Businesses face difficult decisions when an employee, customer, student, vendor, etc. has or may have COVID-19. They are obliged to protect the privacy of the affected individual, yet they also have a responsibility to others and the public to protect their health as well. To make matters worse, depending on the locations where organizations operate and where affected individuals reside, conflicting laws may make those decisions more confusing.
Businesses first need to be aware that privacy regulations apply during this public health crisis. As the United States Department of Health and Human Services (HHS) has reinforced, "the protections of [HIPAA's] Privacy Rule are not set aside during an emergency."
Similarly, the Data Protection Commission in the Republic of Ireland and the United Kingdom's Information Commissioner's Office are reminding businesses about the rules for handling health and personal information under the General Data Protection Regulation (GDPR) and Great Britain's similar law. Thus, organizations remain required to notify individuals of the collection and use of health and personal information about them, honor the rights of individuals to control such information, and maintain the privacy and security of that information.
However, businesses also should know that privacy regulations permit the collection and disclosure of health and personal information in circumstances that apply in the current crisis. For example, such information may be disclosed if the affected individual has given informed consent, and if the information has been appropriately de-identified. Certain privacy regulations also permit organizations to collect and disclose health and personal information without consent when an emergency threatens the health of the affected individual, and when doing so is necessary to protect the public health. Even so, a business should consult with counsel before disclosing such information for public health purposes, to ensure that doing so is permitted under the circumstances and the applicable privacy law.
In response to COVID-19, governments are clarifying and easing some privacy restrictions. For example, the European Data Protection Board issued a statement assuring organizations that "the GDPR provides for the legal grounds to enable [them] to process personal data in the context of epidemics, without the need to obtain the consent of the data subject, [including when] necessary for ... reasons of public interest in the area of public health or to protect vital interests ..., or to comply with another legal obligation." Similarly, the Information Commissioner's Office for the United Kingdom issued a FAQ stating that employers may collect health and personal information (like physical symptoms and travel history) to identify whether employees have or might have COVID-19, particularly in light of laws requiring them to ensure a safe workplace.
Similarly, under HIPAA, HHS waived certain Privacy Rule penalties and sanctions for covered hospitals, including to permit telemedicine via insecure communications, when they apply to the COVID-19 emergency, and only for up to 72 hours after a covered hospital has instituted its disaster protocol. And, because of statements issued by the Center for Disease Control, an advisory from the United States Equal Opportunity Commission permits employers to ask sick employees questions designed to identify whether they may have COVID-19, and to require employees in the workplace to measure their body temperature.
While COVID-19 has created a new normal for all, privacy laws have foreseen this type of crisis. Businesses can take a step back, work with experienced counsel, and ensure that the actions they take to collect, use, and disclose health and personal information to address COVID-19 are in compliance with applicable privacy regulations.