As businesses prepare to reopen, they are weighing implementation of various practices to ensure a safe environment and minimize the spread of COVID-19. To protect employees, clients, customers and visitors, businesses must adopt new measures, which may include testing and other screening procedures, self-reporting obligations, and certain medical examinations. Thinking ahead to key issues under the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), the Occupational Safety and Health Act (OSHA), and state privacy laws can help companies mitigate risk in a compliant manner. The following provides an overview of some rules and best practices for businesses welcoming back employees and other visitors onto their premises.

Workplace Testing and Other Screening Considerations

  • The ADA generally permits employers to (1) measure an employee's body temperature as part of a screening procedure, and (2) administer COVID-19 tests to detect the presence of the COVID-19 virus before permitting employees into the workplace. However, employers must treat the results of these checks and tests as confidential. This means employers must limit access to the information and must securely store the information separately from the employee's personnel file.
    • Employers collecting body temperatures and COVID-19 test results must remain mindful of the potential applicability of state data privacy laws that may cover and regulate this information. Additional compliance obligations will apply in the event these state laws are applicable.
    • The use of tests and other screening procedures does not alleviate an employer's responsibility to continue to observe infection control practices in the workplace to prevent transmission of the virus (e.g., enforcing social distancing, encouraging use of masks and regular handwashing, etc.).
  • Employer-sponsored group health plans are not required to cover employer-mandated COVID-19 tests for those employees returning to the workplace (i.e., testing conducted to screen for general workplace health and safety purposes).
  • Antibody tests are currently considered a prohibited "medical examination" under the ADA. This means employers cannot administer or require antibody tests as a condition of employment or as a condition for reentry into the workplace. Note that this rule may change based on future CDC guidance or recommendations.
  • The ADA allows employers to require a doctor's note (or similar forms and communications from healthcare providers) certifying fitness for duty in connection with an employee's return to work. Employers are also permitted to use questionnaires to ask employees about recent exposure to or symptoms of COVID-19, or to ask employees to self-report potential exposure or infection.
  • An employer-sponsored health plan is considered a separate legal entity from the employer itself. So while an employer may not be covered by HIPAA, the employer's health plan definitely is. Therefore, although the ADA allows the temperature checks and COVID-19 testing and screening described above, HIPAA prohibits employers from using employees' health claim records as a source for information on COVID-19 status unless the employee has signed a HIPAA-compliant authorization permitting this use by the employer.
    • Because employers (in their role as employers) are not covered by HIPAA, the results of employer-administered COVID-19 tests or screening procedures stored in regular (non-health plan) employment records are not subject to HIPAA's rules and requirements. However, if any of the documentation outlined above contains medical information, it must be maintained as confidential and securely stored separate from the employee's personnel file. No separate "COVID-19" file is required; an employer may store medical information related to COVID-19 in existing confidential and segregated medical files, if any.
  • Employers should remain apprised of any local orders or guidelines outlining additional screening measures employers are required to implement to ensure a safe workplace. These orders or guidelines vary based on jurisdiction and industry type.
  • In addition to implementing safeguards to make the workplace safe for employees and visitors, employers must also consider how they can keep employees safe from visitors, who, in addition to customers, may also include the business's suppliers and contractors. Businesses that provide healthcare services must also protect their patients from visitors, who, in addition to those mentioned above, also include family members. Depending on the nature of the business and factors such as whether or not social distancing can be maintained, employers may choose to restrict the presence of visitors entirely, or they may choose to implement screening procedures for visitors, such as requiring visitors to complete screening forms regarding their potential exposure to COVID-19, symptoms, etc. Employers may also require satisfactory temperature checks for visitors before allowing them onto the premises; if visitors will be on the premises for longer periods, additional temperature checks may also be required on the same schedule as employees or if a visitor begins to exhibit potential COVID-19 symptoms.

Privacy Considerations

  • While a number of federal and state regulators have issued pandemic-related guidance, very little direction has been provided addressing employers' privacy obligations as they prepare for a return to work. Despite the lack of formal legislation specific to the issue of data collection (tracking and tracing) of employees during the pandemic, guidelines can be derived from general privacy principles. When collecting employee COVID-19-related data, observing the following best practices can keep employers on the right side of the regulatory equation:
    • Plan ahead. Devise policies that will, to the best of your abilities, not conflict with existing employee data protections. Consider current business practices and technologies that are employed in the business to ensure that policies and procedures related to COVID-19 data collection comply with existing regulatory requirements.
    • Be transparent. Explain the purpose and reasoning behind data collection. Explain that personal data will be protected and will not be used in a manner that is not consistent with applicable laws. Explain how and where data will be kept, and who will be privy to it. Explain what rights employees have regarding the data.
    • Convey safety as a priority. Clearly expressing the priority of safety in this effort will go a long way toward gaining compliance and goodwill in the collection of this information, which is necessary to maintain a safe working environment.
    • Minimize data collection. Be certain to collect the minimum amount of information needed (e.g., symptoms, exposure to carriers, testing results, etc.) to make informed decisions related to your employees' return to the office. Refrain from collecting information that may be considered discriminatory (e.g., pre-existing conditions). Remember that medical information must be maintained as confidential.
    • Separate data. Be certain to keep employee pandemic-related records completely separate from other employee data stored in personnel records (e.g., work history, salaries, legal documentation, etc.). Further, ensure that pandemic-related employee data is stored securely, using strong technical and administrative safeguards.
    • Have data retention/disposal rules. Limit the time period this data is retained. Be certain to have a comprehensive and secure data disposal/destruction policy as well. State data privacy laws may also impose additional retention requirements.
    • Effectively manage third parties. The foregoing guidelines are also applicable and should be observed when receiving information from third parties who may be visiting your facilities/office.
  • In determining whether to restrict or screen visitors to the workplace, employers should consider visitors' privacy. To that end, employers should post their screening policies so they are clearly visible to potential workplace visitors (and translated for non-English speakers as applicable to the specific workplace). If employers choose to collect information or forms from visitors, they should establish protocols for collecting and maintaining this information, including measures to protect personal information.
  • While it is less likely that employers will use "contact tracing" apps in connection with the reopening of workplaces, if these apps are used, concerns are being raised over how the mobile data will be processed and whether the collection and use of this data is lawful. Employers who are considering undertaking "contact tracing" would be well served to follow the guidance above and give careful consideration to the use and processing of this data.

Additional Safety-Related Considerations

  • Under OSHA, employers have a general duty to provide a safe workplace for their employees. In the era of COVID-19, this means that employers must make arrangements for enhanced cleaning and sanitizing throughout the workplace, but especially in "high touch" areas such as central doors, elevators and restrooms. Other precautions that employers should consider include installing plexiglass barriers when the nature of the employees' work does not permit social distancing; temporarily restricting (or carefully scheduling) employees' use of common areas in which people tend to congregate; and temporarily restricting the use of break rooms with "high touch" food and beverage equipment (refrigerators, coffee and soda machines, microwaves, etc.) that would be difficult to adequately sanitize after each use.
  • If employees customarily use personal protective equipment (PPE) such as masks or gloves in performing their nonhealthcare jobs (for example, for protection from chemicals), then the business may need to find new sources of supply for these items. The combination of the worldwide shortage and the increased demand for PPE among both medical professionals and the general public means that a company's usual suppliers probably won't have inventory on hand to fill orders on short notice. Plan far ahead.
  • If an employer's or business owner's ability to provide a safe workplace depends upon visitors wearing masks, then the employer or business owner can require visitors to wear masks as a condition of entering the business premises. We're all familiar with the signs saying, "No shirt, no shoes, no service." A sign requiring visitors to wear masks is no different. Consider making disposable masks available for those customers who don't have their own.
  • Employers may also consider other options to protect their employees from infection by visitors, such as:
    • Adjusting business practices to reduce close contact with visitors, such as offering curbside pickup, delivery options, or opening a drive-thru;
    • Implementing other engineering controls such as:
      • Erecting partitions;
      • Marking floors to guide spacing at least six feet apart; and/or
      • Moving, re-arranging, or removing furniture.
    • Providing workers, customers and other worksite visitors with a place to wash their hands as well as access to tissues and no-touch trash receptacles.
