Protecting Health Data Privacy in the Return to Work

As employees return to their workplaces and consumers begin scheduling appointments with dentists, doctors and salons, new protocols are in place. Temperatures will be taken. There will be questions about health, travel and socialization. Especially in the workplace, this information will be closely monitored. For the majority of workers and consumers, this is the price to pay to restart the economy and resume some regular life activities.

However, this new normal means new steps in protecting health data privacy of employees and customers, said Dan Clarke, President of IntraEdge, a large technology talent, services and training organization.

“As businesses consider re-opening, privacy has to come first,” he said in an email interview. “Whether a business is using a contactless thermometer, temperature check kiosk or an application to manage the return to operations during COVID-19, having access to these results or sharing these results in a public location could be a violation of HIPAA and other privacy laws. Merely saying someone’s temperature out loud and allowing them entry into the building during the pandemic does not exempt a business from HIPAA and privacy laws set in place to protect employees and consumers.”

If an Employee Has COVID-19

First, if someone within the organization or a customer has tested positive for COVID-19, there is natural curiosity surrounding who it is and who should be quarantined. But how much health information should be revealed without infringing on data privacy?

According to law firm Arnold & Porter, employees need to understand that the employer must disclose the information of a positive test to others within the workforce, but there are caveats.

“In California, the employee’s written authorization for certain disclosures may be required,” according to information on the firm’s website. “Even absent such a requirement, keeping the employee informed is prudent and will reduce the likelihood of subsequent complaints.”

Employers cannot reveal any positive test results to customers or contractors beyond saying someone—unnamed—in the organization has tested positive or has been exposed to the virus.

What PHI Can Be Shared?

Normally, asking an employee or customer for personal health information (PHI) would be a violation of any variety of privacy laws. But COVID-19 has brought about unusual circumstances. According to a COVID-19 and the Workplace FAQ from law firm Littler Mendelson, employees can be asked about positive results, whether they have COVID-19 symptoms or have certain health issues that put them at higher risk.

As for those temperature checks, the website stated, “Temperature checks should be reliable, effective, performed consistently, and respect employees’ privacy. For example, all employees entering facilities should be checked only by trained personnel and the results should be treated as confidential.”

Privacy Surrounding Contact Tracing

Many employers are considering contact tracing apps to track the spread of the virus. “App-based contact tracing is appealing and readily capable of this function, but privacy concerns and other legal risks make this a questionable, if desirable, strategy,” said Clarke. “In a pandemic, where the symptoms have quickly shifted and some carriers have been known to be asymptomatic, contact tracking applications are a helpful tool, but in the workplace, employee privacy should always come first.”

Google and Apple claim that their apps take privacy seriously, with most sensitive data stored on the phone instead of the cloud. However, because they aren’t health entities, HIPAA laws don’t apply to contact tracing. “The lack of privacy regulations means that users will have to depend on the goodwill of technology companies to avoid misusing data or violating their privacy,” Carmel Shachar wrote in a Health Affairs article. Congress has discussed a COVID-19 Consumer Data Protection Act, but as of now, nothing has been done to provide real privacy in contact tracing.

Putting a Priority on Privacy

Because this is the new normal and there has been a greater emphasis on data privacy in recent years, organizations have to consider how best to protect their employees’ PHI and to ensure that the technologies being used are not creating another level of risk.

For example, employers should not create new privacy or compliance issues by storing unwanted data or broadcasting information that is protected. Also, said Clarke, make sure the device used to measure and record medical data is actually accurate. “As a best practice, properly vet a solution. Look for hardened elements, prioritizing user data with a solution that does not store information on the device, and most importantly, allow the end user the ability to access their data and control what data elements can be accessed by another party or deleted altogether.”

The pandemic has changed a lot surrounding the privacy of health information, but privacy still matters. Data privacy policies don’t need to be rewritten, but organizations should take care to ensure that even minor things such as temperature checks are kept confidential and not able to be used against the employee or the organization should a data breach occur.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.