Q: The CDC has recommended that we take the temperature of residents and visitors to our long-term care facility. We are fine to do that but what do we do with that information? What about biometrics?

A: You’re right to think about data storage. 

You need to make a determination as to whether you will keep a log of visitor temperatures or simply take the temperature and if it is within an acceptable limit allow the visitation to proceed. This determination has many aspects including notice, compliance, and HIPAA. In general, most facilities or employers are providing poster form notices to people that their temperature will need to be taken. Data can be useful to later show that you were compliant with all CDC recommendations and processes. However, it will add some time to the process and if you choose to log the data, consistency will be particularly important.

You will need to determine how the data will be stored. HIPAA also comes in, given that in a health care setting the name of the visitor and who they are going to visit, which is part of the data you would want to keep, would be considered to be HIPPA protected information. Without clear guidance or statute on how long such data should be kept, that decision will also need to be made. But it is worth noting that in many instances, a minimum time frame for keeping data such as employee applications is one year. Another recent post addresses the issues of taking employee temperatures.

Additional issues have also arisen as to whether or not temperature information would be biometrics. Iowa does not have a specific statute regarding how biometric data would be kept, accessed, or destroyed. However, surrounding states do have biometric statutes. Perhaps one of the most complex is the Illinois Biometric Privacy Act. It primarily covers issues relating to biometric data which can used in conjunction with potential identity theft including “access [to] finances or other sensitive information.” Illinois, which regulates the collection, use, and destruction of biometric identifiers typically limits what it considers in this category as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry,” specifically stating that biometric identifiers do not include signatures, human biological samples used for valid scientific testing or screening, and similar items. Based on this definition it seems unlikely that taking the temperature of an employee or anyone else would be considered biometrics as covered by this statute. However, such documentation should still be afforded appropriate security and privacy. Under the ADA, it may be considered a employee health or exam information and when eventually destroyed, should be done in a secure manner.