In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy and be prepared to adequately and appropriately respond to privacy concerns, requests for information, and understand the basic expectations of how and when personal information can be used without consent.
While the current environment demands flexibility and responsiveness, and not all-personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs the sharing of protected health information (PHI). During an emergency, covered entities (healthcare providers, payers, or clearinghouses), their business associates, and their employees must ensure that they understand their HIPAA compliance responsibilities and take reasonable measures to prevent the unauthorized use and disclosures of patient information by using administrative, physical and technical safeguards.
In response to the COVID-19 outbreak, the Office of Civil Rights at the United States Department of Health and Human Services recently provided guidance to those HIPAA covered entities as to the circumstances when PHI can be shared, the parameters in which it can be shared, and with whom it can be shared. When a disclosure to outside parties is required, a covered entity must make reasonable efforts to disclose the “minimum necessary” to accomplish the purpose. The Department has also made available the HIPAA Decision Making Tool to assist covered entities, individuals and agencies in ensuring HIPAA compliance.
Without a patient providing consent to the disclosure, a covered entity may share PHI:
- For treatment of that patient or another patient, which includes coordination of health care and related services by health care providers, consultations between providers and the referral of patients for treatment;
- With a public health authority (such as the Center for Disease Control (CDC) or a state or local health department) for the purpose of preventing or controlling disease, injury or disability;
- With persons at risk of contracting or spreading the disease as necessary to prevent the spread of the disease or to carry out public health interventions or investigations, as authorized by other law; and
- With a patient’s family, friends or other individuals involved in that patient’s care.
Further, covered entities may share PHI with anyone necessary to prevent serious and imminent threat to a person or the public so long as it is consistent with applicable law and in accordance with the provider’s standard of ethical conduct. In determining the severity and nature of the threat, HIPAA expressly defers to the provider’s professional judgment.
Generally, disclosures to the media or the public of information regarding an identifiable patient, their course of treatment or illness cannot be done without the patient’s written consent. Otherwise, the covered entity may acknowledge, upon request by name, that a certain individual is a patient at the health care facility and provide their general condition (critical or stable, treated, released or deceased), so long as the patient has not objected to or restricted the release of that information.
Equal Employment Opportunity Commission (EEOC) and Americans with Disabilities Act (ADA)
The ADA protects employees from disability discrimination and provides safeguards for employees’ medical information and privacy. The EEOC has provided guidance as to how the protections of the ADA applies in light of a pandemic. Under the Act, an employer is limited in asking disability-related questions and requiring physical examinations during employment unless the inquiries are job-related and are consistent with a business necessity, meaning that the employer believes the employee is not able to perform an essential job function or that the employee poses a direct threat.
In determining whether an employee poses a direct threat during the COVID-19 outbreak, employers must base their evaluations on objective, not subjective, perceptions or irrational fears. Furthermore, employers should rely on the most recent guidance of the CDC and state and local public health agencies for the most up to date public health recommendations and advice in evaluating whether the situation rises to a direct threat. IMPORTANT: Part of this reasonable reliance includes using reputable and trusted resources and sites for such information. Employers should ensure they are seeking qualified counsel on such matters and be wary of bogus or unsubstantiated information online and being shared through social media.
The ADA allows employers to send employees home if that employee is ill with symptoms of COVID-19, ask employees whether they are experiencing COVID-19 symptoms, and encourage employees to work remotely in an effort to control the spread of the virus. If an employer discovers an employee or their relations has tested positive for COVID-19, the employer may inform their staff that another worker has become infected, but may not provide that individual’s name or information that would otherwise identify them. Further, any medical information that is collected about employees must be kept confidential and stored separate from their personnel file.
General Data Protection Regulation (GDPR)
The GDPR prohibits the collection of health data except when “processing is necessary for reasons of public interest in the area of public health.” Many European Union Countries and the United Kingdom have provided guidance for sharing health care information under the GDPR in light of the COVID-19 outbreak.
Similarly as their U.S. counterparts under HIPAA or the ADA, employers may share with personnel that an individual has been infected with COVID-19 at the organization, but may not share that person’s name or identify them. Businesses may inquire with their employees and visitors about whether they are experiencing COVID-19 symptoms or have recently traveled to a particular country, but the amount of information requested and collected should be proportionate and guided by the appropriate authorities in light of protecting the health of the individuals in the organization. If requested by a government health authority, this information may also be shared with that agency without receiving prior consent from the individual.
Best Practices
Again, regardless of industry or particular regulations, there remain tried and true best practices when it comes to using personal information. As businesses, individuals and agencies continue to navigate how to respond during this pandemic; each entity needs to continue to follow best practices in protecting their employees’ and customers’ privacy, while also understanding what and how information can be disclosed.
Notice. Whenever possible, provide individuals notice of the personal information you require or are processing and the purposes for such processing.
Consent. When possible, get verifiable acknowledgement of your notice and the individual’s consent to the use of their information.
Minimum Necessary Principle. In all uses of personal information, regardless of emergency or not, always collect, process, store and share the minimum amount of personal information necessary to fulfill the purpose for which it was collected in the first place.
Limited Use Principle. Relatedly, limit the uses of all personal information to the purposes for which it was collected and demand your employees, service providers and any third parties to do the same.
Security. You cannot promise privacy without ensuring security is in place to protect the confidentiality, accessibility and integrity of the data. Businesses should always employ administrative, physical and technical safeguards to keep confidential information secure and to prevent unauthorized use and disclosure. Employees should be trained and held accountable for any information security policies to which they are subject. Awareness updates should be provided to keep employees aware of emerging threats, including those that come with working remotely. Lastly, when the use of personal information is no longer required, secure methods of data return or destruction should be followed and documented.
While concern for the health and safety of our employees, colleagues, customers and others is important and should be paramount, businesses can also show a respect for those individuals by properly handling their personal information in all times, not just times of crisis. Adopting best practices and complying with applicable regulatory frameworks as part of a company-wide privacy and security program can help any company manage such risks, while showing respect and appreciation for privacy.
If you have questions or concerns related to these or any other issues impacting your business, please contact a member of Taft’s Privacy & Data Security Practice Group.