The Next Normal: A Littler Insight on Returning to Work – Privacy and Data Security Implications of Employee Screening

By April 30, 2020, the stay-at-home orders imposed in at least 15 U.S. states will have expired. Although the governors of some of these states are likely to extend the prohibition on employees of “non-essential” businesses returning to work until May, employers with multistate operations will soon be able to reopen a number of their facilities. In fact, this is already the case for some employers in Alaska, Colorado, Georgia, Oklahoma, and South Carolina.

The return of employees to the workplace ushers in the next frontier in employers’ responses to the novel coronavirus (COVID-19) pandemic, raising a wide range of novel challenges. One of the most fundamental challenges relates to workplace privacy and data security, namely, developing lawful processes to screen employees for possible COVID-19 infection before they re-enter the workplace. After addressing the privacy and data security implications of the three most recently introduced screening methods—COVID-19 testing, antibodies testing, and social distancing apps, we will explain critical new developments related to the now “traditional” screening methods of temperature-taking and employee questionnaires. The article will conclude by explaining key requirements regarding the secure storage of employee health information collected in the screening process and the tight restrictions on disclosing it, both internally and to third parties.

  1. COVID-19 Diagnostic Tests

On April 23, 2020, the Equal Employment Opportunity Commission (EEOC) updated its existing COVID-19 guidance to make clear that employers “may choose to administer COVID-19 testing to employees before they enter the workplace to determine whether they have [COVID-19].” Under normal circumstances, testing an employee to determine the presence of a virus would be permissible only if the employer could satisfy the “direct threat” analysis under the Americans with Disabilities Act (ADA). Specifically, the employer must have a reasonable belief, based upon objective evidence, that the specific employee to be tested poses a direct threat to the rest of the workforce as a result of the virus. In guidance issued on March 21, 2020, the EEOC explained that the assessments made by the Centers for Disease Control and Prevention (CDC) and public health authorities regarding the severity of COVID-19 provide employers with objective evidence that any employee could constitute a direct threat to the workplace; consequently, temperature scans of all employees are justified. The EEOC’s April 23, 2020 guidance took its prior analysis one step further by clarifying that COVID-19 testing of all employees is permissible during the pandemic’s duration.

Conducting the tests

While the EEOC’s guidance opens the door to widespread COVID-19 testing of employees seeking to re-enter the workplace, employers still confront a range of practical and legal compliance issues. To begin with, most employers will face challenges obtaining test kits as businesses compete for a limited supply. Even when test kits are available, the EEOC’s guidance emphasizes that tests must be “accurate and reliable”; however, tests approved by the U.S. Food and Drug Administration as meeting this standard are scarce. Further, employers that have the capability to conduct COVID-19 testing in-house will be required to address stringent workplace safety requirements before launching their program. Employers that turn to a third-party service provider that is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) could not obtain test results unless employees execute a HIPAA-compliant authorization. Employers would also need to address possible wage-hour considerations for the time spent in testing as well as benefits coverage issues related to testing and treatment. These issues and others highlight the need for employers to convene a multidisciplinary team to address COVID-19 testing as a screening mechanism in a comprehensive way.

Duration of the testing program

Employers that choose to require COVID-19 tests should not lose sight of the fact that widespread testing of all employees may not be defensible under the ADA once the CDC and/or public health authorities determine that the threat posed by COVID-19 has diminished. This is because the existence of the virus, standing alone, will no longer constitute objective evidence that any employee could pose a “direct threat” to the workplace, putting the onus on employers to point to objective reasons to believe that a given individual should be tested because they may have COVID-19, and pose a direct threat to the workforce.  

  1. Tests For COVID-19 Antibodies

Many employers seeking creative ways to reduce the risk of COVID-19 infection in their workplace have raised the possibility of testing returning workers for antibodies in the hope that a positive test result would suggest some level of immunity from COVID-19 infection. In guidance published on April 24, 2020, however, the World Health Organization explained that “[t]here is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.” Thus, the value of such results may be limited.

Even if reliable antibody tests eventually do become available, employers still would confront significant legal obstacles in implementing them. The EEOC’s April 23, 2020 guidance on COVID-19 testing did not address testing employees for the presence of antibodies which may demonstrate an employee’s potential immunity to COVID-19. Moreover, employers likely would face challenges proving that antibodies testing to identify potentially immune employees is “job-related and consistent with business necessity” and, therefore, a permissible medical examination under the ADA. The test may be viewed as not job-related because healthy employees who are fit for duty but do not have the antibodies would fail the test. The test also may be viewed as not consistent with business necessity because the test does not exclude employees with a medical condition that would pose a direct threat to health or safety. Instead, the test would only identify employees with a possible immunity who might not pose a direct threat to the workplace.

  1. Workplace Monitoring Apps

A number of companies are developing employer-focused applications that help track those employees who have reported COVID-19 symptoms and facilitate contact tracing within the workforce. At least one company is offering a proximity tracking solution that helps employers maintain social distancing in the workplace by sending employees alerts when they come into close contact with co-workers. While these apps may offer employers an additional way to guard against the spread of COVID-19 within the workplace, employers should understand the risks of these technologies before introducing them to the workforce.

Privacy considerations

Before implementing these types of solutions, employers should ensure that they provide the appropriate notice, and where necessary obtain consent, from their employees. For example, the California Consumer Privacy Act (CCPA) requires employers to provide employees with a “notice at collection” before collecting their personal information, such as location information. In addition, some state statutes require consent for geo-tracking, and recent case law suggests some risk of a common law claim based on continuous location tracking over an extended period of time without prior notice and consent. Even where not legally required to do so, employers should consider providing employees with a notice for the sake of preserving positive employee relations.  

Employers should also assess the scope of information collected by these apps as they could trigger compliance obligations, including additional notice requirements to family members whose personal information is stored within the app, by the employer in connection with contact tracing. Finally, employers should ensure that the service agreement with the app provider includes provisions that adequately protect their employees’ information. Several states require employers that transfer certain categories of personal information to vendors to “flow down” specific data security requirements within their service agreement with the vendor.

Employee buy-in

To the extent employees are required to download the app onto a mobile device, employers should consider the importance of employee buy-in. The idea of employer tracking raises concern for employees, especially when the employee is required to download software onto a personal device. Providing employees with a notice explaining, among other things, the data collected by the employer, the purpose of the collection, the universe of company employees and any third parties who will have access to the data, and the retention period for the data collected, could pacify employee concerns. Also, employers that maintain a bring-your-own-device program (BYOD) should consider whether they have the ability to require employees to download an app onto their personal devices.

  1. Temperature Scans

As noted above, the EEOC has made clear that temperature checks of employees are permissible. The CDC’s guidelines suggest that for Critical Infrastructure workers, employers should conduct daily temperature checks to pre-screen employees for a high temperature (defined as a temperature of 100.4℉ or higher) before the employees are allowed to enter the workplace. The CDC likely will extend this recommendation to all workers returning to the workplace. Likewise, although currently only a handful of states require temperature checks of employees, most states do not require it or simply recommend it. However, more states likely will either require or recommend temperature scans as stay-at-home orders expire in the coming weeks.

Performing the temperature checks

Employers should establish a protocol for the temperature check process and apply it consistently to all employees. To avoid scrambling to address problems while employees are waiting in line to be checked, employers should consider legal and logistical issues before screening any employees. Some general considerations are:

  • If temperature checks will be administered internally by management or other employees, then appropriate training and personal protective equipment (PPE) should be provided;
  • All employees should be notified of the temperature checks and what to expect during the temperature check process, including meeting any state-specific notification requirements;
  • Employers should check the temperature of all individuals entering the workplace to protect against the threat of COVID-19 infection and to support their argument that the temperature screening process is intended for this purpose;
  • All temperature checks should be conducted in a manner that protects the privacy of the individuals;
  • There should be a process for denying entry to individuals with a high temperature and for dealing with refusals; and
  • Where individuals are excluded based on the temperature or symptom check, documentation relating to the results and any related medical information should be maintained as confidential medical information in compliance with the ADA.

Employers are not required to use a third-party medical professional or a licensed healthcare provider to conduct temperature checks. In fact, where local law does not mandate that employers themselves perform a temperature check, employers could recommend or choose to require employees to conduct temperature checks on themselves, before coming into work each day, to ensure their temperature does not indicate a fever.1 Employers that do choose to use a third party to conduct the temperature checks should consider potential medical confidentiality and disclosure issues in the jurisdiction where the employer does business, as well as potential HIPAA compliance obligations.

Thermal scanners

A number of companies are promoting advanced temperature scanning technology, including full-body video thermal scanners and thermal scanners with facial recognition capability. Although this technology may seem easier and safer to implement, it raises other privacy concerns, such as inadvertent collection of employee biometric data or over-collection of data in possible violation of the ADA. For example, in jurisdictions that regulate the collection of biometric data, such as Illinois, employers must obtain employees’ written consent before implementing temperature scanning technology that collects biometric data, such as facial geometry, and must disseminate a policy that explains, at a minimum, the retention schedule for the biometric data collected by the temperature scanner. Employers should consider these legal risks before determining whether to utilize more advanced temperature scanning technology.  

  1. Daily Screening Questionnaires

Directly questioning employees about their potential infection with COVID-19 is another key element in an employer’s defense against contagion as employees re-enter the workplace. The employees’ answers can complement the information from temperature screening. Although the employees’ information about exposure and symptoms may not definitively establish whether an employee has contracted COVID-19 as accurately as a COVID-19 test, the employer typically can obtain the employee’s answers more quickly than the test results. Questions also elicit broader information about the likelihood that an employee is ill than does temperature screening.  

Employers should be aware that there are boundaries to this screening method. At least one state has issued guidance explaining that employers cannot ask employees questions designed to determine whether they have any health conditions that would make them susceptible to COVID-19-related complications. Also, over 25 jurisdictions have issued guidance making clear that employers cannot require returning employees to provide a note from a healthcare provider as a condition of returning to work. Employers should therefore avoid requiring employees to produce any medical documents in conjunction with a screening questionnaire.

Substance of the questions

Like the other forms of screening, any questions to employees bearing on the likelihood of COVID-19 infection must tie directly to the threat posed by COVID-19. Accordingly, employers should ask only about risk factors that show a strong correlation with COVID-19 infection based on the objective evidence. Otherwise, the employer increases the risk that the questions will be viewed as an impermissible disability-related inquiry under the ADA.

According to the guidance from the EEOC, employers can ask whether the employee has symptoms associated with COVID-19 infection, such as fever, cough, shortness of breath, or sudden loss of smell and taste. Employers may be tempted also to ask whether the employee’s family members in the same home have these symptoms or have been diagnosed with COVID-19. Although this information might be useful in assessing the risk that an employee has COVID-19, employers should avoid asking health questions about family members. The Genetic Information Non-Discrimination Act generally prohibits questions about the health of employees’ family members. Instead, employers should consider asking whether the employee has had close contact (within six feet for any notable period of time) with anyone who has been diagnosed with COVID-19.

Employers also should question employees about whether they have been directed to self-isolate by a public health authority or by a healthcare provider due to potential exposure to COVID-19. Last but not least, employees should be asked whether they have tested positive for COVID-19 or been diagnosed with COVID-19 by a medical professional.

Administering screening questionnaires

To catch potential cases of infection, employers should both ask employees to complete questionnaires regularly and establish an affirmative obligation among employees to inform the employer if the answer to any of the COVID-19-related questions is “yes.” In particular, employers should issue a policy requiring employees to inform the employer promptly if they test positive for, or are diagnosed with, COVID-19 and to stay home. This gives the employer the opportunity to take steps quickly to prevent the infection from spreading in the workplace.

In relying on these policies, employers will have to depend on employees’ honesty in coming forward to divulge potential infection. Employers should make clear that employees have an ethical obligation to notify the employer and avoid infecting others. Also, to encourage disclosure, employers should consider paid incubation and sick leave, even where not required by law.

When implementing questionnaires, human resources departments must not forget other employment-related laws. Companies should compensate hourly workers for their time spent completing the questionnaires. In states that require employers to reimburse employee business expenses, the company may need to pay employees for the use of personal devices to respond to online questions.

Secure Storage and Limitations on Disclosure of Information Obtained From COVID-19 Screening Measures

Secure storage

Crucially, employers must treat documentation relating to the results of all the screening methods discussed in this article as a confidential medical record. The ADA requires employers to maintain the confidentiality of the results of health-related questions and medical exams aimed at determining whether a returning employee constitutes a “direct threat” to the workplace as the result of COVID-19 infection. The ADA also requires that employers maintain these records in a file separate from the personnel file. Only those employees within the company who need the health-related information to combat the threat of COVID-19 in the workplace should have access to the screening results. If the employer uses online systems, for example online questionnaires, it must ensure that the health data is stored and transmitted securely and that the online application incorporates privacy features.

At all points of collecting, storing, transmitting, using, and disclosing the screening results, the employer must carefully safeguard this information. Several states specifically require companies to provide reasonable data security for health data. Many more define individually identifiable health data as sensitive personal information that may trigger data breach notification obligations if accessed or acquired without authorization. Employers should consult with counsel regarding regulators’ guidance on what constitutes “reasonable” data security to reduce the risk of a data breach.

Limitations on disclosure

The ADA generally prohibits employers from sharing the results of a medical examination or a health-related inquiry except in narrow circumstances. The EEOC has addressed one common question related to disclosure by taking the position in its guidance that employers can release the names of employees diagnosed with COVID-19 to health authorities. Internally, only those who need the employee’s diagnosis to prevent the direct threat of COVID-19 to others in the workplace should receive that information. For example, the person in charge of tracing the infected worker’s contacts will need their name. By contrast, the employee’s supervisor could be told only that the infected employee is on leave and not the reason for the leave.

The ADA’s rule prohibiting disclosure in these circumstances presents a conundrum for employers that want to notify people about their potential exposure to COVID-19 but cannot do so without revealing the infected employee’s identity. As an example, a company may want to notify a customer that the technician who visited the customer’s home has tested positive for COVID-19 so that the customer can take precautions. If only one technician visited the customer, informing the customer that a technician may have exposed the customer to COVID-19 necessarily also discloses the identity of the infected technician. In its guidance, the EEOC has recognized that sometimes people will guess the identity of the infected individual. The EEOC advises that, even if the guesses are correct, the company should not confirm the person’s name.

One option to handle situations like that of the technician might seem to be obtaining consent from the infected employees to share their names. The ADA, however, does not list the employee’s consent as one of the narrow exceptions to its rule prohibiting disclosure of the results of employee health inquiries. Nevertheless, after weighing the ADA risk against the risk to others who potentially could take steps to protect themselves with more information, the employer may be willing to rely on the employee’s authorization to disclose the employee’s identity. In that case, the employer should consult with counsel on steps to mitigate the risk of relying on the employee’s consent to the disclosure.

Conclusion

Employers should carefully consider implementing some form of COVID-19 screening program before allowing employees to return to work. When choosing among the wide range of available screening techniques, employers must consider a wide range of legal risks, with privacy and data security risks being chief among them. With careful planning, those risks can be reduced to a manageable level, fostering the first steps towards an eventual return to the “old normal” in the workplace.


See Footnotes

​1 In some jurisdictions, requiring hourly employees to conduct temperature checks on themselves may result in compensable time.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.