During and even after this pandemic, it’s important for employers and businesses to know how to deal with employee privacy issues while still protecting other employees. It’s a balancing act between respecting employee privacy rights and the pressure to keep other employees safe.

Once the word spreads that someone is either symptomatic or confirmed to have COVID-19, rumors will begin to circulate. When employees come to you for verification, tell them only what is allowed: medical information of a confirmed or suspected case, without any additional information, including the infected employee’s name.

Government Guidance

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued a bulletin in the wake of the coronavirus outbreak. It reminds companies that the HIPAA Privacy Rule applies only to “covered entities” (health plans, health care clearinghouses and those health care providers that conduct covered health care transactions electronically) and their “business associates” (entities that perform certain functions, activities or services on behalf of covered entities).

While emphasizing that “the protections of the Privacy Rule are not set aside during an emergency,” OCR reiterated that the Privacy Rule does permit covered entities to disclose protected health information without individual authorization to a public health authority, to a foreign government agency and to persons at risk, all under certain conditions.

The Equal Employment Opportunity Commission (EEOC) offers some guidance on workplace privacy issues during a pandemic in a preparedness resource that addresses the scope and applicability of the Americans with Disabilities Act. This states that during a pandemic, employers may ask employees if they are experiencing flu-like symptoms, but employers “must maintain all information about employee illness as a confidential medical record in compliance with the ADA.”

What to Do If an Employee Tests Positive

If you have an employee who tests positive for COVID-19, you should notify their coworkers. Do not reveal the employee’s name or other information that might identify them. Limit notifications to coworkers and possibly to customers who have a legitimate reason for concern for their own health.

Inform employees and those in close contact with the COVID-19 positive employee that there is a positive case among the employees and advise them to be vigilant in monitoring their own health. If asked who the coworker is, don’t confirm or deny anything except to say there is a positive case. Remind them that medical information is private and you must respect their colleague’s rights.

If an employee has unconfirmed symptoms, or notifies you that they are experiencing coronavirus signs, your response should be the same as if they tested positive. There may be a wait for confirmation, so it's important to be vigilant.

Balancing Employee Privacy and Safety for the Long-Term

Lastly, you should amend your employee handbooks to include internal policies for the effects of a virus pandemic in the workplace. This should include a policy on collection of data and any laws or regulations that may apply.

If you have any questions about these issues, you should contact your attorney for additional guidance.