TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | OSHA revises guidance on tracking COVID-19 in the workplace Related reading: The pandemic and the evolution of health care privacy

rss_feed

The U.S. Occupational Safety and Health Administration revised guidelines May 19 that require employers to determine whether employees who have contracted COVID-19 did so in the workplace. 

According to OSHA's recordkeeping requirements, employers are required to conduct investigations about the cause of an employee's infection with certain parameters. In the revised guidelines, which went into effect May 26, "employers should be taking action to determine whether employee COVID-19 illnesses are work-related and thus recordable. Given the nature of the disease and ubiquity of community spread, however, in many instances, it remains difficult to determine whether a COVID-19 illness is work-related, especially when an employee has experienced potential exposure both in and out of the workplace." 

OSHA also announced it "is exercising its enforcement discretion in order to provide certainty to employers and workers." Additionally, employers with less than 10 employees "and certain employers in low hazard industries" do not have recording obligations. 

In its recommendations to compliance safety and health officers, OSHA said employers "should not be expected to undertake extensive medical inquiries, given employee privacy concerns and most employers' lack of experience in this area." OSHA also notes that it "is sufficient in most circumstances for the employer" to ask the employee how they think they caught COVID-19, "while respecting employee privacy, discuss with the employee his work and out-of-work activities" and review the work environment. 

In an article for HR professional association SHRM, Burr & Forman Attorney Kathryn Willis said, "Employers cannot assume that an employee contracted COVID-19 from going to the grocery store or otherwise being out in public." She said employers must make reasonable efforts, including by asking "the employee limited questions about how he or she believes COVID-19 was contracted." This might include inquiries about the subject's work and nonwork activities and work environment.  

Collecting workplace-related information with regard to contracting COVID-19 is part of a larger data collection obligation employers have during the pandemic.

Littler Mendelson Parter Phil Gordon, in comments to the IAPP, said, "The updated OSHA guidance in combination with state, county, and city orders regarding COVID-19 symptom screening through temperature taking and symptom questionnaires means that employers potentially are collecting significant amounts of employee health information." 

Of course, more data collection creates potential privacy issues.

In that respect, Gordon added, "Privacy pros need to team up with HR to ensure that data minimization principles are followed both in terms of collection and retention of employee health data. Privacy pros also need to ensure that as new business processes are implemented to screen for COVID-19 infection that the information that is collected and retained is adequately secured. This health information generally will not be subject to (the Health Insurance Portability and Accountability Act); however, it is subject to the confidentiality requirements of the American with Disabilities Act. In addition, more than a dozen states define health information as the type of information which, if compromised, would trigger security breach notification obligations." 

The guidance is an example of a larger paradigm shift in which privacy issues are popping up in laws and requirements that are traditionally non-privacy-related. 

Kirk Nahra, CIPP/US, a partner for WilmerHale, said, "This guidance is part of the continuing real-time guidance that is coming from the government about how to balance laws that largely were written for other purposes — OSHA and (Equal Employment Opportunity Commission)/ADA standards, for example — with the needs and risks related to COVID-19. Employers are struggling to balance all of these obligations, many of which are at least in tension. None of these laws are generally thought of as 'privacy' laws, but employee information is at the core." 

Before the current pandemic, he points out, determining whether an illness was "work-related," tended to arise "from something like a hazardous chemical in the workplace," for example. The new guidance, however, "provides both guidance and flexibility in the current pandemic," he said. 

This comes after the Department of Health and Human Services relaxed other enforcement obligations for the health care industry, specifically with telehealth activities between caregivers and their patients. 

In the bigger picture beyond the current pandemic, Nahra believes the mixing of privacy-related issues in the HR and health care industries could have a lasting impact on future guidance.  

He said, "It will be part of the broader debate about employee privacy in general that this entire scenario is creating, and also will raise issues when the pandemic is over as part of the general flood of 'temporary' guidance expires and we try to return to the 'old' state." 

Photo by kate.sade on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.