The global pandemic has created unique risks for handling employees’ exposure to, or positive testing for, COVID-19.  To ensure a safe workplace, companies have to address delicate issues surrounding employee safety. 

The United States does not have a federal privacy law to address this specific situation (unlike Europe and Canada) and the treatment of employees personal information.  Interestingly, the HIPAA laws do not cover employers and are limited to health care providers and insurance companies.  Similarly, most state privacy laws apply to health care providers and health insurance companies but do not include employers. 

Even though there is no direct privacy statute that applies to this unique situation, related statutory laws focused on discrimination may apply.  The Americans with Disability Act and the Family and Medical Leave Act restrict employers from requesting certain medical information from employees.

A company that learns that an employee has been exposed to, or tested positive for, COVID-19, has an obligation to disclose information to other employees needed to ensure the protection of other employees’ safety and health.  But such disclosures have to avoid any specific identification of the employee suffering from the virus (or exposed to the virus).

Some companies are making generic disclosures of workplace risks and conditions to other employees based on specific authorizations from the sick employee.  Such authorization has to be voluntarily given and in writing and subject to periodic updates. 

Again, any disclosure should NOT include the identity of the employee (or should not be singular information such that the individual can be identified).  The disclosure can identify a “co-worker” or “contractor” who tested positive or was exposed to the COVID-19 virus (e.g. a close family member).

If the employer discloses the employees name or provides information about his/her specific medical condition, the employer may violate the ADA (Title 42) Section 12112(d), which covers such information as a “confidential medical record” that can only be disclosed for very limited purposes.  The Family and Medical Leave Act also bars disclosure of medical history information relating to an employee’s eligibility for leave.  29 C.F.R. Section 825.500.  The Equal Employment Opportunity Commission has construed these provisions from the ADA and the FLMA to protect such information about an employee’s medical condition. 

With respect to testing, the EEOC issued guidance on March 21, 2020, suggesting that employers may require testing of all employees, whether or not the employee suffers from symptoms or has been exposed.  Such a policy, however, has to be reviewed carefully and executed after consultation with counsel.  Under the ADA, a company could argue that requiring such testing is necessary to respond to a medical condition that could pose a direct threat of harm to other employees. 

When discussing the issue with the employee, the employer should ask the employee who the employee was in contact with during the last 14 days, including the office where the employee worked, the location of any shared spaces in which the employee worked, and visits and meetings the employee may have had with other employees.  Such information may be disclosed generically without identifying the employee.

The new COVID-19 pandemic paradigm requires careful strategies that balance privacy and workplace safety.  To preserve a company’s commitment to trust and integrity, the company has to strike a balance that is consistent, fair, and transparent.