The balance between employee health and privacy rights is difficult to strike, especially at a time when organizations are making critical decisions based on health-related information.
Collecting and sharing information is necessary but must be done with employees' privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws, says Christine Lyon, privacy partner at Morrison-Forrester LLP. What health-related inquiries are acceptable? Can employers require a doctor's note or medical exams?
"The interesting aspect of this is there aren't straight-line answers," Lyon explains. "Even legal analysis changes as the facts evolve." As an example, Lyon points to the increasingly common question of whether businesses can take temperatures at work. This typically is considered a medical exam and is prohibited under the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) states in guidance related to pandemics.
However, as COVID-19 continues to spread across the United States, the Center for Disease Control (CDC) has begun to recommend employers take temperatures. Daily "health checks," which include screening for temperature and respiratory symptoms, have been encouraged in CDC guidance for Santa Clara County, California, and Seattle-King, Pierce, and Snohomish counties, Washington.
"It's challenging for employers because there's no clear-cut answer," Lyon says. The CDC may recommend taking temperatures but doesn't suggest what to do if someone has a fever. It's one of many areas in which businesses should proceed with caution. If an office visitor has a high temperature, the company likely would not turn that person away. Instead, she says, it would likely call the person the visitor had planned to meet and say they'll schedule a phone call.
"Keep as much confidentiality as possible," she says. "What is the information that we really need to know?" This concept, she says, also applies to storing health-related information. Many employers are collecting minimal health data, including the temperatures they record. If you're keeping temperature data, it's considered a medical record and confidentiality rules will apply.
Privacy rules and regulations differ by company, industry, and state. As a result, it's difficult to provide detailed guidance on what employers should do. Modern privacy and data protection laws, like the European Union's General Data Protection Regulation and the California Consumer Privacy Act, don't prevent businesses from recording certain information, says Bart Willemsen, research vice president at Gartner. For example, employers must record data necessary to determine if salaries are being paid, or information related to the workspace physician providing treatment to an employee. However, health-related data must be treated differently.
The Do's and Don'ts of Health-Related Questions
"Health information is information of a sensitive nature, a special category of data," Willemsen continues. "Every person has the right to not share such information — but they can share metadata." Employers can collect data related to insurance payment (for example, if something happens in the workplace). They can also record employees' adjusted work environments, if they start to work remotely. But employers are not doctors, he emphasizes, and they should not assume the position of collecting detailed health data unless under specific circumstances.
So, what can employers ask their employees to ensure a safe workplace without violating privacy rules? Lyon says it's "generally fine" to ask if they have been experiencing cold or flulike symptoms, especially if there is a pandemic. The CDC states employees who fall ill with flulike symptoms during a pandemic should leave the workplace. Companies can ask about the expected duration of absence if an employee calls out sick; however, they can't ask why.
"Though it's important to know how long an employee may be absent, it is not for the employer to inquire in detail after why that absence is a fact," Willemsen adds. People do not have to share the details of their illness unless it has direct influence on their job function (for example, if they are a healthcare worker). It's fine if they want to volunteer that information, but even if they do, employers should refrain from recording and processing the data they share.
Employers should be careful with pointed questions about specific illnesses and diagnoses. Questions like "Have you been tested for coronavirus?" and "Do you have any medical conditions that make you susceptible?" are crossing the line into ADA territory, says Lyon. "An employer has to show a justification for asking those sorts of questions," she continues. If an employee returns from travel, the company may ask if they are returning from a country with a known outbreak, even if the travel was personal and the employee does not have symptoms.
Doctor's notes can also be tricky. The CDC suggests companies do not require a note to validate illness or return to work because in times like these, "healthcare provider offices and medical facilities may be extremely busy and not able to provide such documentation in a timely way."
If a company wants to verify someone is fit to return to the office, they may ask for a note saying as much because it doesn't disclose a specific condition, Lyon explains. However, if a company wants a note stating an employee has tested negative for a particular condition, such as coronavirus, that ventures into dangerous territory.
Companies are encouraged to record only health-related information that is factual, and the minimum amount of information necessary. This data should only be shared with employees on a "need-to-know" basis and used as anonymously as possible, Willemsen says. It should be stored securely and only for as long as it is necessary. If it must be disclosed, it should only be shared with external parties as mandated by law — for example, with local health agencies.
Lyon suggests businesses establish a centralized place where employees can view information about what is and isn't appropriate. "Make sure these questions are going to the right people so managers aren't on their own for what they can and can't ask," she explains. Creating a list of frequently asked questions for managers and employees can be helpful in times like these.
- 4 Ways Thinking 'Childishly' Can Empower Security Professionals
- What Cybersecurity Pros Really Think About Artificial Intelligence
- Working from Home? These Tips Can Help You Adapt
- State of Cybersecurity Incident Response
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"