The ongoing battle against COVID-19 has raised privacy concerns in the United States and throughout the world. Governments are collecting health information and tracking individual movements using cellphone data. Researchers are processing and analyzing protected health information. Companies are trying to monitor the health of their personnel to ensure that workplaces are safe.
This client alert focuses on companies' efforts to ensure health and safety. Most of these efforts will fall within existing exceptions to privacy laws for epidemics and public health emergencies. Regulators have also been flexible, and some have suspended enforcement activities or waived penalties during this time of crisis. Yet privacy laws and regulations continue to apply, and companies must continue to comply with them. To assist companies in doing so, this alert addresses some frequently asked questions.
The HIPAA Privacy Rule
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a U.S. law that protects the health information of individuals. HIPAA has various sections, including a section that protects privacy known as the HIPAA Privacy Rule.
Does HIPAA apply to our company?
If it does, you probably already know it. The HIPAA Privacy Rule does not apply to every business or employer. It applies only to "covered entities" and "business associates." "Covered entities" include health care providers, health plans and health care clearinghouses, while "business associates" are typically those who perform functions and provide services to covered entities. 45 C.F.R. § 160.103.
Does HIPAA apply to our company if we offer a group health plan to our employees?
No. In that circumstance the HIPAA Privacy Rule would apply to the health plan, but not to your company. There are, however, exceptions, which might apply if, for example, your company self-insures or offers an on-site employee health clinic.
If HIPAA applies, can we share an employee's health information with public health authorities?
Yes, covered entities may disclose protected health information to "a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease." 45 C.F.R. § 164.512(b)(1)(i). Indeed, some states make such disclosures mandatory. Moreover, if directed by a public health authority, covered entities may also disclose protected information to a foreign government agency. Id.
Business associates may only use or disclose protected health information as set forth in their business associate contract or as required by law. Generally, this means that the business associate may not use or disclose protected health information in a way that the covered entity cannot. See 45 C.F.R. § 164.504(e).
Do we need permission from the employee to disclose their health information to a public health authority?
No, covered entities can make this type of disclosure without the individual's authorization. See generally 45 C.F.R. § 164.512.
Are there other types of permitted disclosures under HIPAA?
Yes, among other permitted disclosures, covered entities may disclose protected health information, if necessary, to treat the affected individual or someone else. See 45 C.F.R. § 164.506. Covered entities may also disclose protected health information to "a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition," provided that the covered entity or public health authority is authorized by law to do so "in the conduct of a public health intervention or investigation." 45 C.F.R. § 164.512(b)(1)(iv).
Does HIPAA permit a covered entity to share an individual's health information with their family or friends?
A covered entity may disclose to a family member, relative, close personal friend, or other person identified by the individual the protected health information directly relevant to that person's involvement with the individual's health care or payment. See 45 C.F.R. § 164.510(b). When possible, the covered entity should get verbal permission from the employee to make such a disclosure or be reasonably able to infer that the employee would not object. Id.
Under HIPAA, are there limits to what we can disclose?
Yes, for most disclosures, a covered entity must make reasonable efforts to disclose only the "minimum necessary" to accomplish the purpose of the disclosure. 45 C.F.R. § 164.502(b).
Where can we go for more information about HIPAA and COVID-19?
In February, the Department of Health and Human Services ("HHS") provided guidance about the HIPAA Privacy Rule as it relates to COVID-19. Office of Civil Rights, HHS, Bulletin, HIPAA Privacy and Novel Coronavirus, available at https://www.hhs.gov/sites/defa.... HHS has since issued other COVID-19 guidance and there is more to come. Among other things, the new CARES Act directs HHS to "issue guidance on the sharing of patients' protected health information," including compliance with certain HIPAA regulations. CARES Act § 4223.
Are there other privacy laws that might apply to HIPAA disclosures?
Yes, there may be state and local laws, regulations, or ordinances that affect HIPAA disclosures.
California Consumer Privacy Act ("CCPA")
Has the CCPA taken effect yet?
The CCPA became effective on January 1, 2020, with penalties for violation to become effective on July 1, 2020. Although the penalties for violation are not yet in effect, plaintiffs' lawyers have already filed at least nine putative class action cases alleging violations of the CCPA against companies such as Zoom.
Does the CCPA permit disclosure of employee health information?
The CCPA does not generally prevent a business from disclosing personal health information. However, it provides California residents with the right to request, among other things, that covered businesses disclose "the categories of third parties with whom the business shares personal information." Cal. Civ. Code § 1798.110(a)(4). This does not apply to, among others, covered entities under HIPAA.
Workplace Protections
Has the EEOC issued any guidance on employees' rights in the workplace?
The U.S. Equal Employment Opportunity Commission ("EEOC") enforces workplace anti-discrimination laws, including the Americans with Disabilities Act (ADA). While the ADA is not a privacy law, per se, it sets forth certain rules about medical examinations and inquiries. The EEOC had previously provided guidance on influenza epidemics, which it has now updated to account for the COVID-19 pandemic. EEOC, Pandemic Preparedness in the Workplace and the Americans with Disabilities Act, https://www.eeoc.gov/facts/pan....
Can we inquire about employees' health, symptoms, or travel as a condition to letting them return to work?
Yes, during a pandemic, an ADA-covered employer may ask employees who report feeling ill at work or call in sick if they are experiencing symptoms of the pandemic virus. For employees returning from travel (whether business or personal), an ADA-covered employer does not need to wait until the employee exhibits symptoms of the pandemic virus to ask questions regarding potential exposure to the pandemic during the travel.
Can we take the temperature of employees?
Taking someone's temperature is a medical examination, but because the COVID-19 pandemic is widespread, the EEOC permits an employer to measure employees' body temperature.
Can we require employees to stay home if they have symptoms of COVID-19?
The ADA does not prevent an employer from telling symptomatic employees to leave the workplace or stay home.
Can we disclose the name of an employee who tests positive for COVID-19 to fellow employees for precautionary purposes?
No. If an employee has a confirmed case of COVID-19, the CDC recommends that an employer inform fellow employees of their possible exposure to COVID-19 in the workplace, but maintain confidentiality under the ADA. This means that the employer should not identify the affected employee by name.
Can we require employees to wash their hands regularly?
According to the EEOC, mandating infection control practices, such as regular hand washing or coughing and sneezing etiquette, does not implicate the ADA.
Can we require employees to wear masks or gloves to reduce the possibility of COVID-19 infection?
According to the EEOC, an employer may require employees to wear personal protective equipment during a pandemic. However, the employer has to make reasonable accommodations for disabled employees who cannot comply (e.g., those who may be allergic to latex gloves).
Once there is a COVID-19 vaccine, can we require employees to get it?
An ADA-covered employer may encourage employees to get the vaccine, but cannot necessarily require them to take it. Among other things, the ADA and Title VII of the Civil Rights Act of 1964 provide certain exemptions to mandatory vaccines.
Are there state or local rules that we also need to consider?
In addition to the ADA, an employer should also review and comply with state and local rules governing privacy in the workplace. Some states have statutes that provide confidentiality protections for employee medical information, such as California's Confidentiality of Medical Information Act.
The EU's General Data Protection Regulation ("GDPR")
Does the GDPR permit the processing of employee health information?
The GDPR protects "data concerning health," including COVID-19 status, as a special category of personal data under Article 9. However, the GDPR permits the processing of such data when, among other things, it is necessary for (a) "the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services"; or (b) "reasons of public interest in the area of public health, such as protecting against serious cross border threats to health." GDPR Art. 9(2)(h) & (i). In these circumstances, it is not necessary to obtain the consent of the individual. Id.
Has there been any guidance from the EDPB?
On March 19, 2020, the European Data Protection Board ("EDPB") issued a statement in which it declared that "[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic." However, the EDPB also "underline[d] that even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects." European Data Protection Board, Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak (Mar. 19, 2020).
Did the EDPB address workplace protections?
The EDPB recognized that processing health data may be necessary to ensure health and safety in the workplace. However, it cautioned that such processing should be for specific and explicit purposes, that affected individuals should receive transparent information, and that adequate security measures and confidentiality policies should ensure that the information is not disclosed to unauthorized parties. The EDPB stated that employers may disclose that an employee is infected with COVID-19 to "colleagues and externals" but should not communicate more information than is necessary. Finally, the EDPB noted that most workplace protections will be a question of member state law. European Data Protection Board, Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak (Mar. 19, 2020).
Has there been any guidance from EU Member States?
Various EU member states have issued their own guidance on data protection during the COVID-19 pandemic. To give just two examples:
The UK's data protection authority, the Information Commissioner's Office or ICO, advises that it is "unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won't stop you from doing so." The ICO also suggests that companies "keep staff informed about cases in your organisation. Remember, you probably don't need to name individuals and you shouldn't provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn't prevent you doing this." ICO, Data Protection and Coronavirus: What You Need to Know, https://ico.org.uk/for-organis.../.
The French data protection agency, the Commission Nationale de l'Informatique et des Libertés or CNIL, also permits disclosures to health authorities, but is more protective of employee rights in the workplace. The CNIL recognizes that employees have a responsibility to inform an employer about COVID-19 symptoms, but it prohibits the employer from searching for possible symptoms in a generalized and systematic way or through individual inquiries and requests. The CNIL notes that this means that employers cannot take daily temperature readings of employees or visitors or make use of questionnaires and surveys. CNIL, Coronavirus (COVID-19): Les Rappels de la CNIL sur la Collecte de Données Personnelles (Mar. 6, 2020).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.