Frequently Asked Questions on Workplace Privacy and COVID-19

As COVID-19 continues to spread throughout the United States, employers that currently have employees reporting to their facilities each day are being forced to consider stringent measures to protect the health and safety of their workforce. Medical information questionnaires, temperature screenings, self-reporting obligations, and even medical examinations are some of the measures being considered by employers as ways to prevent COVID-19 from entering the workplace. However, even during this critical time, employers cannot ignore the privacy risks associated with collecting medical information under state and federal law. The following article provides answers to frequently asked questions about an employer’s privacy obligations during this time.

1.  In light of the COVID-19 pandemic, what health-related information can employers ask employees to provide?

Employers can ask employees to provide the following information:

  • A positive result for, or other diagnosis with, COVID-19;
  • Symptoms of infection with COVID-19, e.g., fever of or over 100.4°F, cough, shortness of breath, sore throat;
  • “Close contact” (as defined by the Centers for Disease Control) with any person who has tested positive for, or has otherwise been diagnosed with, COVID-19 infection within the preceding 14 days;
  • Whether the employee has been asked to self-quarantine by a health official within the preceding 14 days;
  • Whether the employee has traveled to, or stopped over in, a country for which the CDC has issued a Level 3 travel health notice; and
  • Depending on geographic location, whether the employee is considered “high risk” for COVID-19 infection, meaning over age 60, pregnant, or suffering from diabetes, lung disease, heart disease, asthma, HIV, or similar conditions.

2.  Can employers take employees’ temperature before permitting them to enter the employer’s facilities?

Yes. However, employers should implement a temperature check protocol to ensure that temperature checks are designed to reduce the threat that an employee with COVID-19 poses to the workplace.  In particular, temperature checks should be reliable, effective, performed consistently, and respect employees’ privacy.  For example, all employees entering facilities should be checked only by trained personnel and the results should be treated as confidential.

3.  Can employers require employees to check their own temperatures?

Yes. Any policy on “self-checking” should be designed to address the threat to the workplace in a consistent manner.  For example, only employees who interact with co-workers, customers or the general public on behalf of the employer may need to check their own temperature.  Employers also can require employees to stay home from work if their temperature equals or exceeds 100.4°F and to report this symptom of COVID-19 to the employer. 

4.  Can employers require employees to be tested for COVID-19?

Employers may be able to require employees to be tested if they have symptoms of COVID-19 and, nonetheless, assert that they are fit for work. 

5.  Can health care employers with access to COVID-19 test kits require employees to be tested?

Guidance issued by the Equal Employment Opportunity Commission on March 21, 2020, suggests that employers may be able to require testing of all employees, regardless of whether the employee shows symptoms of COVID-19, based on the fact that COVID-19 poses a “direct threat” to the workforce. This is an aggressive approach, and should not be undertaken without first consulting with counsel.

6.  Does the Health Insurance Portability and Accountability Act (HIPAA) apply to the health information collected by employers?

Generally, no. HIPAA imposes obligations to safeguard protected health information (PHI) only on covered entities, which are defined to include health plans, health care clearinghouses, and health care providers. An employer acting in its capacity as an employer is not subject to HIPAA. Other laws, such as the Americans with Disabilities Act (ADA) or state confidentiality laws, may apply.

7.  Can an employer disclose the identity of an employee who has tested positive for, or otherwise been diagnosed with, COVID-19 to co-workers who were in close contact with the infected employee during the relevant 14-day period?

No. The ADA prohibits such a disclosure. However, the employer can provide co-workers with information that would help them evaluate the risk of infection.

8.  Can an employer disclose COVID-19 related health information to customers or vendors?

No. The ADA does not permit employers to disclose an employee’s medical information to an employer’s customers or vendors. Employers can generally inform customers or vendors that an “employee has tested positive for COVID-19” or that an employee “has been exposed to COVID-19,” but the employee(s) should not be identified.

9.  Can employers ask employees to consent to the disclosure to others of their identity and positive test for COVID-19 infection?

The ADA’s confidentiality provision does not have an express exception for disclosures with the employee’s consent. Although there may be risk in relying on an employee’s consent, that risk could be mitigated by taking steps, such as (a) obtaining the employee’s written consent, (b) informing the employee that consent is purely voluntary and may be revoked at any time, and (c) limiting the disclosure that is the subject of the consent to specifically identified employees who were in close contact with the infected employee during the relevant 14-day period.

10.  Can employers perform temperature checks on, or provide questionnaires inquiring about, the medical health of their customers?

Yes. However, any inquiry should be narrowly tailored to reduce the threat of COVID-19 infection, and employers should ensure that medical information received from customers is stored in accordance with any applicable state information security law.

11.  Do different rules apply to an employer’s workforce in the European Union (EU)?

Yes. Under the European Union’s General Data Protection Regulation, employee medical information is considered “sensitive personal data” and is subject to heightened protection. In response to the COVID-19 pandemic, most data protection authorities in most EU Member States have issued guidance explaining the circumstances in which employers can obtain medical information from employees and how this information must be treated.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.