The presence of the Novel Coronavirus (“2019-nCoV” or more commonly known as “COVID-19”) is unprecedented in modern times, as most of us have never experienced a global health threat. There are many unknowns with COVID-19, including to what extent businesses are permitted to collect and share personal information and data in order to protect and preserve the public welfare. Currently, there are no overarching federal data privacy laws or protections to guide businesses on how to handle personal information and data during a pandemic. Specifically, how will your business balance collecting and sharing protected health information, employment data and location data in order to help control the rapid spread of COVID-19 and ultimately contain it?
Personal Health Data
An employee’s health information is private and is protected under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. However, this past February, the U.S. Department of Health and Human Services published a bulletin which provides details on when disclosure of a person’s private health information is allowed. Among the reasons is “to prevent a serious and imminent threat” to public health. Only HIPAA covered entities and their business associates are permitted to share, with limitations and consistent with applicable law, certain patient information under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation. Under most circumstances, the covered entity must make reasonable efforts to limit the disclosures to the “minimum necessary” to accomplish the purpose. Employers are not covered entities and are not subject to HIPAA restrictions. Regardless, private health disclosures should be shared only with authorized personnel, and care should be taken to protect the employee’s private health data from an inadvertent disclosure that could result in privacy violations.
In 2009, the U.S. Equal Employment Opportunity Commission (“EEOC”) provided guidance regarding pandemic planning for the flu. However, it has directed employers to the Center for Disease Control’s (“CDC”) website for guidance on preventing stigma and discrimination in order to determine the risk of COVID-19.
The need for “contact tracing” as a means to quickly address a public health issue will grow stronger as the number of COVID-19 cases continues to grow within the U.S. Contact tracing is the process of tracing a person’s physical location and past movements in order to build a comprehensive chronicle of a person’s whereabouts and determine with whom the person may have had contact. Companies should consider the need for requesting certain information from employees and with whom the information is shared.
Pandemic Fears = Opportunistic Cybercriminals
The time is ripe for data privacy risks and cyber intrusions. As companies prepare for alternate work arrangements, they must keep in mind their heightened obligation to protect clients’ and employees’ personal information. For example, in China, there were reports of cybercriminals disseminating Remote Access Trojans disguised as files or documents that seem to provide new notifications or updates related to COVID-19. Companies should remind their employees to verify the source of emails and text messages before clicking on links or opening attachments that could lead to data loss. Additionally, companies should review their cybersecurity and business continuity plans and practices; test remote access, continuity of business operations and information security safeguards; and provide employees with constant reminders of their obligation to safeguard the company’s networks and client personal data and information.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert related to potential cybersecurity scams stemming from the coronavirus (COVID-19) pandemic.