Next to privacy, the most probed topic around Safe Entry is HIPAA and employee data best practices. It makes sense, particularly given the new uses for biometrics and passive health screening due to COVID concerns.
InReality jumped into these waters early by enabling temperature screening, so this is terrain we’re comfortable covering. Here’s a quick rundown of the basics we’ve gleaned to help you better navigate the topic with your customers.
Is it legal to take employee temperatures, ask them questions about their health and force them to take a COVID-19 test?
Under normal circumstances, the Americans with Disabilities Act says no. However, the Equal Employment Opportunity Commission (EEOC) paved the way to take these actions during the pandemic. The Commission states that employers can indeed require these types of screening methods before allowing workers in because of the risks the pandemic poses to every employee’s health and safety.
Does it trigger protection under the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA is a set of standards built to protect against the unauthorized disclosure of sensitive and individually identifiable Protected Health Information (PHI). HIPAA only applies to what they consider a ‘covered entity’, most often companies such as healthcare providers, healthcare clearinghouses and associates of these groups that need access to employee health insurance data.
Most employers are considered “non-covered” entities. Even if an employer provides healthcare coverage to its staff, it is the responsibility of the insurance company to ensure data security and HIPAA compliance. The only time an employer needs to worry about it is in relation to requesting access to medical records for workers’ compensation claims, etc.
Doing an employee temperature scan or asking COVID-related health questions does not infringe on HIPAA unless the employer receives the information in connection with the company that manages their group health plan—as in, they send the employee results to the insurance group. But how the info is used and disclosed could trigger other privacy sensitivities. If an employee feels that a question or scan created an infringement to their person in the manner in which it was handled, that perception could prompt a legal grey quagmire.
Let’s put this into context. There’s a line of employees coming into the building and one person’s temperature is 102 degrees. They take a temp scan and the result is publicly displayed to all the people around them. Word gets out that so-and-so has COVID and everyone in line that morning is now at risk.
Our person with the hot scan could have just jogged across a 100-degree parking lot and just needed a minute to cool down…but now the office gossip mill is running amuck. See the issue? They could claim that their privacy was infringed upon and take it to court, and there’s no precedence for protection. This is why we created the mobile app. Discretion will often be required, even if the legal guidelines don’t make it crystal clear.
What are the most important screening questions to ask?
It’s important to be able to specify the questions that the company’s HR and Legal teams feel are necessary while also ensuring that they can change them as needed. Regardless of the final list, if there’s a Q&A Screening involved, the bare minimum is to confirm—with a specified compliance trail—that each person:
- Does not have COVID-19
- Hasn’t been exposed to COVID-19 in the 14-day period prior to return to the office
- Does not have anyone in their home who has, or has been exposed to, COVID-19 in the prior 14-day period.
What steps should my customers take to secure the employee health information that may be collected?
We lean on Davis & Gilbert to answer this question and share a deeper dive on the topic via the link at the end of this piece. The short answer is that a company’s information security practices need to be revisited. They are collecting new information and they need to share what it is and how they are gathering it.
For example, if temperatures are recorded at the reception desk by a company employee, there needs to be a system and process to ensure such information is properly recorded, access is strictly limited only to those with a need to know and the information is stored in a secure system.
What about people in California? Any special considerations under the new California Consumer Privacy Act (CCPA)?
Most certainly. Companies subject to the CCPA have to disclose the categories of personal information to be collected and the purpose that it’s being collected or used for before the point of collection. The best method to do so is within a detailed written protocol summarizing back-to-work procedures. Make sure it is presented, understood clearly and accepted in writing by each employee, expressly permitting the employer to temperature check and asking relevant COVID-19 related health questions.
While the guidance shared here is accurate to the best of our knowledge today, it’s essential to work with seasoned legal resources and keep a close watch on federal, state and local updates that may affect things for you and your customers. For more detailed information from Davis & Gilbert, our legal resource for all things Safe Space, see their FAQ on Planning for Safe Employee Re-Entry here: https://www.dglaw.com/images_user/newsalerts/LaborEmp_Planning_for_Safe_Employee_Re-Entry.pdf
InReality’s Learning Center is committed to sharing important guidance to help the industry navigate the complexities of the ever-evolving Safe Space landscape. The information shared is informed by experience working with many constituents and stakeholders. If you have a topic you would like addressed, please submit it to Laura Davis-Taylor at email@example.com for consideration.