Privacy of Employees’ Individual Medical Data During the COVID-19 Crisis

Authors: William V. Whelan and Deborah A. Yates

Updated: 5/19/2020

As California begins to allow more businesses to reopen, governments are requiring employers to monitor their workforce for COVID-19 symptoms. San Diego County, for example, requires employers to take all employees’ temperatures daily. Employers accustomed to laws limiting medical examinations face the unusual situation of mandated, albeit limited, “medical examinations” of employees.

A complicated legal landscape of federal laws (for instance, the Health Insurance Portability and Accountability Act, or HIPAA, the Americans with Disabilities Act, or ADA, and the Occupational Safety and Health Act, or OSHA) and state laws (the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA)) might apply depending on an employer’s industry or size, the data collected, and the purpose for the collection. In addition, all Californians have a constitutional right of privacy. That right extends to an individual’s medical information. California employers must ensure employees’ medical information is kept confidential and protected from unauthorized use and disclosure.[1] Under the ADA, employees’ medical information must be stored separately from personnel files and access must be limited.

When an Employee Tests Positive or Reports Exposure

An employee’s COVID-19 “status” is individual medical information subject to privacy laws. Employers must keep this information confidential and protected from unauthorized use or disclosure.  

Employers should establish a confidential point of contact for employees to report that they have tested positive for COVID-19 or been exposed to someone who has. This point of contact should be trained in privacy rights issues and utilize a process to ensure confidentiality of individual information. Employers’ processes should include a clear protocol for sharing necessary information with other affected persons (see below) and with public health officials.

Employers should keep the identity of the individual behind any testing or exposure result confidential.[2] However, employers must also notify co-workers that they may have been exposed. To balance these competing concerns, the California Department of Fair Employment and Housing recommends a conversation or email in this form: “[Employer] has learned that an employee at [office location] tested positive for the COVID-19 virus. The employee received positive results of this test on [date]. This email is to notify you that you have potentially been exposed to COVID-19 and you should contact your local public health department for guidance and any possible actions to take based on individual circumstances.”[3] Employers should also consider asking employees, either before or after they have tested positive, for authorization to share any positive test results with others as necessary to reduce the risk to others. Employers should prepare their contact tracing protocols balancing an individual’s right to privacy with the need to protect others.

Obviously, other employees may deduce which employee tested positive based on information relayed and who is thereafter absent from work. This differs from an employer disclosing individual results. Remember that due to privacy laws, employers cannot confirm the medical status of any particular employee.

If an employee is absent from work, the employer may ask for an explanation. If the employee discloses a medical reason for an absence, that information constitutes a confidential medical record and must be kept confidential and protected from unauthorized disclosure.

When an Employee Reports or Displays Symptoms at Work

Under the ADA, mandatory medical tests on employees must be “job related and consistent with business necessity.” [4] The EEOC issued guidance confirming that COVID-19 poses a direct threat to others, and therefore tests related to COVID-19 are a business necessity. The EEOC allows employers to conduct mandatory tests for the COVID-19 virus before entering the workplace. However, tests are not sufficiently widely available to make this practical for most employers.

Employers are thus left with inquiring as to symptoms of the virus, such as elevated temperature, coughing, excessive tiredness, or other COVID-19 symptoms. Employers must ensure symptom evaluations are for the limited purpose of protecting against the introduction of the virus. Employers legally may ask employees if they have experienced symptoms or been exposed to the virus before allowing them to enter the workspace. Employees answering in the affirmative can and should be sent home. Employers can also send employees home if they experience symptoms at work. (The applicability of sick pay is beyond the scope of this article.)

Employers must treat information regarding an individual’s symptoms, including any written forms filled out by employees about symptoms or exposure, as confidential medical records as described above.

Employers covered by the California Consumer Privacy Act (CCPA) must also consider its effect. In California, medical information is considered presumptively sensitive under the CCPA.[5] The CCPA requires notice to consumers/employees at the time of data collection. Thus, employers covered by the CCPA should provide notice as to the personal information to be collected and the purposes therefor at or before the time of collection. Notice can be sent electronically (e.g., by email), provided orally, provided in hard copy, or given through signage. If a California employer intends to disclose any individualized information, employees should also be given the opportunity to “opt-in” to the disclosures under the CCPA. Employers covered by the CCPA should also consider updating their public-facing privacy policy to account for information newly collected due to the coronavirus crisis.

Temperature Checks

Employers are currently allowed – and even sometimes required – to take the temperatures of employees before allowing them to enter the workplace. An employee’s temperature is a confidential medical record and must be maintained as confidential.  Employers’ processes must accommodate the confidential nature of the results. In addition, any CCPA-covered employer requiring a temperature check to protect against COVID-19 should include that in the CCPA notice described above.

This article assumes that employees’ temperatures are tested with basic thermometers that do not capture other information. If an employer utilizes technology that also captures other information (e.g., a face scan, heart rate, etc.), other privacy implications may apply. 

Conclusion

The COVID-19 crisis presents challenges to employers balancing their duties to attempt to protect their workforce from the virus and their duties to maintain confidentiality of certain individualized medical information. These issues are legally complex. This article draws attention to certain issues but is not intended as legal advice. We encourage you to contact us or your regular employment law counsel for advice specific to your situation.


[1] Cal. Civil Code § 56.20.

[2] https://www.dfeh.ca.gov/wp-content/uploads/sites/32/2020/03/DFEH-Employment-Information-on-COVID-19-FAQ_ENG.pdf.

[3] See https://www.dfeh.ca.gov/wp-content/uploads/sites/32/2020/03/DFEH-Employment-Information-on-COVID-19-FAQ_ENG.pdf.

[4] 42 U.S.C. § 12112(d)(4)(A).

[5] See 999.323(b)(3)(a); Cal. Civil Code § 1798.81.5.