As a nation, we are still in the midst of a world-changing event. And as we collectively move forward and re-open the country, many of us, if not all of us, will do so with vastly changed perspectives, values, priorities and focuses.
In many ways, it will be a brave new world. But while our perspectives and priorities may be post-COVID-19, the legal and privacy laws that will govern our actions are still tied to a pre-COVID-19 world. One of the earliest and deepest pitfalls awaiting companies upon return is the matter of workplace privacy and data security.
From screening employees for a possible COVID-19 infection before they re-enter the workplace, to maintaining communications throughout the re-opening process and incentivizing collective “good workplace hygiene practices,” every step of engagement could present a legal trap without the right tools and preparation.
Preparing to Return
The first challenge arises before an employee even walks through the door with the question of whether an antibody test, social-distancing training, or other training such as cleaning policies, is a prerequisite to return to work.
Conducting outreach to employees and requesting them to obtain a test or complete pre-defined training regarding new policies can raise a whole host of questions such as:
“Do COVID-19 test results constitute Protected Health Information and if so, how do I collect them remotely in a Health Insurance Portability and Accountability Act (HIPAA) compliant way?”
“Do certain communications regarding return to work requirements or the policies I am communicating run afoul of laws like Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Americans with Disabilities Act (ADA)?”
With respect to the first question, antibody tests may provide a degree of comfort in permitting workers to return to work, but only for an employer that can motivate its employees to obtain the test and enable them to provide results in a manner that doesn’t violate GINA, ADA or HIPAA.
Regarding the ADA, the United States Equal Employment Opportunity Commission (EEOC) issued guidance on COVID-19 testing on April 23. However, the guidance did not address whether antibody testing of employees to identify potentially immune employees would be “job-related and consistent with business necessity,” as required to constitute a permissible medical examination under the ADA. For example, healthy employees who have never been exposed to COVID-19 would be fit for duty but would not possess antibodies. Accordingly, antibody testing alone risks creating a scenario in which only those employees that actually have been infected with COVID-19 and have recovered would qualify to return to work because they have a possible immunity and might not pose a direct threat to the workplace.
Also, the results of an antibody test may constitute Protected Health Information (PHI) when tied to the individual employee if collected by a Covered Entity under HIPAA. The Office for Civil Rights (OCR) has repeatedly reaffirmed that there is no general COVID-19 exception to the HIPAA privacy rules, which generally prohibit health care providers from disclosing PHI about a patient (including their COVID-19 status) to the patient's employer without the patient's authorization or an applicable HIPAA exception. As such, employee consent must be obtained before the test results can be shared with the employer.
Finally, preparing for return to work raises the question of training employees on any policies and practices they need to know before being physically present. Depending on the complexity of the workplace, these policies may be as simple as social distancing and sanitizing practices or may involve complex customer interaction playbooks and rules of engagement that employees need to familiarize themselves with in advance.
The common theme for all of these activities is communicating with employees in a HIPAA-secure manner, incentivizing certain activities such as completing an antibody test for employees that have experienced a known infection, answering health-screening questions for employees with no record of infection and completing training. Platforms such as CaféWell can use multi-modal communications channels, including email, IVR and text campaigns along with rewards programs tied to completing certain activities (what we call Action Cards) so that an employee is trained and prepared to return to work.
Walking in the Door
Upon return to work, the most commonly used screening methods to help maintain wellness and manage risk raise a whole host of legal, privacy and data security implications that can only be managed through efficient use of the right technologies.
As a general rule, testing an employee to determine the presence of a virus would be permissible only if the employer could satisfy the “direct threat” analysis under the ADA. However, in its April 2020 guidance, the EEOC clearly stated that employers “may choose to administer COVID-19 testing to employees before they enter the workplace to determine whether they have [COVID-19]” and clarified that COVID-19 testing of all employees is permissible during the pandemic’s duration. However, while testing is permitted, employers must still limit access to employee medical information to the following circumstances:
- Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations
- First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment
- Government officials investigating compliance with the Family and Medical Leave Act (FMLA), or other pertinent law, shall be provided relevant information upon request
Widespread COVID-19 testing and monitoring of employees will require stringent data security analyses before launching any program.
While employers are not required to use a third-party medical professional or a licensed health care provider to conduct temperature checks (and in fact, should consider not using a third party to conduct temperature checks only), if an employer elects to do so, this triggers HIPAA compliance obligations. Where employers elect to conduct antibody testing, they will likely need to engage a Covered Entity to perform the tests, which will also require HIPAA-compliant authorization and consents from employees.
The use of any employer-focused applications to track employees may trigger unexpected requirements such as providing the appropriate notice, and where necessary, obtaining consent. This would be under laws such as the California Consumer Privacy Act (CCPA), which requires employers to provide employees with a “notice at collection” before collecting their personal information, such as location information. An example of an application like this would be GoSpotCheck. It tracks any COVID-19 symptoms reported by providers and facilitates contact tracing or near-field location tracking solutions that help employers maintain social distancing by sending “alarms” when employees come into close proximity with co-workers. Several states also require consent for geo-tracking. Also, if an employer is tracking employee locations, even where legally prohibited, providing employees with notice preserves positive employee/employer relations.
Another concern is employee mental health, and many employers may elect to offer mindfulness or other mental health-related applications or platforms.
Finally, an employer might be subject to specific regulatory requirements, such as HIPAA, because it is using a Covered Entity as a testing provider. This could also be the case if it is providing tracking information to a Covered Entity, such as its health plan, or using a wellness consumer activation platform such as Welltok to communicate with employees and push them to complete wellness-related tasks. This ensures that all agreements with and processes used by such entities include all “flow down” data security requirements and comply with all applicable data security requirements. For security, employers should look to Health Information Trust Alliance (HITRUST) certified providers.
While data security and technology are major concerns, the single most important factor is employee buy-in. Tracking apps, screening processes, wellness programs, best practice adherence — none of these matter or work if the employee doesn’t download the necessary apps, complete the necessary actions and provide the required consents. That’s why the cornerstone of any return-to-work and safe-at-work plan should be an employee engagement and activation solution that enables employees to provide required information, provides employees with the direction and guidance on what steps they must complete and incentivizes and rewards such actions.
The data and documentation collected will be of the most sensitive nature. The ADA requires employers to maintain the confidentiality of the results of health-related questions and medical exams aimed at determining whether a returning employee constitutes a “direct threat” to the workplace as the result of COVID-19 infection. The ADA also requires that employers maintain these records in a file separate from the personnel file. Only those employees within the company who need the health-related information to combat the threat of COVID-19 in the workplace should have access to the screening results. In addition, the information collected will constitute PHI, subject to the security and safeguards requirements of HIPAA. Accordingly, the employee engagement technology must be both ADA and HIPAA compliant and ideally should be HITRUST-certified.
Employers should carefully consider implementing some form of COVID-19 “Return to Work” program that includes a screening program, employee training and employee engagement to obtain consents before allowing employees to return to work. Upon returning to work, a wellness screening and monitoring program should include both HIPAA-compliant data collection functions along with employee engagement and activation programs that educate employees on steps to take and incentivize such behavior. This can facilitate other required activities such as downloading tracking apps, consenting to necessary disclosures and generally following best practices.
When choosing among the wide range of available techniques, employers must consider the legal risks, with privacy and data security matters chief among them. Partnering with a HIPAA-compliant employee wellness activation and engagement platform can reduce risks to a manageable level and help move a business along the path back to the “old normal” in the workplace.