During a pandemic, data privacy concerns may appear to take a back seat. However, while the Office of Civil Rights has expanded the electronic platforms that may be used for HIPAA-related purposes and the EEOC now lets you take temperatures, the fundamental rules for both patient and employee privacy need to be followed to avoid liability issues once the world turns its attention back to compliance matters.
On March 19, 2020, the EEOC updated its prior pandemic guidelines to take into account COVID-19 guidance from the CDC. Primary changes relate to the ability of an employer to take the temperatures of both existing employees and those post-offer and pre-hire. While temperature checks continue to be considered a physical exam as defined by the ADA/ADAAA, based on CDC recommendations, the EEOC now considers this practice to be an acceptable business and safety need.
Taking employee temperatures (and those of visitors, when allowed again) should involve providing notice and ensuring compliance with HIPAA and other privacy regulations. Posting form notices that temperatures will be taken provides data that can later be useful to show that you were compliant with all CDC recommendations and processes.
The EEOC also notes that such information must be kept secure in order to be ADA/ADAAA compliant. This clears the way for employers who deem temperature checks necessary as long as they observe some basic confidentiality requirements such as limiting access to the data and storing it securely.
When it comes to taking the temperature of visitors in a health care setting, you will want to keep records of the visitor names as well as the resident/patient name. This is HIPAA-protected information, so facilities are advised to ensure their data storage is HIPAA compliant.
There is also a question of how long to store the data. Right now, we do not have clear guidance or statute on this question, but it is worth noting that in many instances, a minimum time frame for keeping data such as employment applications is one year. Another recent post addresses the issues of taking employee temperatures.
Additional issues have also arisen as to whether temperature information would be considered biometrics. Iowa does not have a specific statute regarding how biometric data would be kept, accessed, or destroyed; however, surrounding states do. Perhaps one of the most complex is the Illinois Biometric Privacy Act. Based on the definition in the Act, it seems unlikely that taking the temperature of an employee or anyone else would be considered biometrics as covered by this statute; however, such documentation should still be afforded appropriate security and privacy. Under the ADA, it may be considered employee health or exam information, and when it is eventually destroyed, that should be done in a secure manner.
In an effort to protect their workforce, some employers have recently begun questioning employees about underlying conditions such as pregnancy and heart or lung disease. The EEOC continues to state that inquiries of this type are not appropriate as they violate the ADA/ADAAA as well as the Pregnancy Act.
You may tell employees to come to HR with questions or concerns, and you may ask about travel, fevers, coughs, and whether anyone they encountered is symptomatic. Although OSHA guidance suggests you assess underlying conditions in your workforce, pursuant to the EEOC you MAY NOT question employees about their underlying conditions unless that employee raises that issue with you.
It’s Still on You to Comply
Although healthcare providers have many concerns to address right now, from protecting the safety of their residents and patients to ensuring their providers stay healthy and an adequate workforce is available, compliance should still be on your mind. We have no reason to believe that there will be any relaxation of compliance regulations and every reason to believe that providers who do not maintain health-related information in a secure manner will face issues following the pandemic.
If you have facilities in multiple locations that are logging temperatures, make sure that the person performing the screenings understands their role in protecting privacy and that a secure location is available to them to store the logs.
Davis Brown Law Firm blogs, legal updates, and other content are for educational and informational purposes only. This is not legal advice and it does not create an attorney/client relationship between Davis Brown and readers. Each circumstance is different; readers should consult an attorney to understand how this content relates to their personal situation. You should not use Davis Brown blogs or content as a substitute for legal advice from a licensed attorney in your state. Reproduction of Davis Brown content without written consent is prohibited.