Employers are currently working to protect their workforces against COVID-19. Efforts might include employee and visitor screening activities including taking vital signs or body temperature through a hand-held thermometer or a scan for temperature. Are those screening activities lawful under applicable privacy and confidentiality laws in the US and are there obligations to inform other employees or health authorities?
HIPAA & Covered Entity Disclosure
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes restrictions on disclosures of protected health information on the workforce of a covered entity (health care providers, health plans and health care clearinghouses in the United States) and their service providers (business associates). HIPAA’s Privacy Rule does not apply to the collection, use, or disclosures of individually identifiable health information made by an employer in the context of worksite COVID-19 screening activities that are paid for by the employer.
The Office for Civil Rights of the US Department of Health and Human Services, which enforces HIPAA, has released helpful guidance on COVID-19-related uses and disclosures (see https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf). Under HIPAA, Covered Entity health care providers may disclose PHI about individuals who are suspected of having contracted COVID-19 to public health authorities that are authorized by law to receive such information for preventing or controlling the spread of disease. “Public health authorities” include agencies or authorities of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. Under HIPAA, health care providers may also, at the direction of a public health authority, disclose PHI to a foreign government agency. Some states have mandatory legal requirements to report infectious disease cases, such as COVID-19, to state or local public health authorities.
Generic State Medical Confidentiality Laws
Several states have enacted generic medical confidentiality laws; however, those laws generally do not restrict worksite screening activities. For example, in California, the Confidentiality of Medical Records Act generally restricts the disclosure of medical information without first obtaining authorization, which is subject to numerous statutory exceptions. However, an employer performing worksite screening activities generally falls outside the scope of the definition of medical information under the Act. Another example is the state of Texas where the Medical Record Privacy Act imposes similar restrictions on medical information. However, the Act specifically exempts an “employer” from its scope.
The Illinois Biometric Information Privacy Act (BIPA) restricts the collection, use, or other processing of biometric identifiers by entities, unless certain requirements are met. In the context of an employer performing COVID-19 worksite screening activities seeking to obtain body temperature through a hand-held thermometer or a scan for temperature, BIPA should not apply because the term “biometric identifier” generally refers to “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
Except under limited circumstances, employers should not disclose the identity of an employee suspected of having or diagnosed with coronavirus. Under the Americans with Disabilities Act, 42 USC § 12101 et seq. (ADA), employee medical information must be kept confidential and may only be shared in very limited circumstances. Information could be confidential even if it contains no medical diagnosis or treatment course, and even if it is not generated by a health care professional. For example, an employee’s request for a reasonable accommodation for COVID-19 treatment or recovery may be considered medical information subject to the ADA’s confidentiality requirements.
In an employment context, the employer should make every effort to protect the medical confidentiality of the individual while still providing sufficient information to the workplace for them to take appropriate steps. In almost every case, this can be done without sharing the name of the person who was infected.
In a company-wide notice, an employer should:
• Send a general communication reporting that there has been a suspected/confirmed case of coronavirus in the workplace and urging employees to watch for symptoms and, if symptoms occur, to stay away from the office and consult with a medical provider.
• Note how the company is taking all appropriate steps to manage the situation in accordance with official guidance.
• Refer employees to guidance materials provided by public health agencies, including the Centers for Disease Control and Prevention (CDC).
• Designate individuals and provide contact information for employees to direct questions/concerns (preferably HR or a similar role).
The ADA places restrictions on the inquiries that an employer can make into an employee’s medical status, and the EEOC considers taking an employee’s temperature to be a “medical examination” under the ADA (see https://www.eeoc.gov/facts/pandemic_flu.html). The ADA prohibits employers from requiring medical examinations and making disability-related inquiries unless (1) the employer can show that the inquiry or exam is job-related and consistent with business necessity, or (2) the employer has a reasonable belief that the employee poses a “direct threat” to the health or safety of the individual or others that cannot otherwise be eliminated or reduced by reasonable accommodation.
Taking an employee’s temperature may be unlawful if it is not job-related and consistent with business necessity. The inquiry and evaluation into whether taking a temperature is job-related and consistent with business necessity is fact-specific and will vary among employers and situations. The EEOC’s position during a pandemic is that employers should rely on the latest CDC and state or local public health assessments to determine whether the pandemic rises to the level of a “direct threat” (see https://www.eeoc.gov/facts/pandemic_flu.html#4). The assessment by the CDC as to the severity of COVID-19 will provide the objective evidence needed for a medical examination. If COVID-19 coronavirus becomes widespread in the community, as determined by state or local health authorities or the CDC, then employers may take an employee’s temperature at work. However, as a practical matter, an employee may be infected with the COVID-19 coronavirus without exhibiting recognized symptoms such as a fever, so temperature checks may not be the most effective method for protecting your workforce. The extent and frequency of any medical examinations in the context of COVID-19 worksite screening, and the mandatory or voluntary nature of those activities should carefully be discussed with legal counsel.
Regulatory Guidance for Employers
In an Interim Guidance for Businesses and Employers, the Centers for Disease Control and Prevention states that: “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).” The CDC recommends that employers take the following steps at the workplace:
• Separate sick employees. If, upon arrival at work, an employee becomes sick, separate that employee from others and send them home immediately. This includes visitors and other non-employees.
• Actively encourage sick employees to stay home, and not return to the workplace until they are free of fever (100.4° F [37.8° C] or greater using an oral thermometer), signs of a fever, and any other symptoms for at least 24 hours, without the use of fever-reducing or other symptom-altering medicines (e.g. cough suppressants).
• Do not require a healthcare provider’s note for employees who are sick with acute respiratory illness to validate their illness or to return to work. This is because healthcare provider offices and medical facilities may be extremely busy, and unavailable to provide documentation in a timely way.
• Review and be prepared to follow a “Business Infectious Disease Outbreak Response Plan” based on the present condition in each worksite.
• Coordinating with state and local health officials is strongly encouraged. Since the intensity of an outbreak may differ according to geographic location, local health officials will be issuing guidance specific to their communities.
For more information on the Interim Guidance for Businesses and Employers issued by the CDC, please see https://www.cdc.gov/coronavirus/2019-ncov/php/risk-assessment.html. This is for the record.
For The Public Record is a monthly blog featuring thought leadership from the most seasoned experts at ClearStar, across all functions of the background screening process.