From Employers to Homeschooling to Healthcare: Federal Government Provides Guidance Clarifying Data Privacy Requirements During COVID-19
Date: April 21, 2020
In response to the COVID-19 health emergency, businesses, schools, and even parents have collected and used personal information in an unprecedented manner. For example, many organizations have begun, for the first time, screening and recording the body temperatures of their employees, contractors, and customers. Other organizations have started tracking the location and contacts of individuals who have tested positive for COVID-19 in order to minimize exposure to others. Even parents who have begun homeschooling or assisting with remote educational programs have started using online platforms and tools that collect and retain personal information on their children. Given that the United States does not have comprehensive data privacy laws applicable to all sectors and activities, businesses and organizations may be subject to multiple federal and state data privacy and cybersecurity requirements when collecting personal information in these and other circumstances.
In order to assist with understanding the broad range of potentially applicable data privacy obligations during the COVID-19 pandemic, several federal agencies have begun issuing and updating guidance applicable to specific business, educational, and healthcare activities and functions. This guidance addresses, among other areas, the following: (i) collecting employee health records and disclosing COVID-19 exposure to co-workers, (ii) protecting children’s personal data in the online education context, and (iii) disclosing Protected Health Information (“PHI”) beyond contractual limitations to prevent the spread of the current pandemic. This guidance has been especially valuable to employers, educators, parents, health care organizations, and their service providers.
Employee Health Data and Confidentiality
On April 9, 2020, the U.S. Equal Employment Opportunity Commission (“EEOC”) updated its guidance related to the types of personal information that organizations may collect on their employees during the COVID-19 health emergency, with a special emphasis placed on temperature taking and employee confidentiality. As background, the Americans with Disabilities Act (“ADA”) prohibits an employer from making “disability-related inquiries” and requiring “medical examinations” of employees, except under limited circumstances. According to the EEOC, measuring an employee’s body temperature is generally considered a medical examination for ADA purposes. In March of 2020, the EEOC stated that because of the severity of COVID-19, “employers may measure employees’ body temperature,” but that any medical information derived from the examination “would be subject to ADA confidentiality requirements.” The March guidance also addressed issues related to the types of questions employers could ask, and employment-related actions that employers could take against employees and job applicants.
In April, the EEOC updated its guidance to address new privacy-related issues and concerns related to COVID-19. In particular, the EEOC stated that the ADA requires that all “medical information about a particular employee be stored separately” from the individual’s personnel file (e.g., in a separate employee medical file) and subject to limited access restrictions. This medical information includes an employee’s self-disclosure that he or she has, or may have, COVID-19, or the employer’s notes or other documentation from questioning an employee about corresponding symptoms.
In addition, the EEOC recently gave a webinar where it addressed how employers could balance the need to maintain the confidentiality of an employee’s medical information and notify co-workers of possible exposure to COVID-19. Here, representatives from the EEOC stated that “[e]mployers should make every effort to limit the number of people who get to know the name of the employee” who has been diagnosed with COVID-19, but “exactly who in the organization needs to know the identity of the employee will really depend on each workplace and why a specific official needs this information.” For instance, a designated representative of the employer may interview an employee diagnosed with COVID-19 to identify the co-workers with whom he or she possibly had contact through the workplace, so that the employer can then properly notify those co-workers of the possible exposure. However, according to the EEOC, such third-party notification can be effectuated without disclosing the employee’s name. “For small employers,” according to the EEOC, “co-workers might be able to figure out who the employee is, but employers are still in that situation prohibited from confirming or revealing the employee’s identity.” The guidance is significant because the EEOC is not suggesting that employers refrain from notifying employees of the possible exposure to COVID-19 because co-workers “might be able to figure out” the identity of the diagnosed employee; but rather, the EEOC stresses the importance of employers maintaining the confidentiality of an employee’s name and underlying medical records when notifying co-workers of possible COVID-19 exposure. These notice and confidentiality obligations involve difficult and sensitive issues, especially in the context of smaller employment settings, and employers should exercise caution and diligence on how, and to whom, they disclose COVID-related health information.
Remote Learning and Children’s Online Privacy
On April 2, 2020, the Federal Trade Commission (“FTC”) published guidance related to the scope and applicability of the Children’s Online Privacy Protection Act (“COPPA”) in the remote learning context. The guidance is intended to assist educators, their service providers, and parents and guardians who have now become homeschoolers or are assisting with remote education during the COVID-19 crisis. As background, COPPA applies to operators of commercial websites and online services, including some education technology platforms, that are directed to children under 13 and that collect, use, or disclose personal information (e.g., first and last name; address; online contact information; a telephone number) from such children. COPPA also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Generally, organizations that are subject to COPPA must comply with several privacy-related disclosure and security requirements, such as the following: posting online privacy policies describing their information practices; obtaining verifiable parental consent before collecting personal information online from children; providing parents and guardians with access to such personal information to review and/or have deleted; and maintaining the confidentiality, security, and integrity of such information.
The FTC’s most recent guidance serves as a reminder that “schools can consent on behalf of parents to the collection of student personal information — but only if such information is used for a school-authorized educational purpose and for no other commercial purpose.” This third-party consent framework applies regardless of “whether the learning takes place in the classroom or at home at the direction of the school.”
Education technology service providers often provide online tools and platforms for schools, and thus collect and retain information on students (including children under the age of 13) when performing their services. In order to obtain consent from the school instead of from the parent, the FTC states that these providers must give the school the necessary COPPA-required notice of their data collection and use activities, and, as a best practice, should make the COPPA notice available to parents and, where feasible, let parents review the personal information collected.
Because COPPA applies to the operators of commercial websites and services, it generally does not impose obligations directly on schools or homeschooling parents. Yet, according to the FTC, as schools and parents continue remote learning programs, “they should consult with their attorneys and information security specialists to review the privacy and security policies of the [education technology] services they use” and thoroughly assess “whether a particular site’s or service’s privacy and information practices are appropriate.”
U.S. Department of Health and Human Services
On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) announced a “Notification of Enforcement Discretion” addressing additional uses and disclosures of PHI in response to the COVID-19 health emergency. This enforcement discretion complements and supplements HHS’s previous notification issued in March, which provided that HHS would not impose penalties for noncompliance with certain privacy and security requirements against certain health care providers “in connection with the good faith provision of telehealth” during the COVID-19 pandemic.
Under the current privacy and security regulations promulgated by HHS, “business associates” are generally only permitted to use and disclose PHI for public health and health oversight purposes if expressly permitted by the agreement executed between them and the covered entity (e.g., health care provider) to whom they are providing services. However, according to its April notification, HHS stated that it will not impose potential penalties for violations of certain provisions of the privacy and security regulations “against covered health care providers or their business associates for uses and disclosures of [PHI] by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.”
However, according to HHS, such disclosures are only subject to its enforcement discretion if: (i) the business associate makes a “good faith” use or disclosure of the covered entity’s PHI for public health or health oversight activities consistent with certain federal requirements (e.g., disclosure of PHI to public health authorities to control the spread of COVID-19), and (ii) the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs or commences. In addition, HHS makes clear that other federal data privacy and security regulations still apply to PHI, and business associates remain liable for complying with requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI.
As the COVID-19 pandemic continues to unfold, federal and state governments are trying to create the appropriate balance between privacy and business, education, and healthcare interests. The guidance they are providing will assist businesses, service providers, and even parents to navigate the complex data privacy framework within the United States.
FOR MORE INFORMATION
For more information about recommended steps, please contact one of our Thompson Hine attorneys listed below:
Deborah S. Brenneman
Cori R. Haper
Steven G. Stransky
Thomas F. Zych
We have assembled a firmwide multidisciplinary task force to address clients’ business and legal concerns and needs related to the COVID-19 pandemic. Please see our COVID-19 Task Force page for additional information and resources.
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.