Examples of COVID-19 Screening, Social Distancing, and Contact Tracing Technologies and Related Legal and Practical Issues
As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID-19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what should they be thinking about in deciding to adopt one or more of them.
Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table)*.
Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and on-going effort. Technologies, such as those listed in the Table, can help. Some of the features of these technologies include:
Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster more efficient way while minimizing contact that might further spread of COVID-19.
Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.
The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:
What is the organization's goal for the technology?
If the goals of the organization is to keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider. However, if the goal is the identify other workers who may have been exposed to a COVID19 positive co-worker, the contact tracing technologies may be more appropriate. To this end, it is important to consider the organization's goals prior to selecting technologies for implementation.
Does the technology work?
For temperature taking/scanning technology, this may mean validation of the accuracy of the device. When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
Will the technology require employees to incur expenses that must be reimbursed?
In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
Is bargaining with the union required?
As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s). Depending on which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
Is notice/consent required?
This may be a difficult question to answer without having an understanding of the data that the technology is collecting. For example, collecting the geolocation of employees as well as their COVID status, and interactions with others all are likely elements of personal information under the California Consumer Privacy Act (CCPA) which applies to employees that reside in California if the organization is subject to the law. Similarly, electronic tracking of workers or the collection of worker’s biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation. If the technology requires access to an employee’s personally-owned device, notice and consent are likely required, but most certainly a best-practice. While many think HIPAA is implicated in the collection of workers’ temperature or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
Will workers participate?
Determining whether technology implementation may require notice or consent is discussed above. However, if implementation and/or usage is voluntary the effectiveness of the technology in meeting the organization's goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding same, and address concerns over privacy and relates issues in order to ensure buy-in and effectiveness.
How is data collected, shared, secured, returned?
Understanding the answers to these questions are imperative in order to help ensure compliance. This is especially true as there are numerous laws that may be implicated when data is collected from workers. These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, CCPA, and the General Data Protection Regulation (GDPR). In addition to statutory or regulatory mandates, the organization will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data it is responsible for.
Are employees implementing the technology capable, trained?
Should “managers” be viewing dashboards that provide extensive information about many of the organization’s workers? In these uncertain times, an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, as well as state laws protecting against discrimination for lawful off-duty conduct (that may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
What is the relationship with the vendor?
The organization’s relationship with the vendor is an established way of contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
When should we stop using the technology?
The Equal Employment Opportunity Commission (EEOC) has said that currently, COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers on site. The EEOC has not yet expressly addressed contact tracing. As organizations look to the future, and the hopeful end to the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies. The EEOC may provide that guidance, however, organizations may still have reasons to continue utilizing some of these technologies. For example, contract tracing may continue to help slow/limit spread within an organization. Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19. At points during this process, organizations also will need to consider whether and how long to retain the data collected.
In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID-19, ensuring a safe and health workplace and workforce, and preventing future pandemics. Nevertheless, organizations must consider the legal risks, challenges, and requirements with any such technology prior to implementation.
*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install same with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements concerning the selection and implementation of any technology solution.