In the absence of compulsory vaccination, some employers have decided to ensure herd immunity among their employees by requiring a vaccination to work. In December, the federal Equal Employment Opportunity Commission issued guidance that employers are able to require employee vaccination, so long as reasonable accommodations are provided if possible where the Americans with Disabilities Act applies.
Read moreDoes Privacy Still Exist Amid Coronavirus?
Amid the news of cities and states reopening, there also have been reports of closures. Some restaurants that had welcomed in-person dining have closed because an employee had tested positive for COVID-19. Bars and pubs, the ultimate watering holes for socializing and catching up with friends, have similarly shut their doors to the public once again. Despite the rising number of positive cases, none of these businesses is required to report any instances of employees who test positive for the disease. For instance, here in Texas, Governor Greg Abbott and the Strike Force to Open Texas have established a list of guidelines and minimum health protocols to which small businesses, such as restaurants, must adhere if they choose to reopen. No public reporting requirements are included in these checklists. Nevertheless, many restaurants throughout Texas and the rest of the country have opted to do so in an effort at transparency and general good business practice, seeking to assure the public that they value their loyalty and business but not at the sake of the health of their employees or their customers.
While restaurants and similarly situated businesses are not required to report COVID cases to the public, employers are still obligated to inform affected employees of their possible exposure to the virus. However, the employer must keep the identity of the infected employee confidential, as called for by the Americans With Disabilities Act (ADA). Although many people associate the ADA with prohibiting discrimination against individuals with disabilities in the workplace, the ADA also has privacy provisions that require employers covered by the ADA to keep all information about an employee’s illness confidential. In the case of COVID-19, employers are permitted to screen employees entering the workplace and may inquire about any symptoms identified by the CDC or public health officials associated with the disease. Such questions are deemed appropriate because of the severe health threat that the disease poses. Any information ascertained from the screening, though, must be kept confidential and stored in a file that is separate from the employee’s personnel file. Despite this confidentiality, employers are able to disclose the name of an infected employee to a public health agency.
Another law that protects individuals from public disclosure of health-related information is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, certain covered entities, typically healthcare providers and health plan insurers, cannot disclose protected health information without authorization from the individual. Nevertheless, there are situations when such information can be disclosed without prior consent for national priority purposes, including public health activities. According to a bulletin issued in March, the Secretary of the Department of Health and Human Services issued a limited waiver of certain sanctions and penalties associated with noncompliance with HIPAA’s Privacy Rule. However, even with the waiver, covered entities, such as hospitals, are able to share patient information with a public health authority and persons at risk. Disclosure of such information to the media or persons not associated with the patient’s care requires written authorization. One of the more recent high-profile cases alleging a potential HIPAA violation involved the disclosure of a positive COVID-19 test result for Dallas Cowboys star running back Ezekiel Elliott. Elliott took to Twitter, questioning whether such disclosure was a violation of HIPAA’s Privacy Rule. Maybe, maybe not. Remember that only healthcare professionals and other specified covered entities are held to the rules set out in HIPAA. In Elliot’s case, the media’s disclosure of the test results was not itself a violation of HIPAA, but the initial disclosure very well might have been.
Yes, even amid a global pandemic, privacy laws are still in place to protect individuals from the public disclosure of any health-related information. These laws present a challenge for businesses because employers are required to balance the protection of an infected employee’s privacy rights with the health and welfare of the possibly affected employees. Employers who still have questions can consult the CDC’s website, where it is has prepared some guidance for businesses and employers.