Law360 (June 15, 2020, 1:57 PM EDT) --
While collecting this type of information certainly has its benefits — and is even sometimes recommended by state and local governments — the employment and privacy law considerations that are triggered should not be ignored. Here we provide answers to the top questions submitted by businesses relating to information collection practices in the era of COVID-19.
1. Does the law require businesses to collect symptom-related information before allowing employees back into their buildings?
Collection of information regarding symptoms and testing is not, currently, mandatory for most businesses. That said, testing or temperature screening can be a good tool to help mitigate risk of spreading the coronavirus.
Indeed, interim guidance from the Centers for Disease Control and Prevention for businesses suggests that employers "consider conducting daily in-person or virtual health checks (e.g., symptom and/or temperature screening) of employees before they enter the facility, in accordance with state and local public health authorities and, if available, your occupational health services."
And some state and local authorities have suggested or even recommended that employers conduct temperature screens or testing. Employers should consider what they hope to achieve out of symptom collection and testing and determine the information gathering purpose suitable or necessary for the particular working conditions, workforce and workplace at issue.
Not all screening methods and procedures are appropriate for every environment, so it is wise to think through the pros and cons before diving in so that you can make a deliberate choice.
2. What types of information can businesses collect as part of their reopening procedures?
The Americans with Disabilities Act places many limitations on employers' ability to collect or use medical information of employees or applicants.
However, the U.S. Equal Employment Opportunity Commission has recently clarified that during a pandemic, ADA-covered employers may ask employees if they are experiencing symptoms of the pandemic virus, may measure employees' body temperature, and may choose to administer COVID-19 testing to employees before they enter the workplace to determine if they have the virus.
The EEOC has emphasized that employers should make sure not to engage in unlawful disparate treatment based on protected characteristics in decisions related to screening and testing. There are a few additional considerations employers should keep in mind as they implement testing or monitoring programs:
The EEOC recommends that employers ask employees whether they are experiencing or have recently experienced common COVID-19 symptoms identified by the CDC (cough; shortness of breath or difficulty breathing; fever; chills; muscle pain; sore throat; new loss of taste or smell).
The EEOC has suggested that employers rely on the CDC and other public health authorities to help them understand whether asking about additional symptoms may be necessary — and therefore permissible. For example, according to the EEOC additional medically confirmed symptoms may include gastrointestinal problems, such as nausea, diarrhea and vomiting.
Taking Employee Temperatures
As noted, while generally this would be a medical examination prohibited by the ADA, the EEOC has issued guidance stating that employers may measure the temperatures of their employees given the current pandemic. The CDC recommends screening employees for fevers of more than 100.4 degrees Fahrenheit, but some states may recommend different thresholds.
Testing vendors/guests who visit the worksite might also be a good idea. Be aware that not all infected individuals will exhibit symptoms, so while temperature screening may identify some individuals who present a risk, it will not identify every individual who could possibly be infected with COVID-19.
Testing for Active Infection
The EEOC has indicated that employers may test employees entering the workplace for active COVID-19 infection because an individual with the virus will pose a direct threat to the health of others. Employers should ensure that the test chosen is accurate and reliable and consider the possibility of instances of false positives and false negatives to evaluate the frequency needed for test administration.
The above considerations also need to be weighed against privacy implications. Generally, and unless you fall into a regulated industry, privacy laws in the U.S. do not regulate the types of information organizations can collect.
Rather, privacy laws are guided by the Fair Information Practice Principles, which consist of certain core principles such as notice, choice, access and security. These principles should, at a minimum, inform employers' data collection practices. Relevant here, the following should be considered:
Employers should strive to provide written notice about their data collection practices and procedures to employees before conducting any screening. At a minimum, such notice should inform the employees what personal information will be collected, how it will be used and shared, and how long the information will be retained.
Certain laws, such as the California Consumer Privacy Act, mandate written notice prior to the collection of personal information and also specify the manner in which the notice should be provided. Notably, the California Consumer Privacy Act's notice obligation extends to information collected from employees.
Choice and Consent
Another core privacy principle is individual choice and consent. With certain employees being forced back to work, businesses should consider whether consent to collect personal information is being freely provided, or if consent is obtained because the individual simply has no choice. It is worth noting that some privacy laws have informed consent provisions, like the Illinois Biometric Information Privacy Act, which requires both notice and written consent before collecting an employee's biometric information.
3. What methods should employers use to collect information?
Even though the EEOC has allowed temperature taking and testing in the COVID-19 context, employers still need to comply with federal and state requirements mandating protection of individual employee medical data. In particular, all test results should be maintained as confidential medical information under the ADA — maintained on a strict need-to-know basis and kept separate from employees' personnel files.
The EEOC has also recently reminded employers that in the case of employees who request an alternative method of screening due to a medical condition, or as a religious accommodation, an employer should proceed as it would in responding to any other request for accommodation under the ADA, or Title VII in the case of a religious accommodation.
Also, do not forget to plan for logistics — daily screens will add time to the workday. Keep in mind that employees may claim that their time waiting in line or being screened for a fever or to take a virus test before their shift is compensable and be mindful that the worksite must allow for sufficient space for any queues to allow for appropriate social distancing, even in adverse weather.
Engaging a third-party vendor to perform testing is recommended, if possible, but the CDC has also provided guidance for employers who intend to train their employees to perform testing, including in the use of appropriate distancing and personal protective equipment to keep both the tester and employees being tested safe. If possible, employers conducting temperature checks should use contactless equipment, such as forehead or body scanners.
Furthermore, given the sensitive nature of the health information at issue, an employer should attempt to protect the employee's privacy when screening for symptoms. To this end, screening should occur in a setting that is private, which may be possible by setting up physical partitions to block the line of sight, where appropriate.
Many organizations are also considering deploying contact tracing apps to monitor their workforce. In order for these types of apps to work, users must download the app to their smartphones and grant access to their location data and Bluetooth.
As users travel about, the application tracks the users' location and stores the information. When a user comes within six feet of another person's device, the Bluetooth technology notes the proximity and the specific interaction is recorded.
If a user is diagnosed with COVID-19, the data collected by the user's smartphone is uploaded to a central location where it is processed. Notification is automatically sent to the smartphones of individuals who crossed paths with or came within six feet of the infected user.
While using contact tracing apps to monitor employees may assist in combating the spread of COVID-19 among the workforce, the privacy concerns, including those relating to providing adequate notice, choice and consent, should not be ignored.
From a best practices perspective, employers should consider rolling out this technology using a voluntary, consent-based approach that aims for adoption through education programs that explain the utility of using contact tracing applications and the individual privacy protections and policies to which the employer will adhere.
For organizations that are considering systems that combine facial recognition software with contactless temperature screening, remember that certain privacy laws, such as the Illinois Biometric Information Privacy Act, may be triggered.
Lastly, all information collected should be stored using reasonable security procedures or destroyed, if possible. Remember, certain laws may require you to retain data for a certain period of time.
While what constitutes "reasonable security" during a pandemic is still being defined, businesses should assess what safeguards are needed taking into account administrative, physical and technical controls such as preparing a written information security program, requiring all electronic data to be encrypted, ensuring that employees adhere to a clean-desk policy, and protecting electronic data through the use of access monitoring tools and multifactor authentication.
4. Can you share a positive diagnosis with other employees that may have interacted with the person who tested positive?
Employers are not permitted to disclose the identity of an employee who has tested positive for COVID-19 to other employees who may have interacted with such person. Under the ADA, any information regarding the medical condition or medical history of an employee that an employer gains while inquiring into that employee's disability may constitute confidential medical information that can only be disclosed to certain individuals in limited and specified circumstances.
Although employers may not reveal the identity of an employee who has tested positive for COVID-19, they should consult with their state or local department of public health for guidance, and can and should promptly notify other employees that someone with whom they were in contact tested positive for COVID-19 and encourage those employees to get themselves tested immediately.
Given the sensitive nature of the data, organizations should consider informing employees about this type of disclosure in their privacy notices, despite the fact that such information has arguably been anonymized (i.e., it may no longer constitute personal information or personally identifiable information).
5. Are employers required to record positive reports of COVID-19 with OSHA?
According to the Occupational Safety and Health Administration's revised enforcement guidance on recording COVID-19 cases, which was published on May 19, COVID-19 is a recordable illness, and employers are responsible for recording cases, if:
- The case is a confirmed case of COVID-19, as defined by the CDC;
- The case is work-related as defined by Title 29 of the Code of Federal Regulations, Section 1904.5; and
- The case involves one or more of the general recording criteria set forth in Title 29 of the Code of Federal Regulations, Section 1904.7.
Determining whether a case is work-related is a fact-specific evaluation that must be done on a case-by-case basis. If the source of an exposure is not obvious, OSHA recommends employers "evaluate the employee's work duties and environment to decide whether or not one or more events or exposures in the work environment" caused the worker to contract COVID-19.
From the privacy perspective, any disclosure to a third party — even state or local health departments — should be anticipated and clearly stated in the notice materials. Indeed, a business's failure to identify the third parties with whom information is shared may increase an employer's legal exposure if it is later learned that information has been shared with an undisclosed third party, even if such sharing is required by law.
As a result, employers should strive to be fully transparent with respect to their data collection and sharing practices, especially with policies relating to health screening given the sensitive nature of the information. Policies and notices should also be frequently reviewed and revised to account for changes, as necessary.
6. What can you do with the information collected?
As explained above, all employee health information should be maintained as confidential medical information under the ADA and kept separate from employees' personnel files. In addition to recording cases of COVID-19 with OSHA when applicable, employers can and should use positive reports to shape their virus prevention and mitigation plans.
Such plans may include modifying which workplace facilities remain open, decreasing the number of employees working in a given area, and taking swift action to provide testing to employees who have been exposed to a co-worker who has tested positive for COVID-19. Employers should also contact their local department of health for further recommendations and guidance as to contact tracing, testing and quarantine in response to an employee's confirmed positive test.
From the privacy perspective, information collected should only be used for the purposes specified in the employers' privacy notices. As a result, it is critical for legal, compliance and human resources to work together to determine how information will be used and, in turn, spelled out in the privacy notices.
This is especially important for entities regulated by the California Consumer Privacy Act given the proposed regulations, which state that a business may not use a consumer's personal information for any purpose other than those disclosed in the notice at collection.
If the business intends to use a consumer's personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business is required to directly notify the consumer of the new use and obtain explicit consent from the consumer to use it for the new purpose.
7. How long should businesses retain information collected?
It is possible that OSHA would claim that taking employees' body temperatures is "biological monitoring" within the purview of Title 29 of the Code of Federal Regulations, Section 1910.1020, subject to the record-keeping requirement of retention for the duration of the employee's employment, plus 30 years. Employers should discuss with counsel the pros and cons of attempting compliance with this requirement in their particular situation.
It's worth noting, as well, that most privacy laws modeled on Fair Information Practice Principles draw attention to data retention practices in the context of data security.
Indeed, from the information security perspective, destroying data once it is no longer needed (or required to be retained) is considered a best practice. Thus, information collected that does not fall within the purview of OSHA or other data retention requirements should be safely destroyed once there is no longer a need to retain such information.
Daniel Waltz, Christopher Gelpi and Emily Schifter are associates at Troutman Sanders LLP.
Troutman Sanders associate Sadia Mirza, and partners Richard Gerakitis and Ron Raether, contributed to this article.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.