May 22, 2022

Volume XII, Number 142


May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

COVID-19: Need-to-Know Employer Information on Data Privacy and Recent Governmental Actions

Giving Notice of COVID-19 in the Workplace

When exposure or potential exposure situations call for notice to individuals who may be at transmission risk, they naturally want to know the name of the person who is the potential transmission source. May a company disclose the personal data collected from employees – such as an employee’s health condition (e.g., symptoms of illness) or medical diagnosis (e.g., a presumptive or confirmed COVID-19 diagnosis), including the employee’s identity, to its other employees?

We generally do not recommend disclosing the identity of someone infected, unless that person gives voluntary consent, and there is no legal requirement (at least currently) to do so. Of course, co-workers may figure out who is missing from work and connect the dots once the company has disclosed to at least a subset of employees that an employee has been diagnosed with COVID-19 (which is what a company should do if it learns of such diagnosis). When issuing such notices, we advise using phrases such as a colleague who works in a specific area or attended a certain meeting, etc., without providing a name.

Disclosing Medical Information

What about disclosing personal data collected from employees to third parties? If your company is getting general health data as a “covered entity” through its self-insured plan (i.e., the information is collected through a provider who sends it to the plan), then that information would be subject to the Health Insurance Portability and Accountability Act (HIPAA), and generally that information cannot be disclosed without an employee’s authorization. However, if the information the self-insured plan is collecting is specific to a threat like the coronavirus, the U.S. Department of Health and Human Services (HHS) has stated that HIPAA allows disclosure “[,]without a patient’s authorization, [of] protected health information about the patient as necessary to treat the patient or to treat a different patient.” 45 CFR §§ 164.502(a)(1)(ii), 164.506(c). In emergencies, HIPAA also allows disclosures to:

  • Public health officials, 45 CFR §§ 164.501 and 164.512(b)(1)(i)

  • Foreign public health officials working with U.S. officials, 45 CFR 164.512(b)(1)(i)

  • Persons at risk, if authorized by state authorities under the circumstances, 45 CFR 164.512(b)(1)(iv)

  • Friends or family acting as caretakers, 45 CFR 164.510(b)

As to other applicable employment law, the Equal Employment Opportunity Commission (EEOC) generally requires that any disability or medical information be kept confidential and disclosed on a need-to-know basis only. If your company feels it’s important to disclose personal medical information to an employee’s co-workers, we recommend that you seek consent from the employee first and consult with legal counsel before making such a disclosure without a documented, voluntary consent.

There are various other data protection requirements that U.S. employers should keep in mind in their COVID-19 prevention and response efforts. Below is a list of several relevant laws. 

Putting all these laws together, we generally recommend that companies limit the individuals who have access to employees’ personal data (i.e., disclosing only to those who need to know to perform their job functions) and collect the minimum amount of information necessary. Companies also should safeguard any health care information they collect, particularly because many states have added health/medical information as a “trigger” for notification, should that information ever be breached.

Related Statutes and Guidance

California Consumer Privacy Act (CCPA) – Requires privacy notices to employees in California about collected personal data. See here.

The Americans with Disabilities Act (ADA) and Rehabilitation Act – Describes anti-discrimination rules that often dovetail with privacy concerns. The EEOC has issued guidance under these laws, describing how to address specific issues related to a flu epidemic. See

HIPAA – Protects health care data held by health plans, health care providers and health care clearinghouses, and their business associates generally but allows personal health information (PHI) to be disclosed in some emergencies. See here.

State Health Laws – May determine who has the authority to declare a public emergency and how that status affects data-sharing.

State Data Breach Notification Laws – May require notification if any collected health/medical information is lost, hacked or stolen. By our current count, the following states trigger notice on health/medical information or health ID numbers:

  • Health or medical information: AL, AR, CA, DE, FL, IL, MD, MO, MT, ND, OR, PR, RI, SD, TX, VA (med statute), WA, WY, NAIC

  • Health insurance number: AL, AZ, CO, DE, FL, MD (to access health account), MO, NV, ND, OR, VA (med statute), WA, WY

State COVID-19 Developments – States with some of the highest numbers of reported cases of COVID-19 have recently issued guidance on existing employment laws or have adopted emergency rules to expand benefits for employees and employers who are affected by COVID-19. In addition, a number of state laws have been proposed in response to COVID-19 that would give employees additional benefits.

The U.S. Department of Labor (DOL) has issued guidance to states on how they can be flexible with their unemployment benefits eligibility requirements for employees affected by COVID-19. This includes extending benefits to employees whose employers temporarily cease operations in response to COVID-19, employees who miss work because of quarantine, and employee who choose not to work to avoid exposure or to care for a family member.

The Washington Employment Security Department (ESD) has adopted emergency rules to expand unemployment benefits for employees affected by COVID-19 due to shutdown of operations or quarantine. The ESD has also provided FAQs about using paid family and medical leave for COVID-19. In addition, ESD has provided a guide of common COVID-19 scenarios and the benefits available to employees in each scenario that can be found here.

Colorado has adopted emergency rules on paid sick leave for COVID-19 that took effect on March 11, 2020, and will be in effect for 30 days or longer (if Colorado’s state of emergency continues beyond that). The emergency rules require employers in certain industries or jobs to provide up to four days of paid sick leave to employees with flu-like symptoms who are being tested for COVID-19. The covered industries are leisure and hospitality; food services; child care; education, including transportation, food service and related work at educational establishments; home health, if working with elderly, disabled, ill or otherwise high-risk individuals; nursing homes and community living facilities. If employers already provide paid sick leave that meets the requirements of these rules and the leave has not already been exhausted, then no additional leave is required.

The California Labor Commissioner’s Office has issued guidance on using paid sick leave for self-quarantine if quarantine is recommended by civil authorities or an employee has traveled to a high-risk area. However, employers cannot require employees to use it for this purpose.

The California Employment Development Department has issued guidance on programs available to employees such as:

  • State disability benefits for those who are exposed to or have COVID-19

  • State-paid family leave benefits for employees caring for an ill or quarantined family member with COVID-19

  • Unemployment benefits for employees if their employer has reduced hours or operations due to COVID-19

The California Division of Occupational Safety and Health (Cal/OSHA) has issued guidance on requirements to protect workers from coronavirus.

State Employer Assistance – In addition to assisting employees, states are also providing assistance for employers affected by COVID-19.

Washington is allowing employers to request relief from unemployment benefit charges during temporary shut-downs due to quarantine and making standby available for eligible part-time workers along with full-time workers.

California’s guidance also includes resources for employers on handling COVID-19 related issues regarding workplace health and safety, reduced work hours, potential closure or layoffs, and tax issues.

Many states are proposing laws or rules in response to COVID-19 such as:

  • Colorado: Proposal would expand unemployment insurance eligibility for quarantined employees.

  • Hawaii: Proposal urges state and private health care networks to allow sick employees to take time off without fear of retaliation or retribution.

  • Kentucky: Proposal provides paid sick leave for employees.

  • Maryland: Proposal prohibits employers from terminating quarantined or isolated employees.

  • New York: Proposal prevents employers from terminating or otherwise penalizing employees who are unable to work due to COVID-19.

It is anticipated that more states will follow suit and provide guidance along with additional benefits and relief for employees and employers. Faegre Drinker will continue to monitor and report on these developments.

© 2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume X, Number 77

About this Author

Susan W. Kline Labor & Employment Litigation Attorney Faegre Drinker Law Firm Indianapolis

A former human resources function leader and employment litigator with trial experience, Susan Kline is dedicated to helping employers take practical, effective and balanced action in HR legal matters to promote the organization’s overall business interests. Susan helps clients manage employment-related matters by providing counseling, training, and policy advice and review services on issues such as leave and disability management, workforce restructurings, human resources processes, employee discipline and discharge, and employment agreements.

317 237 1059
Paul Luehr Cybersecurity Lawyer Faegre Drinker

Paul Luehr partners with clients to optimize their privacy and cybersecurity practices, from risk management to incident response. As the leader of the firm's privacy and cybersecurity team, Paul understands that cybersecurity crises can be profoundly costly, and they can strike organizations across a wide range of industries. Drawing from 25 years on the cutting edge of data privacy and cybersecurity — including experience investigating and prosecuting cybercrimes with the Federal Trade Commission (FTC) and the Department of Justice (DOJ) — Paul helps clients avoid becoming a cautionary...

612 766 7195
Daniel Prokott Employment Attorney Faegre Drinker

Dan Prokott advises businesses regarding complex workplace matters. He represents employers of all sizes, including multinational public and private companies, established and emerging private businesses, and nonprofit organizations.

Employment Counseling

Dan advises employers on:

  • Hiring practices, including issues related to non-discrimination, non-competition, pre-employment testing, background checks and state law compliance
  • Reviewing and drafting offer-of-employment letters and employee handbooks
  • Preparing executive and sales compensation...
612 766 7713
Mary Will Ethics and Compliance Faegre Drinker Law Firm

Mary Will is professional responsibility counsel to Faegre Baker Daniels. In that capacity, she advises Faegre Baker Daniels and its lawyers regarding conflicts of interest, ethics and other legal matters. Mary also advises employers on employment laws and workplace actions. She partners with clients to provide business strategies and solutions tailored to their specific needs, taking into account the business environment and culture in which each employer operates.

Compliance, Training and Transactions

Mary works closely with FaegreBD’s corporate lawyers on the employment...

303 607 3771