Privacy & Information Security Law Blog

Hunton & Williams Labor & Employment partner Susan Wiltsie reports:

Fears of a worldwide Ebola pandemic appear to have abated, but the tension between workplace safety and employee privacy, thrown into relief by this health emergency, remains an issue relevant to all employers. Any potential health threat created by contagious illness requires employers to plan and put into effect a reasonable response, including policies governing the terms and conditions under which employees may be required to stay away from the workplace, and in which their health care information may be relevant to workplace decisions.

The likelihood of contracting Ebola from employees who may have been exposed to the disease is low, and fears of association with such individuals usually are scientifically unfounded. The decision regarding whether potentially exposed individuals should be barred from the workplace is particularly difficult. Employers do not want to appear hysterical; yet they need to be prudent about protecting co-workers, customers, visitors and vendors. Also, a very real risk exists that an infected employee on a manufacturing floor or otherwise in the chain of commerce could create a panicked boycott of the goods/services of their employer. As one way to address these issues, some employers have adopted policies that those employees who travel to the impacted areas in West Africa will not be able to return to work until 21 days after their last possible exposure. Such policies make particular sense for employers in the health care field. In cases where the employee has not made a choice – for example, when an employee is identified by public health officials as someone who may have been exposed, employers may decide to have any mandated leave time be paid. Telecommuting, if feasible, also is a good option. In unionized workplaces, these issues normally will be mandatory subjects of bargaining; employers who unilaterally implement such procedures may be engaging in unfair labor practices in violation of the National Labor Relations Act.

No approach to these issues will be free from legal risk.  Attempts to limit access to the workplace also expose employers to claims of discrimination under the Americans with Disabilities Act (“ADA”) or (for entities receiving federally funded assistance) the Rehabilitation Act of 1973 (“Rehab Act”). In addition to protecting qualified applicants and employees with disabilities from employment discrimination, these statutes prohibit discrimination based on an employee’s relationship or association with an individual who has a disability. See 42 U.S.C. § 12112(b)(4). Although temporary viral illnesses do not normally meet the definition of “disability” under the ADA, some Ebola-related conditions and long-term side effects may rise to that level, particularly in light of the more expansive definition of the term “disability” under the Americans with Disabilities Act Amendments Act of 2008.

Significantly, there is no requirement under the ADA or the Rehab Act that the employee’s association with a person potentially exposed to Ebola be a family relationship. The key question is whether the employer is motivated by an individual’s relationship or association with any person who has a disability. The Equal Employment Opportunity Commission’s publication entitled “Questions and Answers About the Association Provision of the Americans with Disabilities Act” provides helpful guidance on this issue, implicitly acknowledging a zone of privacy around an individual’s personal associational choices.

Perhaps the thorniest privacy issue facing employers with regard to contagious illnesses is the extent to which they may disclose information about an employee’s medical condition. Media attention to the particulars of each diagnosed case of Ebola outside of West Africa presents employers (particularly health care providers) with the Hobson’s choice of being transparent enough to reassure the public and opaque enough to protect employee privacy.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), enforced by the Office for Civil Rights of the Department of Health and Human Services, protects the confidentiality of protected health information by generally prohibiting its disclosure in the absence of explicit authorization from a patient. However, HIPAA applies only to health plans, health care clearinghouses, and most health care providers. It does not apply to employers – for instance, if an employer provides a self-insured health plan for employees, the plan, but not the employer, is subject to HIPAA. Moreover, HIPAA specifically exempts disclosures of health information made for purposes of worker’s compensation-related matters.

Thus, the significant amount of employee health information to which employers obtain access by virtue of standard workplace policies and procedures – medical appointment verification forms from physicians, verification of conditions qualifying for family and medical leave, explanations for routine absences, drug testing results, the results of medical examinations that are rationally related to job duties – is not subject to certain HIPAA requirements. Analogous state laws may provide greater protection. California’s Confidentiality of Medical Information Act, for instance, requires employers to protect the privacy and security of any medical information they receive. (Cal. Civ. Code §§ 56.20-56.245.) At bottom, however, most employers are more likely to face liability for disclosure of medical information under common law invasion of privacy theories (e.g., unreasonable intrusion upon seclusion) than under HIPAA or analogous state statutes.

Employee concerns about co-workers with contagious illnesses may be channeled into productive and appropriate efforts to prevent contagion. These may include education and training of employees, medical services such as vaccination and post-exposure medicine, modifying the work environment to provide additional protection, such as installing physical barriers (clear plastic sneeze guards), conducting business through drive-through service windows, improving ventilation, installing additional hand sanitizer dispensers and, where appropriate, providing protective personal equipment such as respirators and surgical masks.

While Ebola does not meet the definition of “pandemic,” OSHA’s general guidance on protecting workers during a pandemic prescribes evaluation of contagion risks based on specific job activities that may expose people to infection. Emergency responders and workers in critical infrastructure and key resource sectors (including employees in the fields of health care, laboratory work, mortuary/death care, emergency transport and airline services) face greater risks of infection than employees who do not regularly interact with the general public. OSHA regulations prescribe safety standards for such individuals, including OSHA’s Bloodborne Pathogens standard (29 CFR 1910.1030), Respiratory Protection standard (29 CFR 1910.134), and Personal Protective Equipment standard (29 CFR 1910.132).

Thoughtful and deliberate planning at the senior levels of an organization, ongoing monitoring of the most recent reports and recommendations from the CDC, the WHO and other health organizations, and investment in employee education and training will allow employers to safely navigate competing concerns about workplace safety and worker privacy.