Question: What are some of the privacy implications for employers who ask an employee about his or her health conditions concerning COVID-19 and the retention of that information?

Answer:  As employers evaluate what measures to implement to address COVID-19 in the workplace, such as health questionnaires and on-site temperature measurements, employers must remember that the information they collect, and how they collect it, must be carefully controlled because that information is protected employee medical information.  Employers must continue to follow existing state and federal laws regarding confidentiality and employee privacy, especially as these pertain to medical information.

The Department of Fair Employment and Housing (“DFEH”) recently issued guidance on employment issues related to COVID-19. The guidance clarifies that employers may ask employees if they are experiencing COVID-19 symptoms and send employees home from work if they display COVID-19 symptoms. Moreover, employers may measure employees’ body temperature for the limited purpose of evaluating the risk that an employee’s presence poses in the workplace.  An employer may also ask why an individual did not report to work if the employer suspects an employee illness. These measures must be uniformly applied in a non-discriminatory manner, and the data collected must be maintained in a confidential medical file in a secure location like any other employee medical information. Access to the information should be limited to designated individuals.

The DFEH guidance also states that to comply with privacy laws, employers should not identify by name any employee who tests positive for, or is suspected to have, COVID-19.  Employers may notify affected employees of potential exposure to COVID-19, but without revealing the personal health information or identity of an employee who may be the source of the exposure.  The DFEH suggested notification is available at

If an employer is addressing COVID-19 employee disability, accommodation, or leave issues under the Americans With Disabilities Act, Fair Employment and Housing Act, or the Family and Medical Leave Act, the employer should treat the COVID-19-related information the same way it treats other medical information it receives.

The Health Insurance Portability and Accountability Act (“HIPAA”) also safeguards employee health information by providing national standards for the protection of such information.  HIPAA applies to entities such as health plans, health care clearinghouses, and health care providers.  If a business or its business associates are governed by HIPAA, then HIPAA’s privacy rules apply to disclosures made by employees and other workers of such businesses.  HIPAA privacy requirements do not necessarily apply to employers that hold employees’ medical information pertaining to COVID-19, unless the employer is otherwise subject to HIPAA.

The California Consumer Privacy Act (CCPA) requires covered businesses to provide a notice to California consumers explaining what personal information they collect and how that information is used, including health-related information.  Businesses are subject to the CCPA if they (1) have annual gross revenues over $25 million; (2) buy, receive, sell, or share for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.  The CCPA notice requirement applies to information gathered about job applicants and employees.  Covered employers should review and update their CCPA notice to address the collection and use of information related to COVID-19.

The bottom line is that in trying to meet the challenge of ensuring employee protection from COVID-19, employers must also ensure the protection of employee medical information under multiple laws.