COVID-19: Walking the Line Between Worker Safety and Privacy
Sam Gandhi, Wendy Lazerson and Kate Heinzelman
The COVID-19 pandemic poses unprecedented challenges for employers. Businesses need to walk the line between keeping employees safe and respecting their privacy. How do employers ensure a safe and healthy workplace, and how do they manage layoffs, furloughs and benefits in this rapidly deteriorating economic environment? We’ll find out in today’s podcast.
There is a risk in forcing somebody to come into work who claims that they are fearful should they then be exposed at some point or become ill.
As basic as it may seem, the question of what laws apply here — that’s actually a very complex one in this environment.
We lawyers have been kept on our toes because things are changing on a daily basis.
Do I think that we will go back to a world that feels like a pre-COVID world once this is all done? No. I think this will force some introspection about our privacy laws.
From the international law firm Sidley Austin, this is The Sidley Podcast, where we tackle cutting-edge issues in the law and put them in perspective for businesspeople today. I’m Sam Gandhi.
Hello, and welcome to the special edition of The Sidley Podcast, part of Sidley’s ongoing efforts to help you stay on top of legal developments in the coronavirus crisis. You can find more information in our COVID-19 Resource Center at Sidley.com.
Today, we focus on the privacy and employment challenges posed to businesses during the COVID-19 crisis. I’m joined by Sidley partners Wendy Lazerson and Kate Heinzelman.
Wendy is the co-chair of Sidley’s labor and employment practice and a partner in the firm’s San Francisco and Palo Alto offices. She advises employers on workplace issues and conducts workplace investigations and represents employers in their workplace disputes. Kate advises clients on privacy and cybersecurity issues and on responding to data breaches, particularly in healthcare and life sciences. She joined Sidley from the Department of Health and Human Services and brings the perspective of a regulator, as well.
Wendy joins us from Palo Alto, California, and Kate joins us from Washington, D.C. Wendy and Kate, great to speak with you today.
It’s great to be here, Sam.
Great to be here, Sam. Thanks.
Disclosure of information and privacy are huge concerns in this new landscape, and knowing what to tell employees regarding a potential occupational exposure or when a worker tests positive is tricky. Kate, if I’m an employer, what information can I share with my workforce about other employees’ exposure or illness?
Thanks, Sam, for that question. It’s obviously a really important one in the current environment, and it’s also one of those questions that it’s not just about what you can do. It’s also about what you should do.
In any crisis, it’s really important to think about communications and to be deliberate about them. Keeping lines of communication open is important. Being clear with employees in your communications about what you know and what you don’t know — that’s important for so many reasons, particularly in the context of this virus. Given the transmissibility of COVID, given the many ways in which individuals manifest symptoms, it can be important to communicate with your workforce for multiple reasons: To inform them of the steps that they can and should take to protect themselves; to inform them about potential exposure to the virus if you learn of COVID in your workplace; and also to inform them about what you’re doing to address and respond to the virus and to reported cases so that expectations are set, and to do so in a way that encourages transparency and their willingness to share with you, because that is such an important part of knowing how to protect others in your workplace.
So, what have federal agencies said about the direct question that you asked, about what employers should tell other employees? Regulators have said that you should inform other employees of their possible exposure to the virus, but that you should maintain confidentiality. In recent weeks, representatives of the Equal Employment Opportunity Commission, or EEOC, have explained that certain individuals in your organization — that given the example of a manager or an official of the organization — may need to know, and that that will depend on the workplace and need-to-know considerations.
But they’ve cautioned about making efforts to limit the number of people who get to know the name of the employee — they’ve cautioned against specifically identifying the employee more broadly.
So there’s not a lot of clarity about what this direction — to inform other employees of their potential exposure but maintain confidentiality — means, and that means that employers have to interpret what’s been said and the underlying sources of law and understand and assess the risks and take a fact-informed approach.
I should note that the law here is nuanced and that the ADA [Americans with Disabilities Act] is not the only potentially relevant source of law. There can be state law and certain federal law that affects how information can be collected and how it can be used, and so all of that should be taken into consideration as employers consider what to do and how best to communicate to their employees in cases of reported COVID.
And Wendy, is there a risk to an employer to not disclosing potential exposure or illness?
Yes, Sam. In this environment, and as Kate has pointed out, this is a disease that is highly transmissible. So, therefore, not disclosing to the workforce can place employees in an unsafe situation, and employers do have a duty to provide a safe workplace.
As Kate points out, there are no clear answers here. This is unprecedented, and so employers need to weigh the risks and consider what is the danger to the employees who do not have the disease in the workplace who may be placed in close proximity to an employee who either has the disease or who has been exposed to the disease. And employers will need to look not only at federal guidance but also state guidance and, in some cases, local guidance.
And Kate, what privacy laws are in play here? Have states come out with guidance or executive orders that clarify or, frankly, override existing privacy laws?
Yeah, it’s a great question, and as basic as it may seem — the question of what laws apply here — that’s actually a very complex one in this environment. So a lot of folks start with the question, they say, Well, this is about medical privacy, so isn’t it HIPAA [Health Insurance Portability and Accountability Act] that I should be primarily concerned with? And HIPAA is obviously very important in the context of medical privacy generally, but HIPAA’s scope is limited. HIPAA applies to healthcare providers, health insurers and healthcare clearinghouses.
So while employers outside of those areas may also be HIPAA-covered entities with respect to their employee health insurance plans, for the most part, the COVID-related employment questions that arise actually don’t involve HIPAA, because they involve regular employers and information they receive about their employees in the context of their being an employer as opposed to in the context of them being, for instance, a healthcare provider.
So where do you look for the other rules of the road that apply in this circumstance on the privacy side? The answer is you have to look in a lot of different places. This is multilayered, to put it lightly, and those layers, as I’ll discuss in a minute, are changing rapidly as those states and localities put out guidance and, in some cases, mandatory orders about what employers and businesses should be doing.
The law that drives a lot of the analysis at the federal level — and that is referred to by the federal agencies and several state governments and local governments that have spoken to this question — is the ADA, the Americans with Disabilities Act. So some of the analysis starts there, with the ADA being a primary source of law here. Of course, the Rehabilitation Act, as well.
But state laws are important and can pose limitations on the information that can be both collected and disclosed. State laws and guidance can also, conversely, require disclosures. For instance, there are state laws and state recommendations about reporting cases of COVID to public health authorities that apply in different circumstances and to different types of entities.
So all of that is to say that there are a number of layers to the privacy analysis. They involve federal rules. They involve state rules, and they can sometimes involve local rules, as well. You’d need to check the internet far more often than most of us normally have the time to do just to stay on top of all of this, particularly as these guidances are being updated rapidly.
And Wendy, every family has been relying on grocery delivery, pharmacists, other essential businesses, and the list of essential businesses […] vary by state to state. But if you’re an employer that’s running an essential business, can you force an employee to go into the office as an essential worker?
Well, Sam, that’s a question that has popped up very frequently in the last few weeks. First, figuring out what is an essential business, because that is something that changes also weekly as the various counties issue varying orders [and] amend their orders quite frequently. So what might be an essential business one week may not be an essential business the next.
But in any event, I think answering this question not only involves legalities but practicalities. Are we going to have productive employees in the workplace when they’re there against their will? Probably not. In addition, given the fact that we don’t know everything there is to know about COVID, there is a risk in forcing somebody to come into work who claims that they are fearful […] should they then be exposed at some point or become ill.
So probably, while every situation is different and employers should take a look at the individual facts and circumstances, from a practical standpoint, it’s probably a better practice to give employees a choice, if possible. Because I know we do need to keep our essential businesses running, but the best thing to do would be to give employees a choice, which may mean that they’re not going to continue to get paid if they choose not to come to work.
And Kate, I want to just follow up on the privacy issue a little bit more. I have to think that some may be taking the view that privacy laws just no longer apply in this environment, and is that the case, or are there still any exceptions to that common, maybe, misperception?
You’re right, Sam. Some have been advocating for that approach. Some have been arguing that state and local health departments should be releasing more information than they’re releasing. […] The nature of this virus has prompted some really important questions about how to strike the right balance, and government entities have responded differently.
In some cases, government has said, No, we’re not relaxing the rules. We’re not going to delay enforcement. An example of that is that there’s a new California privacy statute, the CCPA [California Consumer Privacy Act], that went into effect in January that has an upcoming enforcement deadline. A number of businesses wrote to the California attorney general asking for a delay in enforcement, and the attorney general’s office has indicated that there will be no delay.
In other cases, regulators have indicated they will exercise certain flexibilities. So, while the rules haven’t been fully suspended by any means, there are, in some cases, enhanced flexibilities. Just to give a sense of those, the Department of Health and Human Services, which enforces HIPAA, has indicated that they are going to exercise enforcement discretion during this period with respect to certain HIPAA-covered activities. They have called out, in particular, telehealth and certain entities, businesses that are offering testing services. In those cases, they relax some of the HIPAA rules.
But that is not to say that all bets are off. As unprecedented as this is, there are still good reasons for having certain restrictions, and regulators have expressed that.
In your view, do you think some of the walls that these protections were meant to put up have come down, at least temporarily? Do you think they’ll ever go back up, or do you think they’re just down for the duration during this crisis and beyond?
The same question comes up in most national-emergency-type situations. This question was at the forefront of public attention in the wake of 9/11, right, in thinking about how our response to counterterrorism might change our long-term orientation on privacy issues and on civil rights and civil liberties issues.
And to some extent, we’re changed by these experiences. We’re changed by these periods of self-reflection, of changing the rules slightly. You know, we learn from that. So, do I think that we will go back to a world that feels like a pre-COVID world once this is all done? No. I think this will force some productive, hopefully, introspection about our privacy laws and about the ways that we protect medical information and think about the value of medical information.
And hopefully, those changes will be for the better and we’ll be more informed about the trade-off and the risks and the balancing. This conversation about whether medical health privacy law was well suited to the current age began long before COVID and I suspect will continue long after.
You’re listening to The Sidley Podcast. We’re speaking with Sidley partners Wendy Lazerson and Kate Heinzelman about privacy and employment challenges posed to businesses in our age of COVID-19. Wendy is the co-chair of Sidley’s labor and employment practice and defends leading companies throughout the U.S. in all types of workplace disputes. Kate is a member of Sidley’s privacy and cybersecurity, healthcare, and commercial litigation groups and focuses her practice on technology, privacy and regulatory matters.
Wendy, I want to talk about safety in the workplace, and given how infectious the virus is, safety measure are, of course, ramping up in those businesses that are still essential and continuing. Are employers checking people’s temperatures, and what are their obligations to do so?
Sam, this is something that has been evolving over the course of this outbreak. Several weeks ago, it was unthinkable [in] certain states, like California, where I practice, that an employer would ever be taking the temperature of an employee, because taking a temperature is a medical exam. And an employer would never be giving a medical exam to an employee.
But as this has developed and the contagiousness of the disease has become quite evident, the EEOC has issued guidance, and it does suggest — strongly, in certain circumstances — that temperatures be taken.
In any event, employers definitely are taking temperatures, but then the manner in which they do so is important because there needs to be consistency and fairness, and privacy needs to be protected to the extent that it can be. So, for example, think about being in a line at a bank where privacy is important, and distancing helps protect privacy in terms of the disclosure of information. If employees are lined up outside of a factory, for example, and temperatures are going to be taken, there are ways that it can be done that will be more protective of privacy than in other ways.
And also, there would need to be consideration of the safety of the individual or the employees taking the temperature. So there are all kinds of issues that do come into this, but in the current climate, yes, many employers are taking temperatures.
If I’m an employer, do I have any liability if I decide not to do that? Do I have liabilities for not taking what we think are fairly extraordinary safety measures in this era?
Well, Sam, you’re asking a question without a definitive answer because there are no clear precedents for this, but we have to weigh and balance the risks. And given the contagious nature of this disease, it would seem that there are risks for not taking temperatures and, therefore, potentially exposing employees. Yet, on the other hand, we also know that not everybody who has the disease has a temperature. So we have to think about that, as well. I think this is a very complicated issue and requires a lot of careful thought and the weighing of risks.
Kate, I want to talk about another large issue that has always had high risk but a higher risk now where everyone is working remotely, and that’s cybersecurity. In these unusual times, many workers are operating out of their living rooms or kitchens or dining rooms or home offices, and we’re blurring the lines between home and work. And that landscape makes cybersecurity a real challenge. Remote working also increases the risk of cyber theft and hacking. So what are the other risks, and how do you mitigate them?
We’ve seen already that cybercriminals are working to exploit this moment. They’re working to think about how the changes in the ways that we communicate and the platforms that we use can be exploited to their advantage. There have been several alerts from regulators about the types of scams they’re seeing.
So what are the types of things employers can do in this environment to get ahead of these types of threats? Well, one thing you can do is to make sure your employees are aware. Make sure they know that cybercriminals are exploiting this moment, to make sure they know how to securely use applications and your systems, how to properly store documents, as they’re working from home instead of from the virtual fortresses of your offices.
Another thing that employers can think about is whether their existing policies and procedures for responding to attacks, for both recognizing attacks and being able to respond quickly to them, are adapted and adaptable to the new working environment.
As we’re recording this, we’ve recently seen that there are 16.6 million people who are out of work, and many people think that that number is underreported because of the inability of people to actually get on states’ website[s] to apply for unemployment insurance.
Wendy, if an employee has been furloughed because of the business environment as a result of the virus, what rights do they have? And explain the difference between a furlough and actually being laid off.
I think this topic has been given more thought in the last few weeks than ever before because there are so many moving parts here, particularly with the emergency federal legislation — the CARES Act [Coronavirus Aid, Relief, and Economic Security Act] — and now with the stimulus package and the qualification for loans that can be impacted by whether employers keep their employees employed, lay them off or furlough them.
So, a furlough basically is a temporary layoff, and you’re still employed, and you may qualify for benefits under your employer’s healthcare plans and you may continue to accrue benefits because you’re still an employee. A termination is an end of the employment relationship, and some of the things that employers need to think about in an era when they need to preserve their cash is: If I terminate an employee, do I need to come up with a big sum of money to pay out accrued benefits? Is it better financially to continue to employ people and put them on furlough so I don’t have to do that, but I will continue to pay their benefits?
And for there to be a furlough in the first place, you have to have a good-faith intent that you will be bringing these people back to work. So that, ultimately, if you’re doing this to avoid making payments that you would otherwise have to make if you terminate an employee, there could be potential liability for acting in bad faith.
Under the emergency legislation, there are benefits available to employees who have reduced work schedules, as well as who are temporarily furloughed, that would not otherwise be available to them […] in certain circumstances, and these things vary with the size of the employer and other factors. So all of these things have to be looked at very carefully and, again, on a state-by-state basis, because unemployment insurance starts at the state level. And then on top of that, we have, in certain cases, emergency federal benefits available.
There’s new legislation with regard to family leave, and then some states also have their own family-rights act. So, again, this needs to be looked at on a state-by-state basis and to be thought of very carefully — almost like the pieces of a puzzle and putting it all together to figure out what’s best for the employer, what’s best for the employee, in the long term.
And let me ask you one last question on this, which is: Does the WARN Act [Worker Adjustment and Retraining Notification Act] apply? I know various states have various different WARN requirements and notice requirements, but if I’m an employer and I just don't have the funds to keep people employed, even for another 30 days, do I need to follow the WARN Act?
Sam, that’s a very good question, and again, we start the WARN Act analysis on a state-by-state basis because some states do have their own WARN Act and others don’t. But there seems to be general recognition on the parts of the governors where there are states that have their individual acts, […] as well as on the part of the federal government for the federal WARN Act, that this COVID crisis is an unanticipated, unforeseeable situation that requires a waiver of the pay requirements of the WARN. But there are still notice requirements in certain states and federally so that employers are required where the WARN applies.
That’s another whole analysis that needs to be done on an employer-by-employer basis, where reasonable notice must be given to the employees, and the employer must explain in the notice why the layoff is occurring. And now we have new language that we have to include with regard to the COVID crisis as being the reason for the layoff in many of these situations.
Kate and Wendy, as we finish up here, when you advise an employer about […] privacy or employment matters, what’s the number one thing you tell them that’s probably the most important thing for them to think about in this environment?
I’m happy to respond first, and that is, Sam, that this is a rapidly changing situation, and we lawyers have been kept on our toes because things are changing on a daily basis. So it is important for employers to be aware that the answer you get on one day may change on the next day. So it’s very important to be aware that we give the best advice we can with the present information, but this is an evolving situation and to be attuned to that fact.
Well, it’s always hard for me to come up with just one. So I’ll start by seconding what Wendy just said. I couldn’t agree with that more, and piggybacking off of that, you have to think about how you’re going to stay on top of all the new developments, the guidances, the recommendations that are coming out from all corners and at what feels like an increasingly rapid clip.
And as you do that, another thing that’s really core to helping to mitigate some of the privacy and cybersecurity risks specifically is thinking about — as you’re monitoring new information, as you’re taking in new information, as you’re communicating with new people, as your employees are communicating with you in ways that they haven’t before — what are the channels through which you’re going to receive those communications? Who’s going to hold those records? Who’s going to be your intake person?
And having that well ironed out in advance helps to mitigate some of the privacy risks. It helps to fulfill some of your privacy obligations — with respect to medical information, for instance — and it helps manage enterprise risk.
Another consideration that I’ll close with is just that as much as we have frameworks that apply in these circumstances — there are legal frameworks that specifically apply in public health emergencies — we are still dealing with circumstances that are largely unprecedented in this country. And so people who are advising companies and company leaders need to keep that in mind as they look at how the laws and the rules apply in these circumstances.
Sam, I did want to make one more point, and that’s with regard to the application of the Americans with Disabilities Act in the context of COVID. Employers should be aware that certain aspects of the Americans with Disabilities Act apply to all employees and applicants, while others apply, at least according to some courts, only to those with qualified disabilities.
In particular, when thinking about COVID as it pertains to reasonable accommodations, the ADA will only apply to those with a qualified disability, and this may vary depending on the severity of the COVID symptoms the employee suffers from. However, in the case of various privacy protections, such as those involving medical examinations like temperature taking, the ADA may have broader application. So it’s important for employers to be aware that they have to think about the Americans with Disabilities Act carefully — in context and with regard to specific issues.
We’ve been speaking with Sidley partners Wendy Lazerson and Kate Heinzelman about privacy and employment concerns relating to the coronavirus. Wendy, Kate, these are really unusual times for employers, who are balancing safety, privacy and economics for their workforces. Thanks for sharing your insights today.
Thank you, Sam.
Before we wrap up, a word about Sidley Insights, the content section of our website. We’ve set up a special page with the COVID-19 Resource Center. You can read articles related to various legal issues impacted by the coronavirus crisis, including the effects on mergers and acquisitions, securities disclosure, environmental law and contract disputes.
And we’re going to be posting more in the coming days, and we’re planning future podcasts, too. You can find our COVID-19 Resource Center by going to Sidley.com.
You’ve been listening to The Sidley Podcast. I’m Sam Gandhi. Our executive producer is John Metaxas. You can hear more episodes at Sidley.com/SidleyPodcast, or subscribe on Apple Podcasts or wherever you get your podcasts.
This presentation has been prepared by Sidley Austin LLP and Affiliated Partnerships (the Firm) for informational purposes and is not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. All views and opinions expressed in this presentation are our own and you should not act upon this information without seeking advice from a lawyer licensed in your own jurisdiction. The Firm is not responsible for any errors or omissions in the content of this presentation or for damages arising from the use or performance of this presentation under any circumstances. Do not send us confidential information until you speak with one of our lawyers and receive our authorization to send that information to us. Providing information to the Firm will not create an attorney-client relationship in the absence of an express agreement by the Firm to create such a relationship, and will not prevent the Firm from representing someone else in connection with the matter in question or a related matter. The Firm makes no warranties, representations or claims of any kind concerning the information presented on or through this presentation. Attorney Advertising - Sidley Austin LLP, One South Dearborn, Chicago, IL 60603, +1 312 853 7000. Prior results do not guarantee a similar outcome.