Published in NH Business Review (5/21/2020)
As the coronavirus crisis transitions into its next phase and the economy starts to reopen, businesses face significant new information privacy obligations.
They will be collecting sensitive personal and health information about employees, customers, vendors and other individuals who work at or enter their facilities. That will include information like body temperature, past and present symptoms and illnesses, Covid-19 test results, existing health conditions that make individuals vulnerable, and the social interactions and travel histories of individuals. Most businesses are unaccustomed to the rules for properly handling such information, and are unaware of the privacy law requirements that apply to it.
Collection, use and disclosure of health information about employees is strictly limited by the Americans with Disabilities Act.
Under the ADA, requests for health information must be either related to an employee’s fitness for duty or job-related and consistent with business necessity, including to determine if employees pose a direct threat to others.
In response to the current crisis, the Equal Employment Opportunity Commission and Centers for Disease Control and Prevention are permitting the widespread gathering of health information about employees to stem the spread of the coronavirus. However, when doing so, employers still must comply with ADA privacy requirements, including gathering only the health information necessary to address Covid-19 issues, ensuring only the proper and limited use and strict confidentiality of such information, and securely retaining health information separate from other records.
Personal and health information about employees, customers, vendors and other individuals also is governed by a multiplicity of varying state, federal and foreign privacy regulations.
A few prominent examples are HIPAA, the Massachusetts Right of Privacy Act, the California Consumer Privacy Act, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), the European Union General Data Protection Regulation (GDPR), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). These laws generally apply to information that any business collects and uses about individuals who reside in those jurisdictions, even if the business has no physical presence there.
Privacy regulations require businesses to implement significant controls with respect to personal and health information. The most meaningful requirements include the following:
- Notify individuals about the purposes for the collection, use and disclosure of personal and health information, and with respect to certain sensitive such information, obtain consent from individuals before engaging in such activity.
- Ensure that the collection, use and disclosure of such information is only for legitimate purposes that are specifically permitted by applicable privacy regulations.
- Notify individuals of their rights with respect to such information, and honor those rights whenever exercised by individuals.
- Implement security controls that are appropriate to the sensitivity of the information collected, used, and disclosed by the business.
Because many businesses have not previously engaged in the widespread handling of sensitive personal and health information, they likely are unfamiliar with the privacy requirements that apply to such information, and are unaware of and unprepared to implement the controls required by such regulations. Consequently, before and as businesses reopen, they should work with an experienced cybersecurity attorney to conduct a rapid privacy risk assessment, implement the controls that can be implemented within the next several weeks, and address additional privacy law requirements over a more extended period of time.
When doing so, businesses must identify an appropriate privacy standard to use for compliance. The National Institute of Standards and Technology (NIST), a non-regulatory technical agency that is part of the U.S. Department of Commerce, recently promulgated a comprehensive standard called the Privacy Framework. Whereas NIST’s existing standard, the Cybersecurity Framework, focuses primarily on security controls, the Privacy Framework provides a useful regime for businesses to use to begin complying with the multitude of differing existing and forthcoming privacy laws.
The next phase of our “new normal” will inevitably involve businesses collecting, using and disclosing a greater volume and wider variety of sensitive personal and health information. Existing privacy regulations are strict, and new laws of this kind are emerging routinely from state legislatures. Now is the time to make your business’s information privacy practices compliant.
Cam Shilling chairs and John Weaver is a member of McLane Middleton’s Information Privacy and Security Practice Group.