Many employers in the US are grappling with appropriate efforts to contain and protect the workforce against COVID-19.  Those efforts include employee and visitor screening activities that range from requiring all personnel to provide an affirmation upon admission to a worksite to taking vital signs or other hands-on screenings.  But are those screening activities lawful under applicable privacy and confidentiality laws in the US?  And what should employers do when they have reason to suspect someone is infected?  Are there obligations to inform other employees or health authorities?

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes restrictions on disclosures of protected health information only on a covered entity’s or business associate’s workforce.  As such, unless a disclosure is made by or on behalf of an employer’s Group Health Plan, HIPAA should not generally apply to the scenarios described above, since the Group Health Plan is considered to be a separate legal entity under HIPAA, and we assume that none of these activities would be paid for by the Group Health Plan under covered insurance transactions.  Business associates are generally persons or entities that perform functions or activities on behalf of a covered entity, such as a Group Health Plan, which as noted should not be implicated here.  Accordingly, HIPAA’s Privacy Rule does not apply to the collection, use, or disclosures of individually identifiable health information made by an employing entity in the context of worksite COVID-19 screening activities. 

BIPA

The Illinois Biometric Information Privacy Act (BIPA) restricts the collection, use, or other processing of biometric identifiers by entities (including employers), unless certain requirements are met.  Those requirements include, among others, informing individuals that biometric information is being collected or stored; informing individuals about the purpose and length that this information will be retained; obtaining a “written release” for the collection, use, and storage of that information; and establishing and posting a policy on these issues.  In the context of an employer performing COVID-19 worksite screening activities seeking to obtain body temperature through a hand-held thermometer or a scan for temperature, BIPA should not apply because the term “biometric identifier” generally refers to “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Photographs or human biological samples used for testing or screening, or demographic data, are specifically excluded.  Performing temperature scans or other basic screening activities should, therefore, not fall within the definition of “biometric identifier” that triggers the application of BIPA, unless specific data is collected.

Other State Privacy Laws

At the state level, several states have generic medical confidentiality laws, but those laws should generally not restrict worksite screening activities.  California, for example, has the Confidentiality of Medical Records Act.  This law generally restricts the disclosure of “medical information” without first obtaining authorization, subject to numerous statutory exceptions.  The term “medical information,” however, refers to “individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care services plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”  An employer performing worksite screening activities would generally fall outside the scope of this definition.  Texas also has the Medical Record Privacy Act that imposes similar restrictions on medical information.  That statute, however, specifically exempts an “employer” from its scope.

Americans with Disabilities Act

Finally, even if worksite screening activities are permissible, employers must still take steps to protect the confidentiality of affected employees.  Title II of the Americans with Disabilities Act (ADA) (42 USC § 12101 et seq.) establishes the basic rule is that, with limited exceptions, employers must keep confidential any medical information they learn about an applicant or employee (42 USC § 12112(d)(3)(B)).  Information could be confidential, even if it contains no medical diagnosis or treatment course, and even if it is not generated by a health care professional.  For example, an employee’s request for a reasonable accommodation for COVID-19 treatment or recovery may be considered medical information subject to the ADA’s confidentiality requirements.

ADA also restricts an employer from requiring a medical examination, or making certain disability inquiries of employee, unless that examination or inquiry is shown to be job-related and consistent with business necessity.  Employers may, however, perform voluntary medical examinations as part of a worksite employee health program, and inquire about the ability of an employee to perform job-related functions.  (42 USC § 12112(d)(4)).  The extent and frequency of those medical examinations in the context of COVID-19 worksite screening, and the mandatory or voluntary nature of those activities, should, therefore, be carefully considered with counsel.

Regulatory Guidance for Employers

The Centers for Disease Control and Prevention recommends employers take the following steps at worksites:

  • Separate sick employees.  If upon arrival to work, an employee becomes sick, separate that employee from others, and send them home immediately.  This includes visitors and other non-employees. 
  • Actively encourage sick employees to stay home, and not return to the workplace until they are free of fever (100.4° F [37.8° C] or greater using an oral thermometer), signs of a fever, and any other symptoms for at least 24 hours, without the use of fever-reducing or other symptom-altering medicines (e.g. cough suppressants).
  • Do not require a healthcare provider’s note for employees who are sick with acute respiratory illness to validate their illness or to return to work.  This is because healthcare provider offices and medical facilities may be extremely busy, and unavailable to provide documentation in a timely way.
  • Review and be prepared to follow a “Business Infectious Disease Outbreak Response Plan” based on the present condition in each worksite.
  • Coordinating with state and local health officials is strongly encouraged.  Since the intensity of an outbreak may differ according to geographic location, local health officials will be issuing guidance specific to their communities.

Further Information

For your convenient reference, here’s a list of available guidance from government authorities:

Centers for Disease Control and Prevention: Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019 (COVID-19), February 2020

Health & Human Services: Bulletin on HIPAA Privacy and Novel Coronavirus

Baker McKenzie’s Coronavirus Resource Center.

COVID-19: Essential Action Items for US Employers to Take Now (March 2020)

If you have any questions about this article or any privacy law issue, please do not hesitate to reach out to authors Brian HengesbaughHarry Valetk, Amy de La Lama, Brandon Moseberry or Mike Egan.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Amy de La Lama has assisted a wide array of companies in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.

Author

Brandon Moseberry advises global consumer, information technology, manufacturing, medical device, and financial institutions, among other clients, on a wide range of global data privacy, cybersecurity, direct marketing, social media, behavioral advertising, and related matters.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Write A Comment