Privacy Compliance - Yes, even in a pandemic

Jo Ellen Whitney
Dentons
Contact
LinkedIn
Facebook
X
Send
Embed

Davis Brown Law Firm

During a pandemic data privacy concerns may appear to take a back seat. However, while the Office of Civil Rights has expanded electronic platforms which may be used for HIPAA-related purposes and the EEOC now lets you take temperatures, the fundamental rules for both patient and employee privacy need to be followed to avoid liability issues once the world turns its attention back to compliance matters.

Taking Temperatures

On March 19, 2020, the EEOC updated its prior pandemic guidelines to take into account COVID-19 guidance from the CDC. Primary changes relate to the ability of an employer to take the temperatures of both existing employees and those post-offer and pre-hire. While temperature checks continue to be considered a physical exam as defined by the ADA/ADAAA, based on CDC recommendations, the EEOC now considers this practice to be an acceptable business and safety need.

Taking employee temperatures (and that of visitors when allowed again), should involve providing notice, and ensuring compliance with HIPAA and other privacy regulations. Posting form notices that temperatures will be taken provides the data that can be useful to later show that you were compliant with all CDC recommendations and processes.

Storing Data

The EEOC also notes that such information must be kept secure in order to be ADA/ADAAA compliant. This clears the way for employers who deem temperature checks necessary as long as they observe some basic confidentiality requirements such as limiting access to the data and storing it securely. 

When it comes to taking the temperature of visitors in a health care setting, you will want to keep records of the visitor names as well as the resident/patient name. This is HIPPA-protected information, so facilities are advised to ensure their data storage is HIPPA compliant.

There is also a question of how long to store the data. Right now, we do not have clear guidance or statute on this question, but it is worth noting that in many instances, a minimum time frame for keeping data such as employment applications is one year. Another recent post addresses the issues of taking employee temperatures.

Biometrics

Additional issues have also arisen as to whether or not temperature information would be biometrics. Iowa does not have a specific statute regarding how biometric data would be kept, accessed, or destroyed, however, surrounding states do. Perhaps one of the most complex is the Illinois Biometric Privacy Act. Based on the definition in the Act, it seems unlikely that taking the temperature of an employee or anyone else would be considered biometrics as covered by this statute, however, such documentation should still be afforded appropriate security and privacy. Under the ADA, it may be considered employee health or exam information and when eventually destroyed, should be done in a secure manner.

Underlying Conditions

In an effort to protect their workforce, some employers have recently begun questioning employees about underlying conditions such as pregnancy and heart or lung disease. The EEOC continues to state that inquiries of this type are not appropriate as they violate the ADA/ADAAA as well as the Pregnancy Act.

You may tell employees to come to HR with questions or concerns, you may ask about travel, fevers, coughs, and if anyone they encountered is symptomatic. Although OSHA guidance suggests you assess underlying conditions in your workforce, pursuant to the EEOC you MAY NOT question employees about their underlying conditions unless that employee raises that issue with you.

It’s Still on You to Comply

Although healthcare providers have many concerns to address right now, from protecting the safety of their residents and patients to ensuring their providers stay healthy and an adequate workforce is available, compliance should still be on your mind. We have no reason to believe that there will be any relaxation of compliance regulations and every reason to believe that providers who do not maintain health-related information in a secure manner will face issues following the pandemic.

If you have facilities in multiple locations that are logging temperatures, make sure that the person performing the screenings understands their role in protecting privacy and there is a secure location available to them to store the logs.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons
Dentons
Contact
more
less

Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide