Law360 (June 4, 2020, 4:48 PM EDT) --
Public health authorities have emphasized the importance of social distancing and contact tracing as necessary tools to avoid a second wave of COVID-19 infection. Mobile tracking technology promises to assist in these twin efforts. Use of mobile apps, in combination with other important infection control measures, may enhance COVID-19 prevention and remediation but also comes with risks worth evaluating.
Tracing and Distancing Through Tracking Technologies
Tracking technologies have the ability to assist in enforcement of social distancing and to perform contact tracing. Various vendors offer off-the-shelf solutions, while some companies choose to invest in creating customized mobile applications. Tracking technologies work either actively or passively, pinpointing an individual's location through radio frequency sensors or GPS, using a tag or an app on a mobile phone.
Passive tracking technologies store this information for downloading later. Active tracking apps, on the other hand, may have the capability of enforcing social distancing by immediately alerting employees if they are in too close physical proximity. Active and passive tracking apps may allow for contact tracing by pairing data identifying who the user has contacted with knowledge of who has symptoms or has tested positive for COVID-19. In such cases, the employer notifies the employees who came into contact with an infected person and asks them to quarantine, report whether they experience symptoms or test positive, and/or be tested.
Employers using mobile tracking apps may build a data set from which to make better-informed decisions based on empirical evidence of employees' movements and contact with others. Adoption of mobile tracking technologies may also assist in defending administrative charges or civil lawsuits by providing evidence of an infected individual's interactions in the workplace, or by demonstrating the employer's good faith efforts to safeguard the workplace. Employees may also appreciate the technical assist in maintaining social distancing and/or contact tracing.
Screening Applications and Questionnaires
Many states are mandating, or recommending, that employers screen employees entering the workplace daily for COVID-19 symptoms or a past exposure history. In response, some companies have developed screening apps to speed the process. These apps also allow employees to self-screen prior to starting their morning commute, so determinations whether to stay home are made before employees board public transportation or arrive at the office.
Screening apps, as well as some tracking apps, include self-reporting functionalities that permit employees to inform their employers if they have tested positive for COVID-19. Indeed, many of these technologies are created with an open application programming interface (API) system that allows them to interface with digital medical record technologies, so that a patient's test results can be synced with the app. Often, the apps also de-identify the information and upload it to public health officials. Thus, data collected for employment purposes has the additional benefit of providing crucial information to health officials to combat further COVID-19 spread.
Temperature checks have become commonplace in many workplaces, particularly because U.S. Equal Employment Opportunity Commission guidance permits such testing, and many states and localities now mandate that employers and/or certain industries check temperatures of those entering the premises. Often, employers use traditional thermometers or the newly introduced thermal cameras. But depending on the regulatory guidance, temperature checks can be conducted using wearables or digital thermometers connected to a mobile app, which can automatically report results to an employer.
Labor and Employment Considerations
Adoption of mobile technologies may be appealing in light of their potential benefits and the fact that many new apps are being marketed free of charge. Nonetheless, these apps are not "plug and play," and employers must think carefully about implementation to minimize legal risks. At minimum, employers should be mindful of the following considerations:
Wage and Hour Compliance
Employers should notify employees if the tracking apps provide a secondary check on time sheets. Moreover, if a tracking app notifies an employer that a nonexempt employee was working off the clock, the employer must be sure to pay that employee for the time worked.
Companies should also consider whether requiring employees to complete prework questionnaires through a mobile app constitutes compensable time. Especially in California, where security checks have recently been found compensable time under the state wage laws, mandatory use of these technologies may lead to wage and hour exposure.
To provide adequate notice, employers should implement policies governing the use of mobile apps, and, where applicable, consider updating their handbooks to provide notice to employees of any necessary changes.
Requiring employees to use personal mobile devices for COVID-19 mobile technologies could be a reimbursable expense under certain state wage and hour laws. Employers in those jurisdictions should identify how they will comply (e.g., stipend, reimbursement, partial reimbursement, etc.).
Employers should also evaluate whether the mobile app is accessible for employees with a mental or physical impairment, or otherwise complies with the then-current Web Content Accessibility Guidelines. To the extent a technology is not accessible, employers should be prepared to address reasonable accommodations.
Employers with a represented workforce must determine whether they must bargain over implementation of mobile apps or wearable technology or whether existing contract language permits unilateral action. Moreover, employers must be mindful not to monitor in a manner that constitutes unlawful surveillance under the National Labor Relations Act.
Workplace Safety Compliance and Record-Keeping
The Occupational Safety and Health Administration requires all employers to make work-related COVID-19 record-keeping and reporting analyses. Under OSHA's record-keeping requirements, COVID-19 is a recordable illness, and employers are responsible for recording cases of COVID-19 if they are confirmed (as defined by the Centers for Disease Control and Prevention), work-related, and involve one or more of the general recording criteria set forth in the OSHA regulations.
In determining whether an infection is work-related, OSHA considers the: (1) reasonableness of the employer's work-relatedness investigation; and (2) evidence reasonably available to the employer at the time the work-relatedness decision was made, as well as information the employer may learn later.
COVID-19 illnesses are likely work-related when several cases develop among workers who work closely together and there is no alternative explanation; if the illness is contracted shortly after lengthy, close exposure to a particular coworker or customer who has a confirmed case of COVID-19 and there is no alternative explanation; and if the employee's job duties include having frequent, close exposure to the general public in an area with ongoing community transmission and there is no alternative explanation.
Tracking apps that allow for contact tracing could provide additional data to employers in making a workplace-relatedness determination. Employers using tracking apps, for example, may be able to readily determine whether an employee has had lengthy, close exposure to an individual with a confirmed case of COVID-19. This data could be instrumental in determining whether to record an incident of COVID-19, and may need to be turned over to OSHA investigators upon request. Likewise, this preservation requirement might apply to daily screening questionnaires, or thermal images of employees entering and exiting the premises.
Health Privacy and Security Considerations
Employers that adopt tracking technologies or apps that integrate information about an employee's medical or health status must also consider employment and public health implications, especially in light of the recently released Interoperability Rule, which encourages the seamless access and exchange of electronic health information.
In general, employers do not become covered entities under the Health Insurance Portability and Accountability Act merely by implementing a mobile app that utilizes employee health information. But if the employer uses a third-party app to gather and assess medical information for purposes of testing through an employer-sponsored group health plan, employee assistance program, or onsite medical clinic that is shared with the employer, the employer should consider any applicable obligations under HIPAA, including business associate agreements and HIPAA privacy notices.
Health apps that fall outside HIPAA requirements likely would be covered under the Federal Trade Commission Act's Unfair and Deceptive Acts or Practices and the FTC's Health Breach Notification Rules and any state consumer protection laws, including data safeguards and breach reporting and notification requirements. Employers must continue to monitor legislation in this space, as New York recently proposed a law regarding contact tracing, and Congress has introduced similar measures.
Currently, employers have no federal obligation to report cases of COVID-19 in the workplace to the CDC or other federal or state agencies. Typically, being a "mandatory reporter" is a designation made by states, and employers are not required to report infectious disease to public health authorities. However, given the serious and significant medical and economic implications of this COVID-19 pandemic, as part of state reopening plans, employers may be tasked with collecting and reporting suspected and/or actual cases of COVID-19 to public health authorities.
Whether an employer opts to buy or build a tracking technology or app, employees may have concerns as to how their personal health information may be used or disclosed. Of course, tracking apps are not new to the workplace. Many companies lawfully use geofencing tracking technology for delivery drivers and outside sales people, and time-clock technology that "punches in" upon the employee's arrival to the job site. As in other contexts, employers should treat the data that they may collect confidentially and only use it for required or stated purposes.
Good communication is essential. By issuing clear and transparent notices, employers can ensure that their employees know what information is being collected, why or under what authority they are collecting that information, who it will be shared with (including any reporting that might be required to public health authorities), and how long it will be retained. Companies using third-party apps should understand whether and how the app providers may use employee data, and clearly define the parties' data rights and obligations in the master services agreement to ensure that no secondary or unnecessary uses or disclosures are unwittingly made.
Relatedly, and while not strictly a health privacy consideration, employers also should consider whether an app will track employees' movements and, if so, whether it will do so when employees are on the business premises and only during working time, or will extend surveillance to off-duty movement and locations. Employers using tracking technology must be aware of off-duty conduct statutes in jurisdictions in which they operate and how any off-duty monitoring might conflict with such laws. Similarly, state laws, such as the California Consumer Privacy Act, may require employers to disclose to employees the information being collected.
Given that many of these apps collect personal medical information in addition to real-time employee location, employers must audit the data security of their system as well as the system of any vendor to protect against hacking. Employers also should review applicable service agreements to ensure compliance with data privacy and security issues, breach notification procedures, indemnification, and limitation of liability. Additionally, best practices dictate that employers should educate their employees on how to protect their own sensitive information accessible and/or shared through these apps.
Companies should also consider the practical and operational challenges with using these products.
For example, the accuracy of the data may be negatively affected by many different variables, including the accuracy, quality, and integrity of the information about whether a person is infected, is symptomatic, has been exposed, or has come into close contact with someone else who is infected. Having a cement building with bad Wi-Fi or GPS signals may produce location data that is not as clear as in an office environment.
In addition, use of these apps on employees' mobile devices assumes the employee will carry the device at all times. The tracking data will be incomplete or inaccurate if an employee leaves the device in an office while walking around the workplace.
Further, these apps may not make sense for workplaces requiring employees to be within close proximity to others, such as a point of sale check-out area, patient care setting, or barbershop.
While there is a host of legal and regulatory concerns in use of many technologies in return-to-work scenarios, there are potentially huge gains for both employers and society in their use. Companies should evaluate their options carefully.
Employers should closely vet the vendors and their products, particularly because so many products are being rushed to market to combat COVID-19, without being fully tested for accuracy and reliability. But when used in combination with other safety measures — such as proper cleaning and disinfecting procedures, office realignment, and personal protective equipment — properly vetted technologies may help bring people back to work quicker and more effectively than more traditional measures.
Adam S. Forman and Nathaniel M. Glasser are members, Karen Mandelbaum is senior counsel, and Robert J. O'Hara is a member, at Epstein Becker Green.
Epstein Becker associates Matthew Savage Aibel and Elizabeth Scarola also contributed to the article.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 E.g., Colorado: https://drive.google.com/file/d/19mjy5vyuLpPcrXz58nK1gWGWUFL4Op_D/view?usp=sharing; New York: https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/NYS_BusinessReopeningSafetyPlanTemplate.pdf; Georgia: https://gov.georgia.gov/document/2020-executive-order/05282002/download.
 UnitedHealth Group and Microsoft, for example, have partnered to offer a free screening app for employers called ProtectWell.
 Delaware: https://coronavirus.delaware.gov/wp-content/uploads/sites/177/2020/04/High-Risk-Business-List_04.2.20.pdf; Idaho: https://rebound.idaho.gov/wp-content/uploads/2020/05/stage2-protocols-restaurants.pdf; Kentucky: https://govsite-assets.s3.amazonaws.com/34CVrepQ8KClctVAQEDH_5-11-2020%20CHFS%20Order%20Minimum%20Requirements%20for%20All%20Entities.pdf.
 29 CFR §§ 1904.5 & 1904.7.
 85 Fed. Reg. 25510.
 15 U.S.C. §41 et seq.
 Test, Trust, and Certify Act, 2020 NY Assembly Bill A10462; COVID-19 Consumer Data Protection Act of 2020, S. 3663, 116th Cong. § 2 (2020).
 The states that offer some of the broadest protections are California, Cal. Lab. Code §§ 96(k), 98.6, and Colorado, Colo. Rev. Stat. § 24-34-402.5.
 Cal. Civ. Code §1798.100.