Many employers in the US are grappling with appropriate efforts to contain and protect the workforce against COVID-19. Those efforts include employee and visitor screening activities that range from requiring all personnel to provide an affirmation upon admission to a worksite to taking vital signs or other hands-on screenings. But are those screening activities lawful under applicable privacy and confidentiality laws in the US? And what should employers do when they have reason to suspect someone is infected? Are there obligations to inform other employees or health authorities?


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes restrictions on disclosures of protected health information only on a covered entity’s or business associate’s workforce. As such, unless a disclosure is made by or on behalf of an employer’s Group Health Plan, HIPAA should not generally apply to the scenarios described above, since the Group Health Plan is considered to be a separate legal entity under HIPAA, and we assume that none of these activities would be paid for by the Group Health Plan under covered insurance transactions. Business associates are generally persons or entities that perform functions or activities on behalf of a covered entity, such as a Group Health Plan, which as noted should not be implicated here. Accordingly, HIPAA’s Privacy Rule does not apply to the collection, use, or disclosures of individually identifiable health information made by an employing entity in the context of worksite COVID-19 screening activities.


The Illinois Biometric Information Privacy Act (BIPA) restricts the collection, use, or other processing of biometric identifiers by entities (including employers), unless certain requirements are met. Those requirements include, among others, informing individuals that biometric information is being collected or stored; informing individuals of the purpose for which, and the length of time, this information will be retained; obtaining a “written release” for the collection, use, and storage of that information; and establishing and posting a policy on these issues. In the context of an employer performing COVID-19 worksite screening activities that seek to obtain body temperature through a hand-held thermometer or a temperature scan, BIPA should not apply because the term “biometric identifier” generally refers to a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Photographs, human biological samples used for testing or screening, and demographic data are specifically excluded. Performing temperature scans or other basic screening activities should, therefore, not fall within the definition of “biometric identifier” that triggers the application of BIPA, unless specific data is collected.

Other State Privacy Laws

At the state level, several states have generic medical confidentiality laws, but those laws should generally not restrict worksite screening activities. California, for example, has the Confidentiality of Medical Records Act. This law generally restricts the disclosure of “medical information” without first obtaining authorization, subject to numerous statutory exceptions. The term “medical information,” however, refers to “individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care services plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” An employer performing worksite screening activities would generally fall outside the scope of this definition. Texas also has the Medical Record Privacy Act that imposes similar restrictions on medical information. That statute, however, specifically exempts an “employer” from its scope.

Americans with Disabilities Act

Finally, even if worksite screening activities are permissible, employers must still take steps to protect the confidentiality of affected employees. Title II of the Americans with Disabilities Act (ADA) (42 USC § 12101 et seq.) establishes the basic rule that, with limited exceptions, employers must keep confidential any medical information they learn about an applicant or employee (42 USC § 12112(d)(3)(B)). Information may be confidential even if it contains no medical diagnosis or treatment course, and even if it is not generated by a health care professional. For example, an employee’s request for a reasonable accommodation for COVID-19 treatment or recovery may be considered medical information subject to the ADA’s confidentiality requirements.

The ADA also restricts an employer from requiring a medical examination, or making certain disability-related inquiries of an employee, unless that examination or inquiry is shown to be job-related and consistent with business necessity. Employers may, however, perform voluntary medical examinations as part of a worksite employee health program, and may inquire about the ability of an employee to perform job-related functions (42 USC § 12112(d)(4)). The extent and frequency of those medical examinations in the context of COVID-19 worksite screening, and the mandatory or voluntary nature of those activities, should, therefore, be carefully considered with counsel.

Regulatory Guidance for Employers

The Centers for Disease Control and Prevention recommends employers take the following steps at worksites:

  • Separate sick employees. If upon arrival to work, an employee becomes sick, separate that employee from others, and send them home immediately. This includes visitors and other non-employees.
  • Actively encourage sick employees to stay home, and not return to the workplace until they are free of fever (100.4° F [37.8° C] or greater using an oral thermometer), signs of a fever, and any other symptoms for at least 24 hours, without the use of fever-reducing or other symptom-altering medicines (e.g. cough suppressants).
  • Do not require a healthcare provider’s note for employees who are sick with acute respiratory illness to validate their illness or to return to work. This is because healthcare provider offices and medical facilities may be extremely busy, and unavailable to provide documentation in a timely way.
  • Review and be prepared to follow a “Business Infectious Disease Outbreak Response Plan” based on the present condition in each worksite.
  • Coordinate with state and local health officials; this is strongly encouraged. Since the intensity of an outbreak may differ according to geographic location, local health officials will be issuing guidance specific to their communities.

Brian Hengesbaugh is chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.