Taking Employees’ Temperatures and other Employer Health and Privacy Quandaries

With COVID-19 sweeping the country, health and privacy questions abound. Employers need to remember that there are limits on what health information they can ask their employees for, especially when HIPAA and other privacy laws apply, even in this type of emergency. Several governmental departments and agencies have provided guidelines for what to do, what not to do, and how.

Can I take my employee’s temperature at work?

In normal circumstances, no. During the COVID-19 epidemic, maybe. Under Equal Employment Opportunity (“EEOC”) guidance, it is permissible to take an employee’s temperature if COVID-19 has become widespread in the area of your business, according to the CDC or local health authorities. This is not a clear mandate permitting employers to take temperatures. If your business is located in an area where COVID-19 is widespread and you choose to take temperatures, keep the following in mind:

• Not everyone who has COVID-19 will have a temperature and not everyone with a temperature has COVID-19;
• Only a limited number of people should be taking the temperatures; they should be medical staff whenever possible (or at least senior employees or members of HR);
• Do not act in a discriminatory manner;
• Take the temperature in private; and,
• Think carefully about whether and how to record the information (do not include it in personnel files).

Can I ask for a doctor’s note before people return to work, if they have or believe they may have COVID-19?

Yes, but doing so may cause delays to the employee’s return to work as the health system is already stretched to near capacity in some areas without the need for writing doctor’s notes.

Can I require employees to inform us if the employee (1) has come in contact with someone believed or confirmed to have COVID-19, (2) is showing symptoms that may be COVID-19; or (3) believes or is confirmed to have COVID-19?

Yes, employers can require employees to share this type of information. Keep in mind that obtaining the information puts you in possession of health information that should be kept private and secure. It should be shared only with those who need to know and details about an individual’s identity should not be disclosed when providing any updates to employees.

Does HIPAA apply when a business chooses to take a temperature, ask for a doctor’s note, or for information about whether employees have or may have COVID-19?

Not unless HIPAA already applies. With the exception of your employer-provided health plan, which is technically a separate legal entity, HIPAA does not apply to most businesses outside the health care industry. One important exception is self-insured health plans, whose sponsoring employers are often subject to HIPAA. HIPAA applies only to “covered entities” and their “business associates.” A “covered entity” is an entity that provides health care, is an insurance provider (insurance company or health plan), or a healthcare clearinghouse. A “business associate” is a business that provides services to a “covered entity” and in providing those services, needs or may have access to “protected health information.” “Protected health information” or “PHI” is information (1) created by or for a “covered entity,” (2) that is related to an individual’s health or health care, and (3) can be used to identify the individual.

Businesses should remember that HIPAA prevents employers from seeking or obtaining health information from their health plans, insurance providers or plan administrators, unless one of the limited exceptions apply.

If my business learns that an employee has or may have COVID-19, with whom and when can that information be shared?

In general, HIPAA and other privacy laws (see below) prohibit the disclosure of health information. While there are exceptions, such as for public safety, medical professionals, not employers, should be making such disclosures. HIPAA and other privacy laws still apply, even in emergencies. If you are unsure about whether and how to disclose health information within your business or to others (such as the government), seek experienced legal counsel in advance of any disclosure.

Do other privacy laws apply when a business chooses to take a temperature or ask for a doctor’s note?

It depends on your location, but probably. Most states provide for a general right of privacy and some federal nondiscrimination laws provide additional privacy protections, especially for health-related information. While employees do not normally have much or any expectation of privacy in the workplace, they may have an expectation of privacy in their personal information, especially health information. Accordingly, any health information obtained from an employee should be treated as sensitive and personal information that should be kept private and secure. You should seek experienced legal counsel before determining what information to collect, how to store and use it, as well as whether and how to disclose it.

For more information about the referenced guidance and whether and how HIPAA and other privacy laws apply to your business, contact Clark Hill attorney Charles Russman (crussman@clarkhill.com; 248-988-5868) or visit our COVID-19 Resources page.

For further information on this subject, visit the Department of Health and Human Services, Equal Employment Opportunity Commission, or Centers for Disease Control.