Preparing for the federal COVID mandate

Protecting employee privacy

This month, the Biden Administration announced that it has directed the Department of Labor’s Occupational Safety and Health Administration (OSHA) to issue Emergency Temporary Standards requiring that employers with 100 or more employees mandate that employees be fully vaccinated for COVID-19 or test on a weekly basis for COVID. OSHA has not yet released these Temporary Standards, but the news has already raised important questions for employers, including how to handle employee medical information. This article reviews the state of the law with respect to employee health information and makes recommendations regarding what every employer should do now to prepare for the new Temporary Standards.


Medical privacy in the workplace is governed by a complicated legal landscape of federal laws (for instance, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Occupational Safety and Health Act) and state laws (the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA)). Whether an individual law applies depends on an employer’s industry or size, the data collected, and the purpose of the collection.

In addition, all Californians have a constitutional right of privacy. That right extends to an individual’s medical information. California employers must ensure employees’ medical information is kept confidential and protected from unauthorized use and disclosure. Further, under the ADA, employees’ medical information must be stored separately from personnel files and access must be limited.

Health status – COVID test results

An employee’s COVID-19 “status” is individual medical information subject to privacy laws. Employers must keep this information confidential and protected from unauthorized use or disclosure.

Employers should establish a confidential point of contact for employees to report that they have tested positive for COVID-19 or been exposed to someone who has. This point of contact should be trained in privacy rights issues and should use a process that ensures the confidentiality of the individual employee’s information. Employers’ processes should include a clear protocol for sharing information as necessary (for example, reporting to local governments and informing supervisors and potentially exposed employees), as well as for protecting the employee’s privacy rights during those processes.

To alleviate some of the concerns regarding information sharing, employers should also consider asking employees, either before or after they test positive, for authorization to share any positive test results with others as necessary to reduce the risk to others. Employers should prepare their contact tracing protocols so that they balance an individual’s right to privacy against the need to protect others.

Obviously, other employees may deduce which employee tested positive based on information relayed and who is thereafter absent from work. This differs from an employer disclosing individual results. Remember that due to privacy laws, employers cannot confirm the medical status of any particular employee.

If an employee is absent from work, the employer may ask for an explanation. If the employee discloses a medical reason for an absence, that information constitutes a confidential medical record and must be kept confidential and protected from unauthorized disclosure.

Storing health information

The ADA requires employers to store all information collected as a result of disability-related inquiries, examinations, and the interactive accommodation process as a confidential medical record, regardless of how it was obtained. We recommend that employers handle all medical information collected from an employee in compliance with the ADA, as nearly any health information could end up becoming relevant to the ADA in the future. For example, if an employee tests positive for COVID and later develops long-lasting symptoms that result in a disability, having treated that information in compliance with the ADA will protect the employer.

The ADA rules require that disability-related information be collected on separate forms, kept in a medical record that is separate from general personnel information, and stored in a location that is accessible only to authorized personnel who have a legitimate business need to access the information, such as designated human resources personnel. This is also good advice under California’s CCPA, as unauthorized access to medical information may give rise to a private lawsuit.

Employers may keep and maintain employee information as hard copy and/or electronic records. If electronic records are kept, employers must comply with applicable federal, state, and local laws and store the information using industry best practices. Hard copy information should be stored in a secure manner, such as in a locked cabinet.