The situation surrounding COVID-19 is, to the say the least, fluid and scary. The ultimate outcome of the disruption to the business community is also unclear. There are nonetheless a couple of topics we can talk about right now with some degree of certainty on which businesses may want to focus as we all struggle to deal with the very human toll of this pandemic. One is employee privacy and is addressed in this edition. The cybersecurity topics worthy of immediate attention will be covered in a subsequent blog post.
We start here with the confidentiality obligation of employers regarding information about the health of their employees. If someone on your staff becomes infected, as a general proposition, as the employer, you may not share that information with other employees. The Centers for Disease Control published an Interim Guidance for Businesses and Employers, and stated: “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act.” Since COVID-19 has spread to many different countries, the privacy laws in those countries also need to be considered. For example, the European privacy law – the GDPR – addresses privacy around health data, plus local public health authorities in those countries will have their own protocols to follow.
What Should Employers Do?
One obvious question – is an employer required to report any sick employees to government authorities? Each jurisdiction has its own regulations, but as a general rule, for right now at least, the answer in the U.S. remains no, due to the confidentiality obligation mentioned by the CDC. Most likely, as more individuals are tested and the true nature of the outbreak becomes better understood, it is possible that physicians and medical facilities may be required to make such reports or respond to inquiries from public health officials, but that does not change the current obligation of employers to maintain confidentiality about employee health.
What employers are permitted to do is:
- Circulate a general communication there is a suspected/confirmed case and urge employees to self-quarantine, stay away from the office, be careful about symptoms and obtain care as needed from their medical provider.
- Explain how the company is taking the needed steps to manage the situation. Many companies make reference to the government agencies whose recommendations they are following. At the same time, companies are discouraged from providing links to those agency publications due to the situation being ripe for cyber scammers, a topic we discuss in the cybersecurity post which follows. Nonetheless, companies can and should refer employees to the recommendations of the relevant public health agencies.
- Finally, companies want to designate contact points within the company to whom questions or concerns should be directed. This is often someone in HR, but really more needs to be someone the company is comfortable will keep a level head throughout the situation.
We should be realistic and acknowledge that if someone becomes sick, and those around them are notified, fellow employees may figure out who is the sick person. However, that does not mean the employer should confirm their identity. Rather, the conversation should be directed to what the individual employee should do to take care of themselves and their family.