Published in NH Business Review (5/21/2020)
As the coronavirus health crises eases and the economy reopens, businesses face significant new information privacy issues. They will be collecting sensitive personal and health information about employees, customers, vendors, and other individuals who work at or enter our offices and facilities. That will include information like body temperature, past and present symptoms and illnesses, COVID-19 test results, existing health conditions that make individuals vulnerable, and the social interactions and travel histories of individuals. Most businesses are unaccustomed to the rules for properly handling such sensitive information, and are unaware of the privacy law requirements that apply to that information.
Collection, use, and disclosure of health information about employees is strictly limited by the Americans with Disabilities Act (ADA). Under the ADA, requests for health information must be either related to an employee's fitness for duty, or job-related and consistent with business necessity, including to determine if employees pose a direct threat to others. In response to the current crisis, the Equal Employment Opportunity Commission and Centers for Disease Control and Prevention are permitting the widespread gathering of health information about employees to stem the spread of the coronavirus. However, when doing so, businesses still must comply with ADA privacy requirements, including gathering only the health information necessary to address COVID-19 issues, ensuring only the proper and limited use and strict confidentiality of such information, and securely retaining health information separate from other records.
Personal and health information about employees, customers, vendors, and other individuals also is governed by a multiplicity of varying state, federal, and foreign privacy regulations. A few prominent examples are HIPPA, the Massachusetts Right of Privacy Act, the California Consumer Privacy Act, the New York Stop Hacks and Improve Electronic Data Security Act, the European Union General Data Protection Regulation, and the Canadian Personal Information Protection and Electronic Documents Act. These laws generally apply to information that any business collects and uses about individuals who reside in those jurisdictions, even if the businesses have no physical presence there.
Privacy regulations require businesses to implement significant controls with respect to personal and health information. The most meaningful requirements include the following:
- Notify individuals about the purposes for the collection, use, and disclosure of personal and health information, and with respect to certain sensitive such information, obtain consent from individuals before engaging in such activity.
- Ensure that the collection, use, and disclosure of such information is only for legitimate purposes that are specifically permitted by applicable privacy regulations.
- Notify individuals of their rights with respect to such information, and honor those rights whenever exercised by individuals.
- Implement security controls that are appropriate to protect the sensitive of the information collected, used, and disclosed by the business.
Because many businesses have not previously engaged in the widespread handling of sensitive personal and health information, they likely are unfamiliar with the privacy requirements that apply to such information, and are unaware of and unprepared to implement the controls required by such regulations. Consequently, before and as businesses reopen, they should work with an experienced cybersecurity attorney to conduct a rapid privacy risk assessment, implement the controls that can be implemented within a short period of time, and address additional privacy law requirements over a more extended period of time.
When doing so, businesses must identify an appropriate privacy standard to use for compliance. A leading industry association, the National Institute of Standards and Technology, recently promulgated a comprehensive standard called the Privacy Framework. Whereas NIST's existing standard, the Cybersecurity Framework, focuses primarily on security controls, the Privacy Framework provides a useful regime for businesses to use to start to come into compliance with the multitude of differing existing and forthcoming privacy laws.
The next phase of our 'new normal' will inevitably involve businesses collecting, using, and disclosing a greater volume and wider variety of sensitive personal and health information. Existing privacy regulations are strict, and new such laws are emerging routinely from state legislatures. Now is the time to make your business information privacy compliant.
Cam Shilling chairs McLane Middleton's Information Privacy and Security Practice Group. Other members of the team include attorneys John Weaver, Annie Cho, and Katelyn Burgess and technology paralegal Dawn Poulson.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.