Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back

How Does COVID-19 Impact the Privacy of Health and Personal Information?

Written by: Cameron G. Shilling & John Weaver

3/19/2020

Businesses face difficult decisions when an employee, customer, student, or vendor. has or may have COVID-19.  They are obliged to protect the privacy of the affected individual, yet they also have a responsibility to protect the public health.  Conflicting laws in the locations where a business operates, or where the affected individuals reside, organizations operate or and where affected individuals reside, may further complicate these decisions.

Businesses first need to be aware that privacy regulations apply during this public health crisis. As the United States Department of Health and Human Services (HHS) has reinforced, “the protections of [HIPAA’s] Privacy Rule are not set aside during an emergency.”

Similarly, the Data Protection Commission in the Republic of Ireland and the United Kingdom’s Information Commissioner’s Office are reminding businesses about the rules for handling health and personal information under Ireland’s the General Data Protection Regulation (GDPR) and Great Britain’s similar law.   Thus, organizations remain required to notify individuals of the collection and use of health and personal information about them, to honor the rights of individuals to control such information, and to maintain the privacy and security of that information.

Privacy regulations do, however, permit the collection and disclosure of health and personal information in circumstances applicable to the current crisis.  For example, such information may be disclosed if the affected individual has given informed consent, and if the information has been appropriately de-identified.  Certain privacy regulations also permit organizations to collect and disclose health and personal information without consent, when an emergency threatens the health of the affected individual, and when doing so is necessary to protect the public health.  Businesses should consult with counsel before disclosing such information to ensure that disclosure is permitted under the circumstances and applicable privacy law.

In response to COVID-19, governments are clarifying and easing some privacy restrictions.  For example, the European Data Protection Board issued a statement assuring organizations that “the GDPR provides for the legal grounds to enable [them] to process personal data in the context of epidemics, without the need to obtain the consent of the data subject, [including when] necessary for…reasons of public interest in the area of public health or to protect vital interests...or to comply with another legal obligation.”  Similarly, the Information Commissioner’s Office for the United Kingdom issued a FAQ stating that employers may collect health and personal information (like physical symptoms and travel history) to identify whether employees safe workplace.

Similarly, under HIPAA, HHS waived certain Privacy Rule penalties and sanctions for covered hospitals, including to permit telemedicine via insecure communications, when those communications apply to the COVID-19 emergency, and only for up to 72 hours after a covered hospital has instituted its disaster protocol.  Because of statements issued by the Center for Disease Control, an advisory from the United States Equal Opportunity Commission employers are permitted to ask questions of sick employees to determine whether they may have COVID-19, and also to require employees in the workplace to measure their body temperature.

While COVID-19 has created a new normal for all, privacy laws have anticipated this type of crisis.  Businesses can take a step back, work with experienced counsel, and ensure that the actions they take to collect, use, and disclose health and personal information to address COVID-19 are in compliance with applicable privacy regulations.

Integrity and trust

At McLane Middleton we establish and maintain long-standing relationships with our clients to help us better achieve their unique goals over time. This approach to building trust requires that our esteemed lawyers and professionals use their broad, in-depth knowledge and work together with integrity to ascertain sound resolutions to legal matters for their clients.

Strength in numbers

McLane Middleton is made up of more than 105 attorneys who represent a broad range of clients throughout the region, delivering customized solutions. As a firm we are recognized as having the highest legal ability rating. The firm is rated Preeminent by Martindale Hubbell and is recognized as one of the nation's leading law firms in Chambers USA. Our attorneys are distinguished leaders in their respective practice areas.

Meet Our People

Commitment and collaboration

McLane Middleton's versatile group of attorneys and paralegals become trusted authorities on each case through collaboration. We work with our clients to learn their individual needs first and foremost and, together, we develop comprehensive solutions to their specific legal matters. This approach helps us exceed our clients' expectations efficiently and effectively, client by client, case by case.

Practice Areas

A history of excellence

McLane Middleton was established in 1919 in New Hampshire, and has five offices across two states. However, deep historical roots don't allow you to become innate. Our firm is organized, technological, and knowledgeable. Our history means we are recognized. But our reputation is built on the highest quality of service and experience in very specific areas of law.

The Firm

Intelligence paired with action

Our team continuously seeks opportunities to enhance their professional development and put key learnings to action. The pursuit of further insight guides us to volunteer service opportunities, speaking engagements, and teaching roles. Our lawyers are sought after thought leaders across their industries, and recipients of leadership awards throughout the region.