Skip to content

Privacy vs. COVID-19 infection data: employers must strike balance

Julie DiMauro  Regulatory Intelligence and E-learning Expert

Julie DiMauro  Regulatory Intelligence and E-learning Expert

Privacy and security concerns are affecting many financial services firms forced by the COVID-19 pandemic to adopt work-from-home arrangements.

And as they consider the day when their non-essential employees can return to the office, firms are likewise faced with privacy considerations as they try to determine who can safely be present and how they can track COVID-19-related contagion in their workspaces.

Some rules being relaxed, others not

The US Department of Health and Human Services (HHS) has a penalty waiver, with time and geographic limitations, for hospitals that fail to comply with certain Health Insurance Portability & Accountability Act (HIPAA) requirements, including the requirement to obtain a patient’s permission to speak with family members involved in the patient’s care, the requirement to distribute a notice of privacy practices, and the patient’s right to request privacy restrictions.

Indeed, some leverage was needed for healthcare workers to launch telehealth platforms, which HHS said was acceptable during the pandemic, particularly regarding their disclosure of personal health information, if related to the coronavirus and done for public health purposes.

Data privacy rules in major states have moved ahead, with some modifications. New York’s Stop Hacks & Improve Electronic Data Security Act (SHIELD Act) went ahead with an enforcement date of March 21. It requires companies that own or license any data pertaining to New York residents to implement “reasonable” data security administrative, technical and physical safeguards. Similarly, California’s Consumer Privacy Act (CCPA) will not be delayed in enforcement — that date is still July 1 — despite calls from some businesses and trade groups asking for delays.

The New York Department of Financial Services (NYDFS) said it has extended the deadline for submitting a certification of compliance with its cybersecurity requirements (NYCRR 500) from April 15, 2020 to June 1, 2020. But with this extension came a directive that regulated entities must still report cybersecurity events within 72 hours and monitor the risks associated with offering remote access and employees using company-issued devices, plus configure video- and audio-conferencing technology to prevent unauthorized access.

Regulators themselves depend on their systems and the data they hold being secure. The Small Business Administration experienced glitches with a coronavirus loan relief fund platform that publicly leaked the personal identifiable information of business owners across the county.

Officials want to control spread of COVID-19

State and local authorities are expressing a desire to track the spread of the coronavirus, and technology firms are providing assistance. For example, Google is providing information to authorities on where large crowds are gathering, through its ” Community Mobility Reports“; and the Centers for Disease Control (CDC) is tracking which community spaces are drawing crowds.

Google and Apple also announced a joint effort to create a voluntary, anonymous contract tracing network enabled by their respective Android and iOS systems that would monitor the infection spread by keeping track of people infected and those with whom they come into contact — with the infected party’s permission. People could download mobile apps that would notify them if they had come into close proximity with infected people who are also using the network.

While tech firms have described the ways in which they plan to protect the data they collect, such protocols are purely voluntary, and technology experts have pointed out ways that the data collected could be vulnerable to misuse.

Employers tracking employees

One question on the minds of employers is what their companies can do when their non-essential employees are cleared to go back to the workplace.

For instance, if an employer is not a HIPAA-covered entity — not a health plan or healthcare provider — then HIPAA’s rules on protected health information do not apply, but the employer must still consider federal and state laws on uses and disclosure of health information.

The Americans with Disabilities Act (ADA) and state-specific versions of the law generally prohibit employers from disclosing confidential medical information regarding an employee, which includes the employee’s identity. The Equal Employment Opportunity Commission (EEOC) announced in a guidance that employers will be allowed to test employees for COVID-19 before they enter a work site, without running afoul of the ADA. But the EEOC stated that employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

The EEOC further noted that any medical test that businesses require workers to take must be “job related and consistent with business necessity” under the ADA. The framework allows businesses to legally screen workers for COVID-19 since those who are carriers will “pose a direct threat to the health of others.” However, employers should notify employees that they do not have to reveal information about underlying disabilities, the EEOC noted.

Since Title VII prohibits discrimination based on race, color, national origin, and other protected classifications, employers must be mindful to not make determinations of risk based on race, disability, or country of origin and administer testing on a consistent basis and to avoid discriminatory use of the results.

However, companies must make clear the purpose for which they are collecting data in their communications with those being tested and tailor the collection to that purpose. Disclosures to regulators need to detail what the business has done in terms of the safeguards it has built around the tracking of individuals. The use restrictions and deletion oversight should apply also to any third parties that come into possession with this data.

More answers