about the current outbreak.
  3. Employers can and should share with other employees when a colleague has tested positive. For public-health reasons, it is important that employees be notified when someone they have been in contact with has tested positive for the coronavirus. Employers can limit such a notice to the affected office or wing of a building, rather than communicating it globally or companywide. Employees who receive such a notice will then have the option of contacting a health professional to be tested for the coronavirus. It is important to remember that the infected person’s privacy and confidentiality must be respected: no names or other identifying details should be given to co-workers, and the identity should be shared only with those in executive leadership who need it to manage the response.
  4. Employers in the U.S. may conduct medical inquiries and perform temperature tests. Current regulatory guidance permits employers to ask whether their employees are experiencing influenza-like symptoms. Employers are also permitted to take employees’ temperatures. Importantly, this guidance exists only in the context of a pandemic and should not be considered standard operating procedure once this crisis ends.
  5. Employees should be notified ahead of time how their employer will process and maintain information regarding their COVID-19 status. Notice has always been one of the foundational principles of privacy. Employees should be regularly informed of any updates to the organization’s business continuity plan for coronavirus, and of how their information will be treated should they come forward with a positive diagnosis. This is something employers can do today.
  6. Information regarding employees’ COVID-19 status should be closely protected. As a final catch-all, employers must remember that long-standing privacy and data protection principles still apply to employees’ COVID-19 status. Employers should collect the minimum amount of information necessary and retain it only for as long as it remains relevant. Access to such information should be limited to those within the organization who need to be made aware of a potential diagnosis, with strong data governance standards continuing to apply to that information going forward. In the U.S., the Americans with Disabilities Act already requires that employee medical information be kept in a separate, confidential medical file rather than in the general personnel file, and a symptom or temperature log should be handled the same way. Performing a Data Protection Impact Assessment (DPIA) can help identify the remaining gaps.
We have an experienced team of experts that is happy to assist organizations in navigating the difficult intersection of coronavirus prevention and employee privacy. Beyond our privacy expertise, our talented group of industry practitioners and former regulators has the experience and capabilities to assist organizations with issues related to business continuity, crisis management, and incident response. Please do not hesitate to contact us should you need any assistance during this challenging time.

[1] English translation is currently unavailable.

Author

Jason Sarfati

Jason Sarfati, Director of Privacy and Data Ethics with Treliant, is an experienced attorney and consultant who specializes in addressing the privacy, data protection, and cybersecurity challenges faced by large multinational organizations. He advises companies on how to comply with international, federal, and state privacy laws that govern the collection,…