The outbreak of the novel coronavirus (COVID-19) presents challenging medical privacy issues for employers. Employers must observe their employees’ continued legal right to privacy—including under the Americans with Disabilities Act (ADA), HIPAA, and/or relevant state and local laws—while maintaining a safe and healthy workplace. Below are some privacy guidelines for employers to consider with respect to the coronavirus outbreak.

Medical Privacy Obligations Under the ADA

The ADA and similar state and local laws prohibit discrimination against individuals with disabilities or perceived disabilities, and provide employees with guaranteed rights to medical privacy. Although COVID-19 is thought to be a temporary illness rather than a disability, it likely implicates anti-discrimination laws due to the possibility for resulting discrimination. Thus, employers should continue to abide by the ADA’s privacy obligations.

The ADA restricts employers from inquiring about employees’ medical history and specific medical conditions. The law also regulates when employers may request medical examinations of their employees.

However, the coronavirus outbreak understandably raises new questions for employers. For example, how much information can an employer seek from an employee who shows signs of illness or calls in sick? Can employers tell their workforce if they learn that an individual has been infected? Can employers require individuals who were in potential contact with an infected employee to stay home or be tested for the illness?

Fortunately, the Equal Employment Opportunity Commission (EEOC) maintains specialized guidelines for an influenza pandemic, which provides direction on how employers can avoid violating the ADA while taking precautions to keep their workforce healthy. In relevant part, employers are permitted to:

• Ask employees if they are experiencing influenza-like symptoms, which is described as fever or chills and a cough or sore throat;
• Send employees home if they are exhibiting “influenza-like symptoms;
• Ask employees about exposure to pandemic influenza if they are returning from travel to an area specified as at-risk by the CDC.
  
  However, employers must still keep information confidential and private, ensuring they:
• Maintain any medical information obtained from their employees as a confidential medical record, separate from their standard personnel file;
• Limit inquires to actual symptoms of illness or risk of exposure;
• Do not ask their employees if they have a medical condition that would make them more susceptible to the virus.

Moreover, if an employee is confirmed to have contracted COVID-19, the CDC also specifically instructs that companies inform fellow employees of their potential exposure to the virus. However, they must still remain mindful of the individual’s medical privacy and maintain confidentiality.

HIPAA Privacy

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to protect individuals’ medical records and other personal health information. Generally, covered entities only include health plans and healthcare providers. However, this may also implicate employers if they learn of medical information, conditions, or diagnoses regarding their employees through a covered health plan. Thus, in an abundance of caution, employers should treat all employee medical information, such as the identity of infected individuals, as confidential with the protections afforded by HIPAA.

Nonetheless, the U.S. Department of Health and Human Services has advised that covered entities may sometimes disclose confidential medical information to a public health authority that is working in its capacity to ensure public health and safety. In such cases, the disclosure should be limited, tailored to accomplish the purpose of the request. This may permit covered entities and employers to inform the CDC of otherwise private medical information regarding employees when the disclosure is necessary.

Navigating employee privacy in the face of a global pandemic is challenging. The guidelines above permit employers to ask narrowly tailored questions, and encourage their workers to seek medical attention or go home if they are exhibiting signs of illness. However, employers must be careful to handle all medical information in a manner that is consistent with the ADA, HIPAA, and relevant local and state laws, including limiting the focus of inquiries and preserving confidential medical information to the extent possible.