On Friday, March 13, 2020, President Trump declared a national state of emergency related to the COVID-19 coronavirus pandemic. The states of Florida, Georgia, New York, California, Washington and others have also declared states of emergencies related to the pandemic. Professional and college sports teams are postponing or cancelling their seasons, concerts, meetings and other large gatherings are being cancelled, and schools are closing at a rapid pace.
All of these steps are aimed at stopping the spread of COVID-19. Congress passed and President Trump has now signed the ‘Families First Coronavirus Response Act’’ to provide health plan coverage for COVID-19 testing, as well as paid leave for employees and other relief related to the pandemic. Click here for more info. The IRS also has released guidance allowing for COVID-19 testing without copays under High Deducible Health Plans (HDHPs) without jeopardizing Health Savings Accounts (HSAs).
How do these declarations, cancellations and other guidance impact an employer’s right to take steps of its own to fight the spread of COVID-19 when it impacts its employees’ privacy rights?
Can an employer inquire about an employee’s exposure to COVID-19? Asking for this information from employees seems to be counter to the increasing privacy protections given to all employees. It is important to remember basic privacy principles, whether it is under the Health Insurance Portability and Accountability Act (HIPAA) (which applies to group health plans, health care providers and business associates), the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), or other relevant privacy laws.
Most privacy laws contain narrow exceptions for public health and safety purposes, but the information collected still be the minimum necessary for the purpose that it is collected. If any information is collected, employers need to involve their privacy and security departments to ensure that its privacy rules are followed and its rules are applied consistently across the organization.
For example, if an employer is notified that an employee has contracted COVID-19, how much information can be provided to other employees so that they can be protected? Is it necessary to give out the affected employee’s name? The “minimum necessary” principal should be followed but not to the extent it deprives workers of useful information. Employers should consider the safety reason for information being collected, how broadly the information is being shared, and who is responsible for making these decisions. This analysis is very similar to the data privacy assessment process used under HIPAA and other privacy laws. Employers should consider looking to this process as it gathers and releases personal health information, following existing privacy notifications and disclosures requirements. The protection of personal health information remains paramount.
We will continue to update you on the status of proposed legislation, regulations and any other changes, as soon as information becomes available. We also have a dedicated webpage to provide you with updates regarding COVID-19.
If you have questions about plan design changes to address COVID-19 in the meantime, please contact your Executive Compensation and Employee Benefits Counsel at Smith, Gambrell & Russell, LLP.