How health information privacy laws apply when the workplace reopens
From asking about potential symptoms to vaccination status, the share of employers collecting health information from their staff has increased. The trend is raising concerns from some lawyers on the management side amid the reopening of physical workspaces.
A March survey by Littler Mendelson of 1,275 employer representatives found that 74% of respondents were currently following or planning to follow vaccination status of workers. Even among respondents who did not have a vaccination policy in place, 54% said their organizations track the status of vaccination.
But given the mix of local, state and federal health information privacy requirements, it’s important for employers to note that they “may not have done the most thorough job” of collecting and store that information, according to Littler shareholder Devjani Mishra.
In his analysis of the survey results, Littler said most respondents used spreadsheets or other in-house software, which he noted could raise data privacy concerns.
Sources who spoke to HR Dive discussed the laws that apply to medical information collected as part of the reopening process and best practices employers can adopt to complete these collections without violating federal, state and local laws.
What laws apply?
The Health Insurance Portability and Accountability Act, or HIPAA, protects an individual’s health and medical records, but the law in general does not apply to employment records, according to the US Department of Health and Human Services. Health plans, insurers and related parties may disclose protected information to employers who sponsor and maintain a group health plan, but only in special circumstances.
Instead, questions about how an employee feels or if they’re vaccinated are more likely to involve the Americans with Disabilities Act and various state and local laws, Mishra said.
For example, the US Equal Employment Opportunity Commission’s technical assistance document states that the ADA requires employers to store all medical information — including articles related to COVID-19such as the results of an employee’s temperature measurement or a self-identified diagnosis of COVID-19 — in the employee’s medical record, separate from the employee’s personnel record.
This information must also be kept confidential under the ADA, according to the EEOC, but managers who are made aware of an employee’s symptoms and diagnosis can generally report those details to the appropriate officials. Still, employers “should make every effort to limit the number of people who get to know the employee’s name,” the agency said.
Do vaccine questions matter?
Immunization status is also protected by the ADA. Employers can impose vaccination requirements and record employees’ status under the law for security purposes, but they should always make sure the information is confidential, Mishra said.
Also, employers may not want to ask why an employee isn’t vaccinated if that information isn’t required because “you kind of come across information that you don’t need,” Mishra said. “If you do [require it]you should exclude this from other decisions involving the employee. »
Vaccine data collection also illustrates compliance issues inherent in national and local information privacy laws. For example, California consumer privacy law requires employers who collect personal information for employment purposes to provide notice of collection to the workers concerned describing the categories of information collected and the purposes for which the information will be used. California employers will see additional requirements under this law from 2023.
Vaccination status could fall under California law’s broad definition of personal information and may need to be included in required collection notices, according to Joseph Lazzarotti, Jackson Lewis principal and co-lead of the privacy practice group, corporate data and cybersecurity. As with data privacy laws in other jurisdictions, California requires companies to put in place reasonable security procedures and practices to protect personal information.
If employers use third-party providers or apps to track immunization status, this may create additional considerations. Lazzarotti said employers using such services will want to understand the kinds of safeguards the providers have, such as two-factor authentication and encryption, to protect employee data. If employees download an app to their devices to submit their information, Lazzarotti added that employers might want to understand what the app’s privacy statement looks like.
Due diligence is key when contracting with vendors, said Mishra, who noted that employers should ask how vendors store the data they collect and whether vendors sell that data. “The employer will take responsibility for setting up a situation [in which] intentionally or not, the data goes where it shouldn’t,” she continued.
Employers may also need to plan for what will happen to vaccine data beyond the collection period, as this data would likely still be stored on provider systems. “When we no longer need to track it, how can we get it back or ask the provider to delete it?” said Lazzarotti.
The impact of the long COVID-19
Officials from the EEOC and elsewhere recently commented on the lengthy COVID-19 and the challenges the condition can present to workers. Long COVID-19 also challenges employers because it encompasses a wide range of symptoms that can inhibit employees’ major life activities and therefore merit accommodation under the ADA.
Additionally, the long COVID-19 can exacerbate existing health problems which did not reach the level of a disability in the past.
But applying health information privacy principles isn’t really that much different from managing short or in-between periods with COVID-19, Mishra said. Central to these discussions between employees and disability management practitioners would be the same interactive process that guides how employers manage other underlying conditions that affect a worker’s ability to perform a job. .
“Don’t let COVID response work distract you from the best practices and knowledge you already have,” Mishra said. Employers, she added, should always perform a factual assessment of the employee’s work and analyze whether the employee has a physical problem that requires some kind of change at work.
Lazzarotti responded similarly; “I think we have to go back to basics.” Employers who have staff who handle the interactive process should train those people on how to comply with the ADA and avoid sharing confidential information with supervisors or employees, he said.
The reopening can be an opportunity for employers to get an overview of their privacy and data security efforts, Lazzarotti continued. Employers keep a variety of employee data even though they don’t need every piece of that data, but they don’t always follow proper security procedures, such as encryption, he said. This can create unnecessary risks in itself.
“I think employers are raising these questions because of COVID, but sometimes you don’t care about day-to-day privacy,” Lazzarotti said. “It’s a good opportunity to look at company practices and understand what kind of data you’re getting.”