- COVID privacy is a top concern as employees return to the workplace
- Privacy teams should review all national, local, and industry privacy laws to mitigate risks
- Personal data is extremely sensitive and organizations need to be proactive
Read more below.
Early in the COVID-19 epidemic, privacy teams were scrambling to adjust to new risks.
Healthcare providers worried about keeping PHI private during telehealth consultations.
Educational institutions worked to maintain student privacy during remote learning, and
businesses of all kinds worried about protecting PPI as the workplace extended into employees’
homes. Regulatory agencies offered some forbearance, privacy teams worked hard to adjust
processes and mitigate risks, and we all muddled through.
Now, vaccine distribution has provided relief for frontline workers and organizations are able to
relax social distancing measures. Unfortunately, it appears that COVID-related privacy questions
will be with us for a while, especially where the workforce is concerned. Privacy teams will need
all their expertise to help their organizations navigate the maze of overlapping regulations,
jurisdictions, and business issues surrounding employee COVID data.
COVID Data is Tied to Operations
COVID numbers may be dropping domestically, but the disease is still causing death and
disability around the world, and dangerous new variants keep cropping up. Businesses from
retail to hospitality and manufacturing, healthcare to emergency services, are concerned about
infecting customers and/or exposing their workers to potentially deadly infection.
Some employers are requiring proof of vaccination or a negative COVID test as a condition of
work attendance. In the US., they may need to retain that information to show compliance with
Occupational Health and Safety Administration (OSHA) requirements or protect against
complaints of an unsafe workplace. Businesses may also need to do contact tracing to notify co-
workers of an employee who has tested positive for COVID, and some may need to report cases
to local health agencies.
If the business provided salary continuance to an employee affected by COVID, they may also
need proof of COVID cases in order to claim tax credits under the emergency provisions of the
Families First Coronavirus Response Act (FFCRA).
Privacy Regulations Meet Workplace Regulations
Organizations may collect employee COVID data, but they also need to tread carefully in
handling it because multiple regulations can apply. According to the National Law Review, U.S.
employers are allowed to ask employees about possible COVID symptoms, take their
temperature, and ask those with COVID symptoms to demonstrate fitness to return to work.
However, the Americans with Disabilities Act (ADA) requires medical information about an
employee to be stored separately from the employee’s personnel file to prevent discrimination,
so any COVID-19 related information on an employee must be stored with those protected
employee medical files. In healthcare organizations, especially, HR and supervisors should know
when accessing employee health information requires a release of information authorization
from that person.
National and local privacy laws need to be taken into account, and HIPAA laws can come into
play if the employer is also a healthcare provider. (Check out this article for a mind-bending
discussion of scenarios that can involve multiple competing regulations.)
Staging a Privacy Intervention
Just as pandemic lockdowns left organizations scrambling, the return to the workplace is
happening fast. Privacy teams need to proactively help their organizations learn to manage
employee COVID data.
The first step could be a review of national, local, and industry privacy laws that may apply,
possibly with the aid of legal counsel, to determine requirements. Then privacy can work with
HR, line managers, and IT to mitigate risks and maintain compliance.
For example, both supervisors and HR should know not to disclose names of infected employees
to other employees, unless absolutely necessary for contact tracing, but names may be disclosed
to public health agencies.
Managers should know how to navigate sticky issues: whether they can make on-site work
contingent on COVID vaccination, or how to inform coworkers of possible exposure without
giving names of employees who’ve been infected. They should also know that employees have
the right not to have their names reported to OSHA, and how and when to request a release of
information authorization from employees.
HR, supervisors, and IT should know that COVID information is to be handled like other
information protected by the ADA. Privacy and IT could also update data maps and look at data
retention policies for COVID-related information. If the organization has business partners or
third-party associates that handle or store employee data or may provide COVID-related services
such as testing, those partner agreements should also be reviewed to ensure they maintain
Preparing for COVID-Related Privacy Incidents
Employee COVID data may also generate a bump in privacy-related incidents. These are likely
to be small scale incidents as managers, supervisors, and HR personnel are learning how to
handle these new types of employee information. Nonetheless, privacy teams need to account for
these exposures in the incident response process:
- Review incident response processes to ensure that they reflect regulatory requirements
around COVID data. (An intelligent breach response platform can help you determine
which regulations are relevant.)
- Make sure HR, managers, and staff know how to spot and report an exposure of
employee COVID data.
- Run a table-top exercise or two with the incident response team to help identify risks and
anticipate assessment questions surrounding a breach of this data.
For most organizations, the volume and effort in handling employee COVID data will be small.
But, given the societal impacts and cultural turmoil around COVID, this personal data is
extremely sensitive. It will be worth a little up-front work by the privacy team to get it right.