As the coronavirus or “COVID-19” permeates across the world, many industries and business sectors are grappling with privacy and security challenges in an effort to maintain operations. While this time may seem chaotic, it is important to pause and evaluate the current situation. Businesses need to proceed with caution when collecting and sharing personal information related to COVID-19 in order to strike a balance between personal privacy and ensuring the health and safety of its workforce. This update explains the privacy considerations that employers and healthcare providers should be aware of as they receive and share COVID-19 information.
If an employer (non-covered entity under HIPAA) learns that an employee tested positive for COVID-19, can the employer inform other employees for health and safety reasons?
Yes, if an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA). The employer should only share the minimal amount of personal information necessary to enable individuals to assess their own personal health and potential exposure.
For California employers and healthcare providers, how does the California Consumer Privacy Act (CCPA) affect privacy considerations related to COVID-19?
The CCPA excludes from its scope health information and health care providers covered under the California Confidentiality of Medical Information Act and HIPAA.
For employers, the CCPA exempts personal information collected in the employment context, but the obligation to inform employees of the categories of personal information to be collected still applies. It is important for employers to keep in mind that the employment exemption will expire January 1, 2021, if it is not amended by the California legislature. Once the exemption expires, all of the CCPA requirements will apply to personal information collected in the employment context, including the 12-month look-back period. Employers that share any COVID-19 information could potentially be subject to the look-back period once it expires.
Are there any special considerations for businesses that need to be mindful of the General Data Protection Regulation (GDPR) requirements during COVID-19?
On March 16, 2020, the Chair of the European Data Protection Board (EDPB), Andrea Jelinek, published a statement on the processing of personal data during the COVID-19 outbreak. According to the EDPB, the GDPR does not hinder measures taken in the fight against COVID-19; however, data controllers should still ensure the protection of the personal data it collects from data subjects. The GDPR does provide the legal grounds that enable employers and public health authorities to process personal data in the context of epidemics without the need to obtain the consent of the individual to whom that data belongs. The legal bases that would be permissible during this outbreak would be processing personal data that is necessary:
- For reasons of public interest in the area of public health.
- To protect the vital interests of the data subject or of another natural person.
- For compliance with a legal obligation.
With regards to processing of electronic communication data, the EDPB notes that national laws implementing the ePrivacy Directive provide that location data can only be used by the relevant service provider when the data are made anonymous, or with the consent of the affected individuals.
Many European Economic Area Data Supervisory Authorities have published their own guidance related to the processing of personal information during the COVID-19 outbreak and businesses should consult that guidance as it may relate to their operations.
Does the Health Insurance Portability and Accountability Act (HIPAA) prevent your business from disclosing whether an employee tested positive for COVID-19?
In most circumstances, the answer would be no. HIPAA applies to covered entities, which is defined to mean healthcare providers, healthcare clearinghouses and health plans. Most employers, unless they are a hospital or healthcare provider, would not be considered covered entities under HIPAA and wouldn’t be prohibited from sharing information due to HIPAA. However, employers that sponsor health plans may receive protected health information (PHI) about employees through their plans, which is covered by HIPAA as protected health information. In that situation, the employer would be required to comply with HIPAA.
Does HIPAA prohibit covered entities from disclosing COVID-19 cases to governmental authorities and the public?
In February 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), which is the federal government agency that enforces HIPAA, published a bulletin outlining the ways that covered entities and their business associates may share patient health information during an infectious disease outbreak and public health emergency. It is permissible to make disclosures of PHI about individuals suspected of having contracted the coronavirus to public health authorities that are authorized by law to receive such information for the purpose of preventing or controlling the spread of disease. “Public health authorities” include agencies or authorities of the United States government, a state, a territory, a political subdivision of a state or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency.
In addition, healthcare providers may share protected PHI with anyone “as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public,” consistent with applicable law. Healthcare providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.
Some healthcare providers may receive media inquiries related COVID-19 cases. However, HIPAA does not permit healthcare providers to disclose PHI to the media without the individual’s authorization. As a result, healthcare providers need to proceed with caution if they choose to discuss COVID-19 cases with the media.