As companies across the country are preparing to reopen their brick-and-mortar office and retail locations, corporate executives are weighing the pros and cons of a broad range of COVID-19 risk mitigation measures.
Screening for symptoms and routine temperature monitoring have been formally recommended by government medical officials affiliated with the White House, Center for Disease Control and Prevention (CDC), and the Equal Employment Opportunity Commission (EEOC). Certain state jurisdictions have gone so far as to mandate that businesses regularly check their entire staffs’ temperatures—such as in Colorado, where specified essential and non-essential entities are required by law to conduct daily temperature and symptom monitoring.
There are a variety of ways in which temperature and symptom screening policies can be implemented in the corporate setting. Employers may require that their staff check their temperatures at their own residence, assign one or more of their employees to perform in-office screenings, or implement a computerized, no-contact system for gathering health data including infrared scanners, facial recognition in conjunction with thermal scanning mechanisms, and wearable technology such as watches and comparable sensory devices that can be synched with mobile apps.
These technologies offer a modicum of convenience and efficiency regarding tracking staff members’ health status and can be a useful tool in controlling the spread of the coronavirus as business operations get back on track. However, corporate leaders should keep in mind that aggregating personal data has the potential for raising privacy obligations on their organizations’ behalf given the sensitive nature of the information.
The degree to which your organization reduces the total amount of sensitive health data it aggregates and stores internally will proportionately cut back on the associated risk of data breach and privacy statute compliance issues. This principle holds true both on a domestic and global scale. Below is a sampling of the legal obligations your company may incur depending on the location of the employees at issue and the specific health screening policy you choose to follow:
Health Information Portability and Accountability Act (HIPAA)
HIPAA does not impose further obligations on corporations conducting COVID-19 health screenings as the scope of employers’ HIPAA obligations typically only extend to covered health plans
Americans With Disabilities Act (ADA)
The ADA expressly prevents employers from conducting inquiries related to an individual’s disabilities or mandating medical exams of employees. Although, the EEOC recently announced that employers are allowed to conduct temperature and symptom screenings, as long as they are directly tied to COVID-19 mitigation efforts. Additionally, the ADA has stringent rules for protecting the identity of any worker who tests positive for the coronavirus.
Both the FTC Act and the CCPA for organizations operating primarily in California mandate that corporations’ privacy disclosure documents have a certain degree of transparency regarding the type of personal info that is being aggregated, and how it will subsequently be utilized and shared with external entities. The CCPA can also provide employees with the power to request that they be granted access to their data or that it be deleted from the corporate database.
All state jurisdictions in the United States have put into effect stringent data breach notification laws that, based on the specific circumstances surrounding the incident, may require a corporation to provide formal notification to customers, third-party affiliates, and governmental authorities in the event of a data breach. The reporting guidelines are premised on the sensitivity of the associated data, and personally identifiable medical data tops the sensitivity scale.
Furthermore, if temperature screening is implemented via the use of camera or facial recognition devices, companies must ensure the appropriate disclosures have been completed and consent is obtained in advance of the mitigation polices being put into place. Although body temperature readings by themselves are not classified as biometric data, face scans and fingerprints do meet that threshold. Accordingly, there are multiple state-specific laws governing the usage of biometrics—most notably the California Consumer Privacy Act (CCPA) and the Illinois Biometric Privacy Act (BIPA). Both have hefty fines for non-compliance and require certain private corporate entities that collect, store or disclose health biometric data to follow strict guidelines regarding consent and usage parameters.
For corporations that utilize external third-party services to conduct health screenings—to include mobile technology applications developed by third parties—it is essential to conduct a thorough review of any existing agreements in order to ensure adequate privacy and security protective measures are implemented. Additionally, a health data retain in-house should have updated hacking prevention measures in place to safeguard the sensitive information.