ARTICLE
3 August 2020

Coronavirus Tracking Programs Need To Comply With Privacy Laws

MM
McLane Middleton, Professional Association

Contributor

Founded in 1919, McLane Middleton, Professional Association has been committed to serving their clients, community and colleagues for over 100 years.  They are one of New England’s premier full-service law firms with offices in Woburn and Boston, Massachusetts and Manchester, Concord and Portsmouth, New Hampshire. 
Companies reopening their offices and facilities will be collecting sensitive personal and health information about their employees to track COVID-19 symptoms.
United States Coronavirus (COVID-19)

Companies reopening their offices and facilities will be collecting sensitive personal and health information about their employees (as well as about customers, vendors, and other visitors) to track COVID-19 symptoms. Although the Americans with Disabilities Act (ADA) typically places strict limits on the collection, use, and disclosure of health information about employees, the ongoing pandemic has prompted the Equal Employment Opportunity Commission and Centers for Disease Control and Prevention to permit the widespread gathering of health information in the workplace in an effort to stem the spread of the coronavirus.

While ADA limitations have been eased, privacy laws have not. Various state, federal, and foreign privacy regulations impose strict requirements on companies collecting and using health information and other sensitive or personal information. For example, companies must:

  1. Notify individuals about the purposes for the collection, use, and disclosure of personal and health information and (in certain instances) obtain consent from individuals before engaging in such collection, use, and disclosure.
  2. Ensure that the collection, use, and disclosure of personal and health information is only for purposes that are specifically permitted by privacy laws.
  3. Notify individuals of their rights with respect to personal and health information, and honor those rights whenever exercised by individuals.
  4. Implement robust security controls that are appropriate to protect the sensitive of the information collected, used, and disclosed.

Because many companies have not previously engaged in the widespread handling of sensitive personal and health information, they likely are unfamiliar with the privacy requirements that apply to such information, and are unaware of and unprepared to implement the controls required by the regulations above, and others like them. Consequently, as businesses reopen, return employees to the workplace, and operate during the pandemic, they should work with an experienced privacy attorney to conduct a privacy risk assessment and implement the controls necessary under applicable privacy law.

For more information on the specific privacy laws that may govern how your business collects health information as part of its COVID-19 prevention efforts, please see New Privacy Concerns Emerge as Businesses Reopen.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More