Privacy and Security Considerations for Employers Grappling with Introducing Social Distancing and Contact Tracing Technologies in the Workplace
As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.
In order to isolate and contain the spread of COVID-19, one critical component of an effective workplace safety plan is for employers to be able to monitor social distancing practices and to notify employees that they need to self-quarantine if they have come in close contact with an individual in the workplace who has symptoms of, or tested positive for, COVID-19. Also known as “contact tracing”, the faster that affected individuals can be notified and isolated the slower the virus will spread. Technology developers have stepped up to automate the contact tracing process and there has been a proliferation of mobile tracking tools, including phone apps that monitor social distancing practices and conduct contact tracing in near real-time that can be used in the workplace. Yet, these tools raise an intricate web of considerations under applicable privacy, security and other consumer protection rules and regulations.
The following addresses common questions employers are currently facing:
Are employers required to use HIPAA-compliant mobile tracking tools in the workplace for social distancing and contact tracing purposes?
Even though the information about an individual’s COVID-19 status may be health related, as a general rule, employers are not covered entities regulated by HIPAA. That being said, employers should make efforts to limit the amount of information being collected to serve the intended goals and not retain it longer than needed. For example, an employer interested in adopting an app approach for contact tracing may want to consider an app that relies on Bluetooth technologies rather than geo-tracking capabilities so that they can provide a notification to individuals who have come in close contact with an affected individual rather than the specific geographic location information about employees or specific status of individuals.
How can my organization implement mobile tracking tools without collecting medical information or PHI?
An employer who wants to limit data collection can deploy mobile tracking technological tools, such as lanyards or wrist bands worn by employees in the confines of the workplace, which can be used to identify an employee’s location in the workplace throughout the work day and used to identify close contact with other individuals to remind employees to maintain a safe distance from others. With respect to contact tracing, these tools do not have to collect medical information or PHI. Many rely on an employee self-reporting that they are experiencing symptoms of COVID-19 or that they tested positive for COVID-19. This would cause the sensors in the lanyard and located throughout the workplace to identify the other employees that would need to be notified that they may have come in close contact with someone who reported symptoms or tested positive for COVID-19, and the areas in the workplace that the exposed individual had been to ensure that those areas are cleaned and appropriately sanitized.
How could a non-HIPAA compliant mobile tracking tool collect PHI (such as COVID-19 test results)?
An individual may authorize a health care provider, like a lab or their physician, to disclose their electronic PHI through a mobile application that is not subject to HIPAA requirements. The authorization must meet HIPAA’s requirements for a valid authorization and, if an employer requires the use of a mobile app that relies on such authorization, the employer should also provide clear notice to employees about what information will be collected, how it will be used, with whom it will be shared, and how long it will be retained. Employers should review the terms of service for any tools they seek to deploy to determine if there are options that should be disabled or whether employees must take action on their devices to disable certain functions. Employers should also consider whether an alternative for employees that might need an accommodation is needed if they are unable to use the mobile app that the employer wishes to deploy.
How can my organization vet mobile tracking tools?
From the outset, it is important to undertake diligence regarding the vendor providing the tool or app. Some technology developers may be well-established companies with robust privacy and security procedures and controls, while others may be entities that have not yet invested in, or developed compliant, procedures and controls. It is also critical to undertake diligence regarding the manner in which the information and data transmitted to, collected and stored by the tool or app will be handled. Consider asking the vendor the following types of questions:
- What information is collected through the tracking tool or app and is it encrypted?
- Will the vendor company utilize any information collected through the tool or app for any purpose (e.g., for research, analytics, marketing, or whether it can be sold)?
- Is the information collected through the tool or app shared with any third parties (including public health authorities)?
- Does the tool or app send data to any domestic government (or international) sites or apps?
- How is the information obtained?
- Is the information actively or passively (through the user’s URL or web behavior) collected?
- Does the tool or app utilize Bluetooth technology (e.g., proximity notification) or GPS (location identification)?
- Who owns the data?
- How long will the data be kept, where will it be retained and what safeguards will be in place to protect it? (e.g., data back-up, disaster recovery and/or contingency plans)?
- What security and privacy standards/protections does the vendor have in place for its tools or apps?
- What data breach notification requirements does the vendor have in place?
- What happens if there is a breach?
- Does the vendor carry cyber insurance?
- Has the app developed user friendly notifications with information for employers to pass along to employees that will instruct them on how to download the app to their phone, including an appropriate Privacy Notice and instructions on how to mitigate risks, for example instructions on how to disable the app from connecting to other functions on their phones?
- Does the app itself include a notice that comports with the organization’s requirements to obtain consent from employees to collect information and proper consent to share the information with their employer?
It is critical to verify that the data is retained only for the required amount of time, and meets requirements for each state and locale in which your organization has reporting obligations. It is necessary to review the tool or app’s privacy policies and service agreement terms and, to pay careful attention to the vendor’s service agreement representations and any carve outs for adherence to applicable law. Given the evolving laws in this area, as well as the evolving definition of “close contact”, it is also important for employers to stay abreast of changes that may impact the tools and apps in use and address any updates that may need to be made. In the event that a vaccine is widely distributed and accepted by employees, contact tracing efforts may become moot.
How can individuals protect their personal data when using mobile tracking tools for social distancing and contact tracing purposes?
Though most contact tracing tools and apps are unlikely to be covered by HIPAA, employers should ensure that they obtain clear, conspicuous, and specific consent/authorization from the employee to obtain and store their data, and specific requirements to do so will vary based on applicable state law. In theory an employee could limit his or her employer’s right to access only certain types of data (including non-PHI data). To enable an employee to do so, the employer should ensure that the app authorization can be tailored to permit such narrow authorization. Otherwise, with most app authorizations being provided via click wrap text, it is unlikely that an individual can modify the authorization to limit such data access.
To the extent the mobile tracking tool or app seeks to collect PHI, the new Interoperability Rules place the burden on the individual to decide whether they would like to share their PHI with a third party. These Rules permit individuals to access and transfer their electronic protected health information (“e-PHI”) to mobile apps and other tracking tools through application programming interfaces (“APIs”). The Office of the National Coordinator for Health Information Technology (“ONC”) Final Rule, which became effective on June 30, 2020, requires developers of certified health IT to include secure, standards-based APIs to support patients’ access and control of their e-PHI.
What is the best way for an employer to approach contact tracing in the workplace?
Since many Americans spend a significant portion of time at work, employers are uniquely situated and can play an important role in slowing the spread of COVID-19. As such, state re-opening plans require employers to develop a plan to bring employees back to the workplace safely. But without authority from a federal or state mandate to use an app to contact trace, employers face a number of legal challenges.
If the employer offers an app as a value added feature of its group health plan, the data becomes HIPAA protected and the app developer has to agree to enter into a BAA with the health plan. The data would then become part of the group health plan, which makes data sharing from the health plan back to the employer complicated because: (i) the health plan cannot report individual employee health information back to the employer; and (ii) any aggregated and de-identified sharing would have to comport to all of the company’s and employee’s state/city/county authority data sharing and reporting requirements.
To address privacy concerns, employers should collect only the data that is needed to know when an employee is suspected or actually infected by the virus so that other employees that have been exposed to the infected employee can be warned of their potential exposure and can be instructed to take measures to isolate and get tested.
Employers should be mindful that, as with any collection of sensitive data, information can be hacked. Contact tracing apps and technologies could collect personal information, including information considered medical or biometric identifiers, that is potentially subject to state breach notification laws.
Finally, being transparent, clear and frequently communicating about any changes goes a long way in helping employees understand the important role they play in keeping themselves, their families and their fellow employees safe.
Are state government apps that have been developed for contact tracing purposes required to be HIPAA-compliant?
No. The information collected through apps developed and deployed by state governments is being used for a public health service. State government apps rely on individuals voluntarily downloading the app to their device. Generally, these apps can use Bluetooth to sense close contacts and exchange a secure random code with the close contact’s phone. These apps can also use the positive COVID-19 test results reported to the state and Bluetooth to recognize when one individual who has downloaded the app has been exposed to another individual who has tested positive for the virus and send an anonymized exposure alert to close contacts.
Are employees tracked when they leave the workplace site and travel for business domestically? What about internationally?
Perhaps. The details of data collection depend upon the design of the mobile tool or app and the authorization provided by the individual. Inadvertent data collection or use may heighten an organization’s compliance risk.
If employees work remotely, is contact tracing necessary?
Employers may need to consider application of mobile tracking tools to remote- work employees. Protocols should consider work schedules which include hybrid work arrangements and any business travel to other employer work locations.
Must the mobile tracking tools track employees nationally and internationally? Should employers track employees 24/7?
It depends upon the goal of the organization’s contact tracing, and its governmental and regulatory reporting requirements. Arguably, contact tracing can best work when all movement is tracked and data is provided back to individuals in real-time about exposure risk. However, this must be balanced with privacy and security concerns. Limiting data collection for contact tracing purposes to the employee’s location within the confines of the workplace during the regular work day would be the least invasive.
Do employees have rights to have their data deleted or will it reside indefinitely in a larger data set (Big data?)
Data retention depends upon obligations in state law/international law. A definitive timeline for data retention is not entirely clear at this time. So, employers should hold onto the data for now. However, employers should review and update their data retention policies as federal, state, and international guidance is issued and applicable statutes of limitations are analyzed. Some technologies may also allow individuals to delete their data and these should be evaluated. Employers should keep any data retained separate from employee personnel files and it should not be used for employment purposes.
What types of updates should employers make to their privacy and security policies to address use of mobile tracking tools in the workplace and breach response procedures?
Employers should ensure that their privacy and security policies address the types of tools and apps utilized. Specific changes will depend upon the type of tool or app utilized, the data collected, and whether the tool or app is administered internally or through an employer’s health plan.
What can an employer do to mitigate risk?
Vet the mobile tracking tool or app vendor and developer and the tools or apps themselves to ensure that they comply with the organization’s applicable reporting policies and applicable privacy and security laws. Then, review the service agreement with the vendor or provider and any authorization that the employee may be required to sign to ensure compliance with applicable law. The employer may also want to review their cyber insurance policies and make sure that the terms of services and other agreements appropriately allocate cyber risk and breach responsibilities between the parties and that the vendor has adequate cyber/breach coverage.
As with implementing any new organization-wide policy, employers should consider developing communication or a training session where employees can be provided with information about the technology, a notice that is clear and understandable, and affords them the opportunity consent to participate by agreeing to download the app or activate the technology.
What should an employer do next?
All employers and organizations are grappling with re-opening and the social distancing and contact tracing requirements for employees returning to the workplace. Employers must carefully consider the privacy and security implications of using mobile tracking tools and apps because these technologies may remain active in the workplace for the foreseeable future and will likely shape how workplace surveillance technology will be used in the future. Therefore, employers should be mindful to vet the apps they choose, review the service agreements and negotiate the privacy and security provisions to ensure that personal information is protected and used appropriately and that the appropriate cyber breach protocols are in place. For organizations that have already deployed these tools and apps without evaluating these considerations, it would be advisable to revisit these issues and address them. As the law changes, consideration should also be given to re-evaluating whether the tool or app remains compliant. Organizations should also develop a communications plan for employees in order to address their concerns about utilizing these tools and apps, educate them on how their data is protected and cybersecurity best practices, and obtain any required consents.