Businesses face difficult decisions when an employee, customer, student, or vendor. has or may have COVID-19. They are obliged to protect the privacy of the affected individual, yet they also have a responsibility to protect the public health. Conflicting laws in the locations where a business operates, or where the affected individuals reside, organizations operate or and where affected individuals reside, may further complicate these decisions.
Businesses first need to be aware that privacy regulations apply during this public health crisis. As the United States Department of Health and Human Services (HHS) has reinforced, “the protections of [HIPAA’s] Privacy Rule are not set aside during an emergency.”
Similarly, the Data Protection Commission in the Republic of Ireland and the United Kingdom’s Information Commissioner’s Office are reminding businesses about the rules for handling health and personal information under Ireland’s the General Data Protection Regulation (GDPR) and Great Britain’s similar law. Thus, organizations remain required to notify individuals of the collection and use of health and personal information about them, to honor the rights of individuals to control such information, and to maintain the privacy and security of that information.
Privacy regulations do, however, permit the collection and disclosure of health and personal information in circumstances applicable to the current crisis. For example, such information may be disclosed if the affected individual has given informed consent, and if the information has been appropriately de-identified. Certain privacy regulations also permit organizations to collect and disclose health and personal information without consent, when an emergency threatens the health of the affected individual, and when doing so is necessary to protect the public health. Businesses should consult with counsel before disclosing such information to ensure that disclosure is permitted under the circumstances and applicable privacy law.
In response to COVID-19, governments are clarifying and easing some privacy restrictions. For example, the European Data Protection Board issued a statement assuring organizations that “the GDPR provides for the legal grounds to enable [them] to process personal data in the context of epidemics, without the need to obtain the consent of the data subject, [including when] necessary for…reasons of public interest in the area of public health or to protect vital interests…or to comply with another legal obligation.” Similarly, the Information Commissioner’s Office for the United Kingdom issued a FAQ stating that employers may collect health and personal information (like physical symptoms and travel history) to identify whether employees safe workplace.
Similarly, under HIPAA, HHS waived certain Privacy Rule penalties and sanctions for covered hospitals, including to permit telemedicine via insecure communications, when those communications apply to the COVID-19 emergency, and only for up to 72 hours after a covered hospital has instituted its disaster protocol. Because of statements issued by the Center for Disease Control, an advisory from the United States Equal Opportunity Commission employers are permitted to ask questions of sick employees to determine whether they may have COVID-19, and also to require employees in the workplace to measure their body temperature.
While COVID-19 has created a new normal for all, privacy laws have anticipated this type of crisis. Businesses can take a step back, work with experienced counsel, and ensure that the actions they take to collect, use, and disclose health and personal information to address COVID-19 are in compliance with applicable privacy regulations.