COVID-19 has had and will continue to have significant impacts on businesses. While the financial impact is predicted to be substantial and a myriad of employment issues are implicated, privacy and cybersecurity are also important pieces of any pandemic response discussion. These concerns govern how businesses deal with employee, visitor, and customer data, including limitations and considerations around the collection and disclosure of health data relating to the virus.
Many organizations have questions about what data they may collect from employees, visitors, and customers relating to actual or potential exposure to the virus; how to store and protect that data; and to whom the data may and should be disclosed. As an initial matter, data protection laws do not simply go away in a public health crisis. Therefore, organizations need to remain cognizant of the privacy and security obligations to which personal information they have collected is subject. That said, some regulators may relax data privacy obligations and enforcement in the interest of public health. For example, the HHS Office for Civil Rights (OCR) recently announced that it would exercise enforcement discretion and not impose penalties for noncompliance with Health Insurance Portability and Accountability Act (HIPAA) regulatory requirements related to the “good faith” provision of telehealth using non-public facing audio or video communication products during the COVID-19 public health emergency.
One of the most pressing privacy issues for businesses related to COVID-19 pertains to the collection and potential disclosure to government agencies of screening, testing, and diagnostic information. While the U.S. does not yet have a comprehensive federal data protection regime, federal sector-specific and emerging state laws, as well as industry best practices, provide guidance on these issues. As a general matter, it is not advisable for organizations to collect more personal information – particularly sensitive information – than is needed for valid business purposes or as otherwise required by law. In the case of a public health crisis like this one, business priorities often shift to incorporate considerations around public health, and the collection of personal information should be balanced against those objectives. In certain circumstances, it may become necessary for a business to collect personal information it had not previously collected in order to protect its employees and customers. For example, when organizations screen visitors who enter their premises, it may be unnecessary to retain and use that information beyond the visitor screening process. Collecting and retaining more information than is needed will expose an organization to unnecessary liability or to competing obligations to comply with government or other third-party requests for information. Organizations should develop clear procedures around what information is collected from employees, visitors, and others, and how that information is protected.
In terms of disclosure, privacy laws in the U.S. generally limit the sharing of personal information – particularly health information – but certain exceptions may apply. Federal and state data privacy laws typically provide exceptions for the disclosure of personal information necessary to comply with other laws or valid requests from government entities. However, those exceptions also may require the government entity request to satisfy specific conditions. For example, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020 and protects the personal information of California residents, permits disclosure to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Cal. Civ. Code 1787.145(a)(2). The Illinois Biometric Information Privacy Act (BIPA) – which has made news over the past few years for high-profile class action litigation over alleged violations of the law – contains a similar exception. See 740 ILCS 14/15(d) (“No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless . . . (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.”).
HIPAA also provides for disclosure in similar circumstances, and specifically permits disclosure for public health purposes. As reiterated in a February bulletin issued by OCR entitled “HIPAA Privacy and Novel Coronavirus,” the HIPAA Privacy Rule protects the privacy of patients’ “protected health information” (PHI) but is balanced to ensure that appropriate uses and disclosures of PHI may be made when necessary to treat a patient, to protect public health, and for other essential purposes. For example, the Privacy Rule permits covered entities (health plans, health care clearinghouses, and health care providers that conduct certain covered transactions, like submission of claims) to disclose PHI, without authorization, to public health authorities that are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability, such as state and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), and the Occupational Safety and Health Administration (OSHA). See 45 CFR § 164.512(b)(1)(i). In the February bulletin, OCR added that “a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
Thus, in general, state laws (and, to the extent applicable, federal law and guidance) in this space obligate or permit health care providers to report positive diagnoses of communicable diseases to appropriate public health agencies. However, they typically place no such express permission or obligation on private entities outside the health care sector. And while businesses may want to provide as much information as possible to government agencies to ostensibly contribute to the public health, such disclosures may not be necessary, and are not without risk.
In addition, generally accepted tenets of data privacy law dictate that, barring consent from the individual, any disclosure of personal information should be reasonably limited to the minimum amount of information necessary, and disclosed only to those that have a need to know the information. PHI is no exception to these standards (“Generally, covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual’s authorization, or for disclosures that are required by other law.”). See Disclosures for Public Health Activities; 45 CFR 164.502(b).
The CDC has also issued guidance regarding employers’ response to the coronavirus, directing businesses to coordinate with public health authorities.
Finally, before making any disclosures, companies should also refer to their privacy policies, many of which may have been recently revised based on the effective date of the CCPA. Many employee and public-facing/consumer privacy policies contain exceptions for complying with federal and state law. Understanding an organization’s public-facing disclosures before disseminating any personal information – especially sensitive information like PHI – is a fundamental part of any risk analysis.
Assisting the public effort to stem the spread of COVID-19 is admirable and important, but must be thoughtfully done. While disclosures to public health authorities may be appropriate, disclosures to other government officials or other potentially affected employees raise significant privacy concerns. Businesses must be prepared for difficult decisions and must understand the risk involved in any disclosure of private information as this pandemic evolves.
For further information, please see our Coronavirus (COVID-19) Resource Center or reach out to the Reed Smith Coronavirus Data Privacy Team. We continue to track global developments related to data protection and COVID-19.
Client Alert 2020-118