April 6, 2020 - The ongoing battle against COVID-19 has raised privacy concerns in the United States and throughout the world.  Governments are collecting health information and tracking individual movements using cellphone data.  Researchers are processing and analyzing protected health information.  Companies are trying to monitor the health of their personnel to ensure that workplaces are safe.

This client alert focuses on companies’ efforts to ensure health and safety.  Most of these efforts will fall within existing exceptions to privacy laws for epidemics and public health emergencies.  Regulators have also been flexible, and some have suspended enforcement activities or waived penalties during this time of crisis.  Yet privacy laws and regulations continue to apply, and companies must continue to comply with them.  To assist companies in doing so, this alert addresses some frequently asked questions.

The HIPAA Privacy Rule

What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a U.S. law that protects the health information of individuals.  HIPAA has various sections, including a section that protects privacy known as the HIPAA Privacy Rule.

Does HIPAA apply to our company?
If it does, you probably already know it.  The HIPAA Privacy Rule does not apply to every business or employer.  It applies only to “covered entities” and “business associates.”  “Covered entities” include health care providers, health plans and health care clearinghouses, while “business associates” are typically those who perform functions and provide services to covered entities.  45 C.F.R. § 160.103. 

Does HIPAA apply to our company if we offer a group health plan to our employees?
No, in that circumstance the HIPAA Privacy Rule would apply to the health plan, but not to your company.  There are, however, exceptions, which might apply if, for example, your company self-insures or offers an on-site employee health clinic.

If HIPAA applies, can we share an employee’s health information with public health authorities?
Yes, covered entities may disclose protected health information to “a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease.”  45 C.F.R. § 512(b)(1)(i).  Indeed, some states make such disclosures mandatory.  Moreover, if directed by a public health authority, covered entities may also disclose protected information to a foreign government agency.  Id.

Business associates may only use or disclose protected health information as set forth in their business associate contract or as required by law.  Generally, this means that the business associate may not use or disclose protected health information in a way that the covered entity cannot.  See 45 C.F.R. § 164.504(e).

Do we need permission from the employee to disclose their health information to a public health authority?
No, covered entities can make this type of disclosure without the individual’s authorization.  See generally 45 C.F.R. § 164.512.

Are there other types of permitted disclosures under HIPAA?
Yes, among other permitted disclosures, covered entities may disclose protected health information, if necessary, to treat the affected individual or someone else.  See 45 C.F.R. § 164.506.  Covered entities may also disclose protected health information to “a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition,” provided that the covered entity or public health authority is authorized by law to do so “in the conduct of a public health intervention or investigation.”  45 C.F.R. § 164.512(b)(1)(iv).

Does HIPAA permit a covered entity to share an individual’s health information with their family or friends?
A covered entity may disclose to a family member, relative, close personal friend, or other person identified by the individual, the protected health information directly relevant to that person's involvement with the individual's health care or payment. See 45 C.F.R. § 164.510(b).  When possible, the covered entity should get verbal permission from the employee to make such a disclosure or be reasonably able to infer that the employee would not object.  Id.

Under HIPAA, are there limits to what we can disclose?
Yes, for most disclosures, a covered entity must make reasonable efforts to disclose only the “minimum necessary” to accomplish the purpose of the disclosure.  45 C.F.R. § 164.502(b).

Where can we go for more information about HIPAA and COVID-19?
In February, the Department of Health and Human Services (“HHS”) provided guidance about the HIPAA Privacy Rule as it relates to COVID-19. Office of Civil Rights, HHS, Bulletin, HIPAA Privacy and Novel Coronavirus, available at https://www.hhs.gov/sites/defa....  HHS has since issued other COVID-19 guidance and there is more to come.  Among other things, the new CARES Act directs HHS to “issue guidance on the sharing of patients’ protected health information,” including compliance with certain HIPAA regulations.  CARES Act § 4223.

Are there other privacy laws that might apply to HIPAA disclosures?
Yes, there may be state and local laws, regulations, or ordinances that affect HIPAA disclosures.

California Consumer Privacy Act (“CCPA”)

Has the CCPA taken effect yet?
The CCPA became effective on January 1, 2020, with penalties for violation to become effective on July 1, 2020.  Although the penalties for violation are not yet in effect, plaintiffs’ lawyers have already filed at least nine putative class action cases alleging violations of the CCPA against companies such as Zoom.

Does the CCPA permit disclosure of employee health information?
The CCPA does not generally prevent a business from disclosing personal health information.  However, it provides California residents with the right to request, among other things, that covered businesses disclose “the categories of third parties with whom the business shares personal information.”  Cal. Civ. Code § 1798.110(a)(4).  This does not apply to, among others, covered entities under HIPAA.

Workplace Protections

Has the EEOC issued any guidance on employees’ rights in the workplace?
The U.S. Equal Employment Opportunity Commission (“EEOC”) enforces workplace anti-discrimination laws, including the Americans with Disabilities Act (ADA).  While the ADA is not a privacy law, per se, it sets forth certain rules about medical examinations and inquiries.  The EEOC had previously provided guidance on influenza epidemics, which it has now updated to account for the COVID-19 pandemic. EEOC, Pandemic Preparedness in the Workplace and the Americans with Disabilities Act, https://www.eeoc.gov/facts/pan....  

Can we inquire about employees’ health, symptoms, or travel as a condition to letting them return to work?
Yes, during a pandemic, an ADA-covered employer may ask employees who report feeling ill at work or call in sick if they are experiencing symptoms of the pandemic virus.  For employees returning from travel (whether business or personal), an ADA-covered employer does not need to wait until the employee exhibits symptoms of the pandemic virus to ask questions regarding potential exposure to the pandemic during the travel.

Can we take the temperature of employees?
Taking someone’s temperature is a medical examination, but because the COVID-19 pandemic is widespread, the EEOC permits an employer to measure employees’ body temperature.

Can we require employees to stay home if they have symptoms of COVID-19?  
The ADA does not prevent an employer from telling symptomatic employees to leave the workplace or stay home.

Can we disclose the name of an employee who tests positive for COVID-19 to fellow employees for precautionary purposes?
No.  If an employee has a confirmed case of COVID-19, the CDC recommends that an employer inform fellow employees of their possible exposure to COVID-19 in the workplace, but maintain confidentiality under the ADA.  This means that the employer should not identify the affected employee by name.

Can we require employees to wash their hands regularly?
According to the EEOC, mandating infection control practices, such as regular hand washing, or coughing and sneezing etiquette, does not implicate the ADA.

Can we require employees to wear masks or gloves to reduce the possibility of COVID-19 infection?
According to the EEOC, an employer may require employees to wear personal protective equipment during a pandemic.  However, the employer has to make reasonable accommodations for disabled employees who cannot comply (e.g., those who may be allergic to latex gloves).

Once there is a COVID-19 vaccine, can we require employees to get it?
An ADA-covered employer may encourage employees to get the vaccine, but cannot necessarily require them to take it.  Among other things, the ADA and Title VII of the Civil Rights Act of 1964 provide certain exemptions to mandatory vaccines.

Are there state or local rules that we also need to consider?
In addition to the ADA, an employer should also review and comply with state and local rules governing privacy in the workplace.  Some states have statutes that provide confidentiality protections for employee medical information, such as California’s Confidentiality of Medical Information Act.

The EU’s General Data Protection Regulation (“GDPR”)

Does the GDPR permit the processing of employee health information?
The GDPR protects “data concerning health,” including COVID-19 status, as a special category of personal data under Article 9.  However, the GDPR permits the processing of such data when, among other things, it is necessary for (a) “the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services”; or (b) “reasons of public interest in the area of public health, such as protecting against serious cross border threats to health.”  GDPR Art. 9(2)(h) & (i).  In these circumstances, it is not necessary to obtain the consent of the individual.  Id.

Has there been any guidance from the EDPB?
On March 19, 2020, the European Data Protection Board (“EDPB”) issued a statement in which it declared that, “[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.”  However, the EDPB also “underline[d] that even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”  European Data Protection Board, Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak (Mar. 19, 2020).

Did the EDPB address workplace protections?
The EDPB recognized that processing health data may be necessary to ensure health and safety at the workplace.  However, it cautioned that such processing should be for specific and explicit purposes, affected individuals should receive transparent information, and adequate security measures and confidentiality policies should ensure that the information is not disclosed to unauthorized parties.  The EDPB stated that employers may disclose that an employee is infected with COVID-19 to “colleagues and externals” but should not communicate more information than is necessary.  Finally, the EDPB noted that most workplace protections will be a question of member state law.  European Data Protection Board, Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak (Mar. 19, 2020).

Has there been any guidance from EU Member States?
Various EU member states have issued their own guidance on data protection during the COVID-19 pandemic.  To give just two examples: 

The UK’s data protection authority, the Information Commissioner’s Office or ICO, advises that it is “unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.”  The ICO also suggests that companies “keep staff informed about cases in your organisation.  Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary.  You have an obligation to ensure the health and safety of your employees, as well as a duty of care.  Data protection doesn’t prevent you doing this.”  ICO, Data Protection and Coronavirus: What You Need to Know, https://ico.org.uk/for-organis.../.

The French data protection agency, the Commission Nationale de l’Informatique et des Libertés or CNIL, also permits disclosures to health authorities, but is more protective of employee rights in the workplace.  The CNIL recognizes that employees have a responsibility to inform an employer about COVID-19 symptoms, but it prohibits the employer from searching for possible symptoms in a generalized and systematic way or through individual inquiries and requests.  The CNIL notes that this means that employers cannot take daily temperature readings of employees or visitors or make use of questionnaires and surveys.  CNIL, Coronavirus (COVID-19): Les Rappels de la CNIL sur la Collecte de Données Personnelles (Mar. 6, 2020). 
