The coronavirus has been spreading rapidly throughout the world, and organizations are taking stringent measures to protect the health of their workforce. Self-reporting obligations, medical information questionnaires, medical examinations, and temperature screenings are some of the actions employers are taking to keep COVID-19 from entering the workplace.
Even in this pandemic, organizations cannot avoid the privacy risks related to collecting medical information under state and federal law. In this article, we discuss the most frequently asked questions about an employer’s confidentiality obligations in this critical time.
1. What health-related details can employers ask their employees during COVID-19?
Employers can ask for the following information:
- A positive result, or any other diagnosis, related to COVID-19.
- Whether the employee has been asked to self-quarantine by a health official within the preceding 14 days.
- Symptoms of infection with COVID-19, e.g., fever of or over 100.4°F, cough, shortness of breath, sore throat.
- “Close contact” (as defined by the Centers for Disease Control) with any person who has tested positive for, or has been diagnosed with, COVID-19 infection within the previous 14 days.
- Whether the employee has traveled to a country for which the CDC has issued a Level 3 travel health notice.
- Depending on the geographic location, whether the employee is considered “high risk” for COVID-19 infection, for example, if the individual is above age 60, pregnant, or suffering from lung disease, diabetes, heart disease, HIV, asthma, or similar conditions.
2. Should employers check employees’ temperature before allowing them to enter the workplace?
Yes, they can. But employers should implement a temperature control protocol to ensure that temperature controls are designed to reduce the threat posed to the workplace by an employee with COVID-19. In particular, temperature controls should be safe, accurate, regularly implemented, and protective of employees’ privacy. For instance, all employees should be checked by trained individuals, and the results should be kept confidential.
3. Can health care employers with access to COVID-19 test kits require employees to be tested?
Guidance released on 21 March 2020 by the Equal Employment Opportunity Commission indicates that employers may require testing of all workers, regardless of whether the employee demonstrates symptoms of COVID-19, based on the fact that COVID-19 presents a “direct danger” to the workforce. This is an aggressive approach and should not be carried out without consulting counsel first.
4. Does the Health Insurance Portability and Accountability Act (HIPAA) apply to the health information gathered by employers?
In general, it does not. HIPAA imposes obligations to safeguard Protected Health Information (PHI) only on covered entities, which are defined to include health plans, health care clearinghouses, and health care providers. An employer acting as an employer does not fall under HIPAA. Other laws may apply, such as the Americans with Disabilities Act (ADA) or state confidentiality laws.
5. Can employers ask employees to agree to the disclosure of their positive test for COVID-19 infection?
The confidentiality provision of the ADA has no explicit exemption for reports made with the consent of the employee. Although there may be a risk in relying on an employee’s consent, this risk could be mitigated by taking the following steps:
- Obtaining written agreement from the employee.
- Informing the employee that the consent is purely voluntary and can be revoked at any time.
- Limiting the disclosure covered by the consent to specifically identified employees who have been in close contact with the infected employee during the 14-day period.
Is Remote Working a Threat to a Company’s Data Security?
Speaking of COVID-19 and organizations’ privacy, most employees are now working from home and using their personal equipment (smartphones, computers, and laptops). As a result, organizations are more concerned about their data security and privacy. Here are some tips that can help you keep your company’s data secure:
- Keep everything transparent between the organization and employees. For instance, if any changes are made to a company’s internal practices, each employee should be informed individually.
- Use a VPN service to guard against cyberattacks such as password or data theft. Whether you are working from home or connected at a café, a VPN protects you on public Wi-Fi.
- Install antivirus software to keep your system safe from viruses, malware, trojans, spyware, phishing attacks, and other cyber threats.
- In light of the current circumstances, companies may also need to carry out a data protection impact assessment whenever the processing is “likely to result in a high risk for the rights and freedoms” of individuals (art. 35 of the GDPR).