COVID-19: Need-to-Know Employer Information on Data Privacy and Recent Governmental Actions
Giving Notice of COVID-19 in the Workplace
When exposure or potential exposure situations call for notice to individuals who may be at transmission risk, they naturally want to know the name of the person who is the potential transmission source. May a company disclose the personal data collected from employees – such as an employee’s health condition (e.g., symptoms of illness) or medical diagnosis (e.g., a presumptive or confirmed COVID-19 diagnosis), including the employee’s identity, to its other employees?
We generally do not recommend disclosing the identity of someone infected, unless that person gives voluntary consent, and there is no legal requirement (at least currently) to do so. Of course, co-workers may figure out who is missing from work and connect the dots once the company has disclosed to at least a subset of employees that an employee has been diagnosed with COVID-19 (which is what a company should do if it learns of such diagnosis). When issuing such notices, we advise using phrases such as a colleague who works in a specific area or attended a certain meeting, etc., without providing a name.
Disclosing Medical Information
What about disclosing personal data collected from employees to third parties? If your company is getting general health data as a “covered entity” through its self-insured plan (i.e., the information is collected through a provider who sends it to the plan), then that information would be subject to the Health Insurance Portability and Accountability Act (HIPAA), and generally that information cannot be disclosed without an employee’s authorization. However, if the information the self-insured plan is collecting is specific to a threat like the coronavirus, the U.S. Department of Health and Human Services (HHS) has stated that HIPAA allows disclosure “[,]without a patient’s authorization, [of] protected health information about the patient as necessary to treat the patient or to treat a different patient.” 45 CFR §§ 164.502(a)(1)(ii), 164.506(c). In emergencies, HIPAA also allows disclosures to:
Public health officials, 45 CFR §§ 164.501 and 164.512(b)(1)(i)
Foreign public health officials working with U.S. officials, 45 CFR 164.512(b)(1)(i)
Persons at risk, if authorized by state authorities under the circumstances, 45 CFR 164.512(b)(1)(iv)
Friends or family acting as caretakers, 45 CFR 164.510(b)
As to other applicable employment law, the Equal Employment Opportunity Commission (EEOC) generally requires that any disability or medical information be kept confidential and disclosed on a need-to-know basis only. If your company feels it’s important to disclose personal medical information to an employee’s co-workers, we recommend that you seek consent from the employee first and consult with legal counsel before making such a disclosure without a documented, voluntary consent.
There are various other data protection requirements that U.S. employers should keep in mind in their COVID-19 prevention and response efforts. Below is a list of several relevant laws.
Putting all these laws together, we generally recommend that companies limit the individuals who have access to employees’ personal data (i.e., disclosing only to those who need to know to perform their job functions) and collect the minimum amount of information necessary. Companies also should safeguard any health care information they collect, particularly because many states have added health/medical information as a “trigger” for notification, should that information ever be breached.
Related Statutes and Guidance
California Consumer Privacy Act (CCPA) – Requires privacy notices to employees in California about collected personal data. See here.
The Americans with Disabilities Act (ADA) and Rehabilitation Act – Describes anti-discrimination rules that often dovetail with privacy concerns. The EEOC has issued guidance under these laws, describing how to address specific issues related to a flu epidemic. See
HIPAA – Protects health care data held by health plans, health care providers and health care clearinghouses, and their business associates generally but allows personal health information (PHI) to be disclosed in some emergencies. See here.
State Health Laws – May determine who has the authority to declare a public emergency and how that status affects data-sharing.
State Data Breach Notification Laws – May require notification if any collected health/medical information is lost, hacked or stolen. By our current count, the following states trigger notice on health/medical information or health ID numbers:
Health or medical information: AL, AR, CA, DE, FL, IL, MD, MO, MT, ND, OR, PR, RI, SD, TX, VA (med statute), WA, WY, NAIC
Health insurance number: AL, AZ, CO, DE, FL, MD (to access health account), MO, NV, ND, OR, VA (med statute), WA, WY
State COVID-19 Developments – States with some of the highest numbers of reported cases of COVID-19 have recently issued guidance on existing employment laws or have adopted emergency rules to expand benefits for employees and employers who are affected by COVID-19. In addition, a number of state laws have been proposed in response to COVID-19 that would give employees additional benefits.
The U.S. Department of Labor (DOL) has issued guidance to states on how they can be flexible with their unemployment benefits eligibility requirements for employees affected by COVID-19. This includes extending benefits to employees whose employers temporarily cease operations in response to COVID-19, employees who miss work because of quarantine, and employee who choose not to work to avoid exposure or to care for a family member.
The Washington Employment Security Department (ESD) has adopted emergency rules to expand unemployment benefits for employees affected by COVID-19 due to shutdown of operations or quarantine. The ESD has also provided FAQs about using paid family and medical leave for COVID-19. In addition, ESD has provided a guide of common COVID-19 scenarios and the benefits available to employees in each scenario that can be found here.
Colorado has adopted emergency rules on paid sick leave for COVID-19 that took effect on March 11, 2020, and will be in effect for 30 days or longer (if Colorado’s state of emergency continues beyond that). The emergency rules require employers in certain industries or jobs to provide up to four days of paid sick leave to employees with flu-like symptoms who are being tested for COVID-19. The covered industries are leisure and hospitality; food services; child care; education, including transportation, food service and related work at educational establishments; home health, if working with elderly, disabled, ill or otherwise high-risk individuals; nursing homes and community living facilities. If employers already provide paid sick leave that meets the requirements of these rules and the leave has not already been exhausted, then no additional leave is required.
The California Labor Commissioner’s Office has issued guidance on using paid sick leave for self-quarantine if quarantine is recommended by civil authorities or an employee has traveled to a high-risk area. However, employers cannot require employees to use it for this purpose.
The California Employment Development Department has issued guidance on programs available to employees such as:
State disability benefits for those who are exposed to or have COVID-19
State-paid family leave benefits for employees caring for an ill or quarantined family member with COVID-19
Unemployment benefits for employees if their employer has reduced hours or operations due to COVID-19
The California Division of Occupational Safety and Health (Cal/OSHA) has issued guidance on requirements to protect workers from coronavirus.
State Employer Assistance – In addition to assisting employees, states are also providing assistance for employers affected by COVID-19.
Washington is allowing employers to request relief from unemployment benefit charges during temporary shut-downs due to quarantine and making standby available for eligible part-time workers along with full-time workers.
California’s guidance also includes resources for employers on handling COVID-19 related issues regarding workplace health and safety, reduced work hours, potential closure or layoffs, and tax issues.
Many states are proposing laws or rules in response to COVID-19 such as:
Colorado: Proposal would expand unemployment insurance eligibility for quarantined employees.
Hawaii: Proposal urges state and private health care networks to allow sick employees to take time off without fear of retaliation or retribution.
Kentucky: Proposal provides paid sick leave for employees.
Maryland: Proposal prohibits employers from terminating quarantined or isolated employees.
New York: Proposal prevents employers from terminating or otherwise penalizing employees who are unable to work due to COVID-19.
It is anticipated that more states will follow suit and provide guidance along with additional benefits and relief for employees and employers. Faegre Drinker will continue to monitor and report on these developments.