COVID-19 has had and will continue to have significant impacts on businesses. While the financial impact is predicted to be substantial and a myriad of employment issues are implicated, privacy and cybersecurity are also important pieces of any pandemic response discussion. These concerns govern how businesses deal with employee, visitor, and customer data, including limitations and considerations around the collection and disclosure of health data relating to the virus.
Many organizations have questions about what data they may collect from employees, visitors, and customers relating to actual or potential exposure to the virus; how to store and protect that data; and to whom the data may and should be disclosed. As an initial matter, data protection laws do not simply go away in a public health crisis. Therefore, organizations need to remain cognizant of the privacy and security obligations that apply to the personal information they have collected. That said, some regulators may relax data privacy obligations and enforcement in the interest of public health. For example, the HHS Office for Civil Rights (OCR) recently announced that it would exercise enforcement discretion and not impose penalties for noncompliance with Health Insurance Portability and Accountability Act (HIPAA) regulatory requirements related to the “good faith” provision of telehealth using non-public facing audio or video communication products during the COVID-19 public health emergency.