May 29, 2020
Your company is preparing for a return to the workplace, but you still have a lot of questions. How do you test and screen employees for COVID-19 without running afoul of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Occupational Safety and Health Administration (OSHA) regulations, the Americans With Disabilities Act, the Equal Employment Opportunity Commission, and privacy and data protection standards?
I recently interviewed three legal experts for the Prevention Podcast, and here's a summary of their legal opinions regarding these questions.
QUESTION: Employers are curious to know if they can take temperatures, and if they can and should store this type of information. Where does the legal community generally fall on these questions today?
EHRLICH: Employers are permitted to take employees' temperatures, and they're permitted to prohibit employees who have a fever of 100.4 degrees Fahrenheit or higher from entering the workplace. And fortunately, we've had guidance on that from the EEOC and the CDC early on during the pandemic. The big question we've been getting lately is, can I test my employee for COVID before I allow them to enter the workplace? And fortunately, just recently on April 23rd, the EEOC updated its guidance, explaining that employers can screen employees for COVID-19. And so the legal question here comes out because under the ADA, any mandatory medical test is required to be job-related and consistent with the business necessity. But here, when you apply these circumstances to the COVID-19 pandemic situation, the EEOC is saying, look, employers can undertake this type of testing because the virus poses a direct threat to the health of my employees.
So yes, employers may administer the COVID-19 testing, but what I'm telling my clients, at least with regard to my area right now, and much of the country, because rapid results COVID-19 testing is not so widely available for most locations, I really think that the best course of action right now is a fever test. And then if and when the COVID testing becomes more readily available, they can utilize it.
MURRAY: What I've been telling employers is to make a decision that makes sense for their workplace, document why they made that decision, how they made that decision, and update those decisions frequently so that if somebody comes and says, "Why did you or why didn't you test back in May or June of 2020," you've got a short memo to the file that says, "I checked the CDC website, I checked my state and local issues, I talked to this test provider, I examined my workplace and decided to do this, or not to do this and why, and to update it." So I think testing is a component of an overall workplace safety program, but we all have to make sure that we don't fall into the trap that it's a be-all and end-all in a workplace safety program.
QUESTION: What about the idea of self-attesting that you're symptom-free? That seems like a pretty low bar to me. Pretty easy lift under the current guidelines, correct?
EHRLICH: Oh, absolutely. There's no impediment whatsoever with requiring employees to self-test and to stay home and to advise that they're not permitted to come to the office if they have any type of fever. Now, that being said, the CDC has advised that, particularly with the coronavirus, individuals can have the virus and not experience any symptoms for a certain period of time before they have any fever. So it's not always a foolproof method for preventing exposure in the workplace, which is why other steps should be taken as well.
QUESTION: A lot of non-healthcare companies are anxious about running afoul of HIPAA. Now my understanding, and I'm not a lawyer, is that healthcare communications between employers and employees are not governed by the HIPAA privacy rule, which would not apply if, for example, an employee tells their employer they've contracted COVID-19, or are self-isolating, because they are displaying some symptoms of COVID-19. So Brooke Ehrlich, where am I going wrong here in terms of HIPAA?
EHRLICH: Well, actually, you're not far off, Dan. So just for background, HIPAA establishes the primary federal legal regime concerning health information privacy, as we know. But it doesn't apply in all situations, and it's often overused, or assumed to apply in all situations with regard to medical records. At its core, the HIPAA privacy rule basically restricts the use and disclosure of individually identifiable health information, and health plans, covered healthcare providers and other healthcare providers are considered covered entities and are required to comply with HIPAA, and this is what you mentioned. Now, business associates of these covered entities, which either create or receive HIPAA protected information in the course of performing their functions, are also subject to many of HIPAA's requirements. So this is how we get HIPAA potentially extending to the employment setting.
It does apply to employer-sponsored group health care plans. So this means that, say you have an employee in a legal department, for example, and they inform their supervisor that they had a positive COVID-19 test. HIPAA doesn't generally apply to that communication. However, if the employer learns about the positive tests from someone in HR who has responsibility related to the group health insurance plan, and they discovered the information while performing those responsibilities, HIPAA will apply, and should restrict the use and disclosure of the information regarding the positive COVID-19 test results that I'm talking about here. So to the extent that HIPAA applies, the employer is prohibited from disclosing individually identifiable health information directly to other employees without a HIPAA compliant authorization.
HUBBARD: HIPAA's a very specific federal law concerning the protection, privacy, and security of protected health information in the context of the health care setting. And while it may, in some instances, touch upon employers, for example, if they're a third party, if they administer their plan, generally speaking, HIPAA does not apply to employment records, even if the employer itself is a covered entity. So again, I think that that general confusion that you speak of regarding, when does HIPAA apply, that's because HIPAA's not well understood, and it's kind of become the generic term for medical privacy. So when somebody suggests that this information needs to be shared, the response is "No, no, no, you can't have that. It's HIPAA."
Although in this context for employment records, there is no HIPAA liability, employers need to be aware of their privacy obligations when they're collecting an employee's health-related information. So for example, under HIPAA as an individual, I can tell anybody about my protected health information, I'm allowed to do that. So that is a permitted disclosure, even as HIPAA applied. But again, looking to other laws that apply to employers, one that comes to mind is the Americans with Disabilities Act, the federal law that applies to employers with 15 or more employees, and it requires an employer obtaining information related to an employee's disability in a confidential medical record.
QUESTION: How are you explaining COVID-19 related OSHA requirements today?
HUBBARD: I think that the injury and illness record keeping guidance that you referenced is a great example of the evolving nature of COVID-19, and how agency guidance is rapidly changing to try and keep up. So the current enforcement guidance, which you were referencing, was issued just last month. And if we think back to about mid-April, which now seems like a lifetime ago, most of the country was under stay-at-home orders, and healthcare workers, first responders and workers in correctional institutions were identified as at high risk for exposure. And so that's kind of the context at which that guidance was issued. And then for everyone else, all the other employers who are subject to the record keeping requirements under OSHA where they have to maintain an OSHA 300 log only need to undertake that work-related assessment if there was objective evidence that the case may be work related.
So fast forward just a couple of days ago, OSHA has issued a new enforcement guidance that will take effect on May 26. And under this new guidance, all employers are subject to the record keeping requirements to assess whether the employee's case is work-related. So just to back up a step before delving into a little bit more detail, it's important to keep in mind that not all employers are required to maintain OSHA 300 logs. So many employers who have 10 or fewer employees, or are in an industry that OSHA has identified as a low risk industry, don't have an obligation to maintain those logs as a matter of course. If OSHA or the Bureau of Labor Statistics asks the employer in writing to maintain those logs, they would then have that obligation. But otherwise, those employers are exempt from this requirement.
QUESTION: Do you expect to see employees who might be working for an employer who's not, in their opinion, taking the necessary steps to protect them, to start raising the duty of care issue?
HUBBARD: Absolutely. And so again, I think that if you take a look at OSHA's enforcement page, they have seen an uptick in OSHA complaints, complaining that the workplace is not safe, and that they're concerned their employer's not doing enough to protect them. So I think that aside from looking at just the general duty clause, an employer also has to understand and be aware of its other obligations under existing OSHA standards that may apply. And in addition to the injury and illness record keeping standard we talked about, the PPE standard, the HazCom standard and the sanitation standard also may apply.
And so an employer wants to make sure that its program is OSHA-compliant, that it has looked at and identified the hazards, that it has set up policies and procedures in place, and it has explained those to employees so that they understand the steps the employer is taking to help keep the workplace safe.
QUESTION: From a privacy and security aspect, how should companies think about alerting the rest of the workforce that perhaps a coworker has either been diagnosed, or is self-isolating due to the symptoms?
EHRLICH: I think with regard to the first issue, which is what steps should companies be taking with regard to contact tracing, once they find out that they have an employee who has a positive COVID diagnosis, what should they do? And I do think that employers should have an obligation to notify other employees in the workforce regarding that diagnosis. But it kind of has to be dependent upon the employer and what is reasonable for their circumstances. If you have a very large organization with multiple satellite operations and multiple satellite offices, and you have an employee in one of those offices that is diagnosed, there may not be a need for you to notify the entirety of the organization.
I think that employers can do this by simply saying, through a communication, that there has been an employee that has been diagnosed, that other than those specific individuals who have been spoken to individually, which I think I've mentioned earlier, those people who are within the six feet diameter within a period of 10 minutes or more, those people need to be notified that they had an exposure.
MURRAY: And in terms of telling folks the contact tracing you mentioned, Dan, the real contact tracing that the CDC and public local and state public health officials are doing is not something most employers should be involved in. It requires people with training, supervision and access to social and medical support for patients in contact. So that's not what most employers are doing. What they're doing is exactly what Brooke said, touch base with the person who reports that they've tested positive, see if that person has had close contact with other employees, and work from there. But don't take on the role of public health officials, but be in a position where you can credibly say to your employees, "Now that somebody has tested positive, we're going to do the following steps, in addition to all the steps that we have been doing, and we were ready for this."