Hunton & Williams Labor & Employment partner Susan Wiltsie reports:
Fears of a worldwide Ebola pandemic appear to have abated, but the tension between workplace safety and employee privacy, thrown into relief by this health emergency, remains an issue relevant to all employers. Any potential health threat created by contagious illness requires employers to plan and put into effect a reasonable response, including policies governing the terms and conditions under which employees may be required to stay away from the workplace, and in which their health care information may be relevant to workplace decisions.
The likelihood of contracting Ebola from employees who may have been exposed to the disease is low, and fears of association with such individuals usually are scientifically unfounded. The decision regarding whether potentially exposed individuals should be barred from the workplace is particularly difficult. Employers do not want to appear hysterical; yet they need to be prudent about protecting co-workers, customers, visitors and vendors. Also, a very real risk exists that an infected employee on a manufacturing floor or otherwise in the chain of commerce could create a panicked boycott of the goods/services of their employer. As one way to address these issues, some employers have adopted policies that those employees who travel to the impacted areas in West Africa will not be able to return to work until 21 days after their last possible exposure. Such policies make particular sense for employers in the health care field. In cases where the employee has not made a choice – for example, when an employee is identified by public health officials as someone who may have been exposed, employers may decide to have any mandated leave time be paid. Telecommuting, if feasible, also is a good option. In unionized workplaces, these issues normally will be mandatory subjects of bargaining; employers who unilaterally implement such procedures may be engaging in unfair labor practices in violation of the National Labor Relations Act.
No approach to these issues will be free from legal risk. Attempts to limit access to the workplace also expose employers to claims of discrimination under the Americans with Disabilities Act (“ADA”) or (for entities receiving federally funded assistance) the Rehabilitation Act of 1973 (“Rehab Act”). In addition to protecting qualified applicants and employees with disabilities from employment discrimination, these statutes prohibit discrimination based on an employee’s relationship or association with an individual who has a disability. See 42 U.S.C. § 12112(b)(4). Although temporary viral illnesses do not normally meet the definition of “disability” under the ADA, some Ebola-related conditions and long-term side effects may rise to that level, particularly in light of the more expansive definition of the term “disability” under the Americans with Disabilities Act Amendments Act of 2008.
Significantly, there is no requirement under the ADA or the Rehab Act that the employee’s association with a person potentially exposed to Ebola be a family relationship. The key question is whether the employer is motivated by an individual’s relationship or association with any person who has a disability. The Equal Employment Opportunity Commission’s publication entitled “Questions and Answers About the Association Provision of the Americans with Disabilities Act” provides helpful guidance on this issue, implicitly acknowledging a zone of privacy around an individual’s personal associational choices.
Perhaps the thorniest privacy issue facing employers with regard to contagious illnesses is the extent to which they may disclose information about an employee’s medical condition. Media attention to the particulars of each diagnosed case of Ebola outside of West Africa presents employers (particularly health care providers) with the Hobson’s choice of being transparent enough to reassure the public and opaque enough to protect employee privacy.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), enforced by the Office for Civil Rights of the Department of Health and Human Services, protects the confidentiality of protected health information by generally prohibiting its disclosure in the absence of explicit authorization from a patient. However, HIPAA applies only to health plans, health care clearinghouses, and most health care providers. It does not apply to employers – for instance, if an employer provides a self-insured health plan for employees, the plan, but not the employer, is subject to HIPAA. Moreover, HIPAA specifically exempts disclosures of health information made for purposes of worker’s compensation-related matters.
Thus, the significant amount of employee health information to which employers obtain access by virtue of standard workplace policies and procedures – medical appointment verification forms from physicians, verification of conditions qualifying for family and medical leave, explanations for routine absences, drug testing results, the results of medical examinations that are rationally related to job duties – is not subject to certain HIPAA requirements. Analogous state laws may provide greater protection. California’s Confidentiality of Medical Information Act, for instance, requires employers to protect the privacy and security of any medical information they receive. (Cal. Civ. Code §§ 56.20-56.245.) At bottom, however, most employers are more likely to face liability for disclosure of medical information under common law invasion of privacy theories (e.g., unreasonable intrusion upon seclusion) than under HIPAA or analogous state statutes.
Employee concerns about co-workers with contagious illnesses may be channeled into productive and appropriate efforts to prevent contagion. These may include education and training of employees, medical services such as vaccination and post-exposure medicine, modifying the work environment to provide additional protection, such as installing physical barriers (clear plastic sneeze guards), conducting business through drive-through service windows, improving ventilation, installing additional hand sanitizer dispensers and, where appropriate, providing protective personal equipment such as respirators and surgical masks.
While Ebola does not meet the definition of “pandemic,” OSHA’s general guidance on protecting workers during a pandemic prescribes evaluation of contagion risks based on specific job activities that may expose people to infection. Emergency responders and workers in critical infrastructure and key resource sectors (including employees in the fields of health care, laboratory work, mortuary/death care, emergency transport and airline services) face greater risks of infection than employees who do not regularly interact with the general public. OSHA regulations prescribe safety standards for such individuals, including OSHA’s Bloodborne Pathogens standard (29 CFR 1910.1030), Respiratory Protection standard (29 CFR 1910.134), and Personal Protective Equipment standard (29 CFR 1910.132).
Thoughtful and deliberate planning at the senior levels of an organization, ongoing monitoring of the most recent reports and recommendations from the CDC, the WHO and other health organizations, and investment in employee education and training will allow employers to safely navigate competing concerns about workplace safety and worker privacy.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code