When employers receive notification of an employee's confirmed case, many ask the following questions: "Who needs to know?" "Who is allowed to know?" The Centers for Disease Control and Prevention (CDC) has issued "Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019 (COVID-19)." This guidance recommends that, in the event of a confirmed employee case of COVID-19, employers should "inform fellow employees of their possible exposure to COVID-19 in the workplace" and direct employees to the CDC's Public Health Recommendations for Community-Related Exposure. In following the CDC's recommendation to inform coworkers of possible exposure, however, employers must be mindful of employee privacy rights.

Applicable privacy legislation and guidance

Privacy rights regarding medical information come from a variety of sources under federal, state and even international law. The Health Insurance Portability and Accountability Act (HIPAA) is a frequent source of employer questions about employees' health-related privacy rights. HIPAA protects all "individually identifiable health information" from disclosure. Individually identifiable health information includes many aspects of an individual's health, including an individual's current medical condition.

HIPAA's privacy obligations, however, apply only to "covered entities," which include health care providers, health plans, health care clearinghouses and "business associates" of covered entities. Employers are not typically covered entities under HIPAA. As a result, employment records and employer inquiries are generally not subject to HIPAA's privacy rules. However, employers should consult applicable state law to ensure compliance with any additional obligations. Further, some employer may be covered by the EU General Data Protection Regulation (GDPR). This international privacy law protects sensitive data like health care information.

The CDC's Interim Guidance warns employers to be mindful of employee privacy rights under the Americans with Disabilities Act ("ADA") when informing coworkers of possible exposure. ADA regulations require that employers keep confidential information about the medical condition or history of any employee that the employer obtains from a medical examination or inquiry. Employee medical condition and medical history information should be kept separately in the employee's medical file.

The Equal Employment Opportunity Commission (EEOC) enforces the ADA and has expanded its guidance to include specific information for employers during COVID-19. The EEOC advises employers to follow the CDC's guidance but notes that federal anti-discrimination laws (like the ADA) still apply.

The EEOC notes that employers must keep employee medical information confidential and in a separate medical file, consistent with the ADA. Employee medical information related to COVID-19 may be kept in the employee's existing confidential medical file. The EEOC notes that information to be kept in the confidential medical file includes "an employee's statement that he has the disease or suspects he has the disease, or the employer's notes or other documentation from questioning an employee about symptoms." Further, the EEOC's specific pandemic guidance for the ADA has been updated for COVID-19 to note that employee medical information regarding COVID-19 symptoms is subject to the ADA's confidentiality and recordkeeping requirements.

The employer must balance the sick employee's privacy rights against the CDC's recommendation that employers inform coworkers of potential exposure. In doing so, a best practice is to avoid naming the sick employee to his or her coworkers. The CDC's Interim Guidance recommends that employers not reveal the identity of the sick employee, and this tactic may help employers avoid liability under the ADA and other federal, state and international privacy laws.

The CDC recently provided specific guidance for protecting critical infrastructure workers. The guidance notes that employers should compile "[i]nformation on persons who had contact with the ill employee during the time the employee had symptoms and 2 days prior to symptoms," specifically including employees who had close contact within 6 feet of the sick employee during the relevant time period. Again, employers of critical infrastructure workers should be careful to protect the sick employee's privacy while compiling potential exposure information. A possible solution is to work with the sick employee to determine work areas he or she visited during the relevant time period and coworkers with whom the sick employee had close contact. Employers should avoid revealing the identity of the sick employee to compile this information.

During the outbreak of COVID-19, employers must carefully follow guidance from the CDC, the Occupational Safety and Health Administration ("OSHA"), and other applicable health authorities to mitigate the risk of workplace exposure. In the event of a confirmed employee case of COVID-19, employers should communicate with employees so that they can make informed decisions regarding potential exposure. However, in doing so, it is critical that employers protect sick employees' privacy rights. Effective communication with coworkers and with sick employees will help employers strike the appropriate balance between disclosure and privacy.

Caroline H. Page ([email protected]) is an attorney at Burr & Forman in Birmingham, where she practices in the firm's Labor & Employment and Corporate & Tax groups. 

Read more:

• The Families First Coronavirus Response Act: What employers should know
• COVID-19 will add to employers' already increasing health care costs
• Interoperability may jeopardize consumers' health care privacy