The Coronavirus has raised new questions regarding privacy for businesses across California.
HIPAA Does Not Apply to Dealerships
There has been a recent rash of employees and consumers claiming various exemptions from local and state health orders under HIPAA, the Health Insurance Portability and Accountability Act. While the law does include important privacy rules, it does not apply to dealerships, as they are not “covered entities.” For purposes of HIPAA, covered entities include heath care providers, health plans, and health care clearinghouses. However, while HIPAA does not apply to dealerships, the American’s with Disabilities Act does, which means that privacy remains an important issue for businesses dealing with the Coronavirus.
All businesses should require symptom screening of employees and customers before they enter a place a business in order to stop the spread of the virus. Depending on local rules, this check may take place at home or on site, and information about symptom check requirements should be posted at all entrances to the facility.
Some businesses are choosing to actively engage in screening by taking temperatures of employees and customers before they enter the business facility. In these circumstances, businesses should make every effort to ensure the privacy and confidentiality of the employee or customer. For example, temperatures should be taken in a location that allows for privacy. If another staff member will be conducting the temperature check, the staff member should be trustworthy with respect to confidentiality.
If the business will keep records of symptom checks, employees and customers should receive a CCPA compliant notice of the data collection and how the data will be used. For example, if employees must submit a form daily attesting to having conducted a symptom check, those employees should receive a CCPA notice. In addition, any records related to symptom checks should NOT be stored in the employee file, must be stored securely, and access to these records should be limited.
Privacy and Coronavirus Outbreaks
As a general rule, employers should NOT disclose the identity of an employee who has contracted coronavirus or who is suspected of having the virus. Employers should make every reasonable effort to protect the confidentiality of employees’ medical information, as required by the ADA. Any health information about an employee, including his or her Coronavirus status, should be maintained securely and separately from the employee’s personnel file.
Nonetheless, employers also have an obligation under state and most local rules to investigate potential exposures at the business and take action to isolate employees with a suspected exposure. To protect employee privacy, though, this investigation should focus on interviewing the infected or exposed employee to ascertain his or her contact with other employees and customers. If the infected or exposed employee reports being within six feet of another employee or customer for over 15 minutes, that employee or customer should be informed of the potential exposure, while the infected employee’s privacy is protected.
These privacy issues are complicated, and as businesses develop and modify their plans, they should consult with competent attorneys familiar with these privacy matters.