Privacy Considerations for Employers and Health Care Providers When Communicating about Coronavirus-Infected Individuals
This alert focuses on the ongoing and developing privacy issues that have arisen for employers and healthcare providers communicating about the 2019 novel coronavirus (COVID-19). Specifically, we will discuss the steps that employers and healthcare companies need to consider when communicating to its employees, the media and general public, and government officials when an individual has been diagnosed with the coronavirus or may have been exposed to the coronavirus.
Employer Communications about an Employee
If someone in the workplace may be infected with coronavirus, can I disclose the name of the affected employee to office personnel?
As a general rule, an employer should not disclose the identity of an employee diagnosed with (or suspected of having) coronavirus. Under the Americans with Disabilities Act (ADA), employee medical information must be kept confidential and may only be shared in very limited circumstances. Moreover, an inaccurate or false disclosure of someone’s coronavirus status could potentially subject an employer to common law defamation or invasion of privacy claims.
In an employer-employee context, the employer should make every effort to protect the medical confidentiality of the individual while still providing sufficient information to the workplace for them to take appropriate steps. In almost every case, this can be done without sharing the name of the person who was infected.
From a privacy compliance perspective, what information should an employer share to the rest of the workplace if an employee is or may be infected?
In a company-wide notice, an employer should:
Send a general communication reporting that there has been a suspected/confirmed case of coronavirus in the workplace and urging employees to be vigilant in observing for symptoms and stay away from the office if symptoms occur and consult with a medical provider.
Note how the company is taking all appropriate steps to manage the situation in accordance with official guidance.
Refer employees to guidance materials provided by public health agencies, including the Centers for Disease Control and Prevention (CDC).
Designate individuals and provide contact information for employees to direct questions/concerns (preferably HR or a similar role).
Should additional personal information be shared about the affected person with those employees who may have been in close contact with the affected person?
To the extent that there may be a smaller population of people who may have been at a higher risk of close contact with the affected person (e.g., shared cubicle block, officemate, in meetings with the person in recent days, etc.), HR should reach out separately to that population to indicate that their exposure profile may have been more extensive and that they should conduct a risk assessment of their potential exposure and remain vigilant for the onset of any symptoms and see their healthcare provider should symptoms occur. After hearing such news, affected colleagues will likely inquire as to the name of the affected individual. However, in both company-wide and more limited communications, employers should not disclose the identity of the infected person (absent consent from the affected employee) – this includes revealing the name and health information of the individual explicitly by name or implicitly through verbal hints or clues, absent the consent of the affected employee.
Indeed, in an Interim Guidance for Businesses and Employers, the CDC stated that: “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).”
France and United Kingdom Considerations
Similar to the United States, in both France and the UK, employers should not generally disclose the identity of an employee diagnosed with (or suspected of having coronavirus), unless it is necessary to do so. Neither the French nor the UK’s Data Protection Authorities (the “CNIL” and the “ICO”) have specifically addressed the concern of an employer communicating to its employees about an employee diagnosed (or suspected of having) coronavirus. However, as such information would be personal health data, there are restrictions as to when and how such personal data should be processed under the General Data Protection Regulation (Regulation (EU) 2016/679).
Under both French and UK laws, a disclosure of a person’s health information (i.e. they have coronavirus) where it is necessary to identify other employees who may have come into contact with the person carrying the virus, could be possible. This is however subject to the condition that this disclosure is reasonable and proportionate in terms of which information is disclosed and to whom, otherwise it could be considered as a privacy violation. We would also recommend that if an employer has decided to make known an employee’s COVID-19 diagnosis, that they, as a matter of courtesy make the individual aware of such disclosure in advance (assuming consent is not being relied upon as the legal basis to process such personal data) which will also assist in maintaining good employee relations and allaying any concerns.
More broadly, in relation to the processing of any health data, the employer should ensure that it has the appropriate documents and procedures in place to demonstrate compliance with the GDPR. For example, the employer should ensure it has informed individuals about how their personal health data will be processed and the legal basis on which the employer relies upon to process such personal health data (under both articles 6 and 9). In addition, for any new use of the personal data, the business may also need to carry out a legitimate interest assessment and/or a data protection impact assessment.
If someone in the workplace may be infected or is diagnosed with coronavirus, should an employer report this information to government health officials?
The answer to this question continues to develop, and thus requires particular care from employers. As health officials encourage potentially affected individuals to get tested and seek medical care if symptoms occur and businesses to take certain steps to respond to the virus, one might assume that employers have a legal obligation to report potential cases to government officials. However, with limited exceptions this is not necessarily the case.
Employers may, in the case of an infection/exposure in the workplace, consult state/local health departments for further guidance. Such health departments may offer helpful information about prevention of further exposures and other resources, and companies acting on direct advice from a government health agency may lessen the risks associated with their communications and next steps.
However, given the mishmash of state/local and federal guidance on this issue, it remains a best practice for employers to maintain the confidentiality of employees who may be or have been diagnosed with the coronavirus. The bottom line is that state or local laws likely require physicians to report patients diagnosed with the coronavirus to health authorities (see e.g., New York State’s Communicable Disease Reporting guidance), and it remains a prudent practice to maintain the confidentiality of an employee’s medical information (in both suspected and diagnosed cases) to avoid privacy violations and instead rely on health care providers, who are required by law to report coronavirus infections to health authorities. Different considerations would come into play if a company employs a physician or physician group to examine employees. In such cases, it would be prudent for the company to speak with counsel before making any disclosures of medical information.
From a federal standpoint, employers should note the language quoted above from the CDC’s Interim Guidance, which states, to prevent stigma and discrimination in the workplace, use only the guidance described below to determine risk of COVID-19. Do not make determinations of risk based on race or country of origin, and be sure to maintain confidentiality of people with confirmed COVID-19. There is much more to learn about the transmissibility, severity, and other features of COVID-19 and investigations are ongoing. If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA).
In the UK, Public Health England (“PHE”) have provided guidance for employers and businesses (see, PHE Guidance). People in the UK are being told to contact NHS 111 if they are displaying coronavirus symptoms, and from there PHE will get involved. The current guidance indicates that PHE Local Health Protection Team will contact the employer to discuss any confirmed COVID-19 exposure and conduct a risk assessment on the work place in order to set out the steps that that business needs to take in light of the confirmed case. With the expectation that cases increase in the UK, this advice may change but in the interim, employers should encourage employees to contact NHS 111 in case of coronavirus symptoms.
The French Ministry of Labor does not provide any clear information on COVID-19 and whether it is necessary to contact the government health officials. However, the French Data Protection Authority states that in the event of a report that someone in the workplace may be infected or is diagnosed with coronavirus, it is upon request of the government health official that “the employer, who may record the date and identity of the person suspected of having been exposed as well as the organizational measures taken (containment, telework, contact with the occupational physician, etc.), may communicate any information relating to the nature of the exposure which are necessary for any health or medical care of the exposed person.”
In France, we advise employers to maintain the confidentiality of an employee’s medical information when reaching out to health authorities. Practically speaking, an employer might encourage any potentially affected employee to see a physician and follow-up to see if such care has been sought.
Coronavirus-Related Communications from Healthcare Entities
Are Health Insurance Portability and Accountability Act (HIPAA) obligations suspended during a public health emergency?
No. HIPAA compliance remains a requirement during a public health emergency. Yet, healthcare providers should note that the law allows multiple exceptions regarding “minimum disclosures” about a patient’s infected status, such as for public health and prevention purposes and disclosures to governmental health agencies (including foreign health authorities at the direction of a U.S. agency).
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. As enunciated by the HHS, the HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary for public health considerations.
As discussed, below, HIPAA does contain flexibility for public health considerations.
What Are the Various Obligations regarding Disclosures of Health Information?
In response to the outbreak, in February 2020 the U.S. Department of Health and Human Services, Office of Civil Rights (HHS) issued a Bulletin about medical privacy, “BULLETIN: HIPAA Privacy and Novel Coronavirus.” The HHS Bulletin outlines three scenarios of lawful disclosure in the absence of patient authorization: (1) To a public health authority, such as the CDC or a state or local health department; (2) At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority; and (3) To persons at risk of contracting or spreading a disease if other state or local laws authorize the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
The Bulletin also discussed other various disclosures:
Disclosures to Family, Friends, and Others Involved in an Individual’s Care: Under the Bulletin, a covered entity may share protected health information (PHI) with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, or others responsible for the patient’s care, of the patient’s location, general condition.
Disclosures during a Public Health Emergency: The Bulletin states that healthcare providers may share patient information, without the patient’s permission, with anyone as necessary “to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law…and the provider’s standards of ethical conduct.” Thus, according to the Guidance, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission.
Disclosures to Media: The Bulletin advises that, other than the limited circumstances described previously (e.g., disclosures to prevent an imminent health threat), disclosing health information and treatment concerning an identifiable patient may not be done without the patient’s written authorization. Where a patient has not objected, a covered provider may, upon request, “disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms.”
Are There Any Final Privacy Reminders for Healthcare Providers When Disclosing Medical Information about An Affected Individual?
Healthcare providers should note these important considerations when lawfully disclosing medical information about an affected individual:
Minimum Necessary: As the HHS notes in its Bulletin, for most disclosures, a covered entity must make “reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose. It is important to note that the HHS has stated that covered entities may rely on representations from a government health agencies that the requested information is the minimum necessary for the purpose, if that that reliance is reasonable (e.g., PHI requested by the CDC in its public health efforts).
Maintain Access Procedures: As per usual privacy protocols, covered entities should continue to enforce access policies to limit access to PHI to authorized personnel.
Safeguard Patient Information: Even in a health emergency, covered entities must continue to implement reasonable safeguards to protect PHI against impermissible disclosures and continue physical and technical measures to protect health data. A notice to all employees or further training reminding them of HIPAA obligations may be prudent, particularly in serious public health situations where employees may be tempted to snoop or access records they should not be viewing.