Privacy Considerations for Navigating COVID-19

COVID-19 Update

As companies develop policies and procedures to respond to the COVID-19 outbreak, company leadership would do well to consider the limitations and prohibitions on the processing of employee information under federal and state privacy laws, as well as those in any internal company policies. Set forth below are the top privacy practices employers should ensure they implement when collecting, using and disclosing health and medical information provided by an infected or potentially infected employee.

  • Ensure that your company’s collection of personal information in connection with COVID-19 is consistent with existing company policy and applicable laws. In the event employers collect personal information from infected or potentially infected employees, employers should ensure that such collection is done in accordance with company policy and applicable federal and state privacy laws. Company leadership may need to consider whether the company’s privacy and data security policies require revision, in light of COVID-19 and any resultant precautions. For example, company leadership should consider whether its information collection and disclosure practices in connection with COVID-19 are in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule. The HIPAA Privacy Rule permits the use and disclosure of personal health information (PHI) without an individual’s consent in connection with treatment, payment and healthcare operations. The rule also permits incidental uses and disclosures without consent in certain circumstances. Any other use or disclosure of PHI requires an individual’s consent.

    It is also worth noting that the HIPAA Privacy Rule allows patient information to be shared to assist in nationwide public health emergencies and to assist patients in receiving the care they need.  However, this emergency waiver only applies to certain employers. For more information on how the HIPAA rules apply in emergency situations see here.

    Additionally, employers should take care not to inadvertently trigger, and run afoul of, federal privacy protections such as the U.S. Equal Employment Opportunity Commission, Genetic Information Nondiscrimination Act (GINA), Americans with Disabilities Act, or Occupational Safety and Health Act through their personal information collection activities while safeguarding the workplace. For example, asking employees about their health or the health of their family members could implicate GINA because such questions may result in the acquisition of genetic information. In addition, new employee privacy disclosures mandated under the California Consumer Privacy Act may not currently cover data collection for purposes of mitigating workforce health risks and may need to be quickly revised before employers undertake such activity.
  • Limit your collection of employee medical information to what is necessary. Employers may need to collect personal information from employees in order to safeguard the workplace and employees. This information, for example, may include the identity of employees or family members who have traveled to impacted areas, have been exposed to COVID-19 and/or are showing symptoms of COVID-19. In doing so, employers should limit the collection of an infected or potentially infected employee’s or employee’s family members’ health and medical information to what is strictly necessary to protect the workplace environment or as required by law. Whatever information is collected should be transmitted in a secure manner, and any unneeded information should be securely destroyed as soon as it is identified.
  • Maintain the confidentiality and privacy of infected or potentially infected employees. To ensure compliance with applicable company policy and federal and state privacy laws, employers should take care not to reveal the identity of an infected or potentially infected employee and should only communicate the existence of such to other employees on a “need to know” basis and with the employee’s consent. As much as possible, employers should not disclose the identity of an actually or potentially infected employee or provide any information that would allow other employees to identify that person. Likewise, employers should limit access to the employee’s records and communications regarding their condition to designated employees on a need-to-know basis.

In summary, companies must balance the responsible sharing of information with employees and the public, while making sure any information sharing is done in accordance with established privacy principles, company policy and applicable laws.

For more information and assistance with ensuring your privacy policies and procedures align with federal and state privacy laws, please reach out to a member of Manatt’s Privacy and Data Security team.

For regular updates on the major challenges companies are facing, please visit our COVID-19 resources page and subscribe for timely updates in your inbox here.

manatt-black

ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2020 Manatt, Phelps & Phillips, LLP.

All rights reserved