Reopening Businesses Must Consider Employee and Consumer PrivacyJune 3, 2020
While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental entities, trade organizations, and others are wisely recommending protocols to reduce the risk of a spike in COVID-19 cases. Such protocols include customer and employee wellness screenings, contact tracing, and questionnaires about compliance with public health orders.
Although these protocols are designed to ensure the health and well-being of employees, customers, and others physically visiting the businesses, businesses collecting data from employees and customers must consider the privacy implications of doing so. This includes compliance with myriad state and federal laws and regulations.
Employee Privacy Considerations
As a result of the COVID-19 pandemic, employers are permitted to make various medical inquiries that were previously impermissible. To assess whether an employee can safely enter the workplace, employers may take the employee’s temperature, ask if they are experiencing COVID-19 symptoms, require the employee to undergo a COVID-19 test, or require the employee to provide medical certification of fitness to return to work. However, consistent with the Health Information Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act (ADA), employers must maintain this information as a confidential medical record separate from the employee’s personnel file, with precautions taken to protect the information.
Although guidance from the U.S. Equal Employment Opportunity Commission (EEOC) expressly permits employers to require COVID-19 testing, the EEOC cautions that the tests must be “accurate and reliable” and such testing must be “job related and consistent with business necessity.” Employers should avoid requiring antibody testing, which could be deemed an unlawful medical history inquiry rather than an assessment of an employee’s present fitness to enter the workplace.
Some employers have begun mandating employees’ use of contact tracing applications. Other employers are administering employee surveys to gauge compliance with public health orders and to assess the risk that an employee has been exposed to COVID-19. Employers must also maintain any information collected through such applications or surveys as a confidential medical record in accordance with the guidelines above. Moreover, employers should narrowly tailor such inquiries for the purpose of assessing risk, and avoid infringing on third parties’ privacy rights (by, for example, asking about family members’ medical conditions or activities).
Finally, employers that are covered by California’s Consumer Privacy Act (CCPA) should review and, if necessary, update their employee privacy policies to ensure that all COVID-19-related inquiries and data uses are disclosed…