With the resurgence of COVID-19 infections across the United States, employers are facing growing pressure to ascertain whether their employees have contracted the virus. Temperature checks and symptoms screening, while helpful, will not identify employees who are asymptomatic and potentially contagious. This gap is critical because studies show that up to 45% of people infected with the virus do not show any symptoms.1 As a result, COVID-19 testing can be essential to remaining operational or reopening after a workplace outbreak.
The Equal Employment Opportunity Commission (EEOC) has issued guidance stating that mandatory testing of employees for COVID-19 falls within an exception to the Americans with Disabilities Act’s (ADA) general prohibition against mandatory medical examinations of employees. While lawful under the ADA, testing presents serious privacy and information security risks for employers. We describe in this article the common concerns raised at each stage of the testing process, from deciding whom to test to handling the test results. For each stage, we describe practical steps employers can take to help address these concerns.
Who Should be Tested and How Frequently: Reducing the Risk of Unlawful Data Collection
In deciding which employees to test and how frequently to test them, employers must tailor their testing program to align with the rationale for legally permissible testing. Although the ADA generally prohibits medical examinations of employees, such examinations are permissible to determine whether an employee poses a direct threat to the workplace. In guidance issued on April 23, 2020, the EEOC clarified that the COVID-19 pandemic poses a direct threat to the workplace, opening the door for COVID-19 testing of employees to reduce the risk of infection of co-workers and others. That guidance, however, does not mean employers necessarily could justify the substantial privacy intrusion of frequent testing of all employees.
To help minimize intrusiveness and ensure that COVID-19 testing will fall within the “direct threat exception” to the ADA’s general prohibition on employee testing, employers should design their testing program based on objective evidence of how the virus spreads and how the test detects the virus. For example, testing employees who work exclusively in their own office where they can isolate themselves from co-workers may be more difficult to justify than testing factory workers who cannot engage in social distancing because of the nature of the manufacturing process. As another example, testing employees who must engage in business travel to perform their job responsibilities generally should be delayed until a few days after those employees have completed business travel (assuming they are asymptomatic at that time) because studies indicate that individuals may not have reliably detectable levels of virus until several days after exposure.2 Consequently, testing these employees on the day they return from business travel would more likely result in false negatives and arguably would not be necessary to prevent a direct threat to the workplace.
As these examples highlight, employers need to design their testing program to ensure that the testing at least has the potential to materially reduce the risk of COVID-19 infection in the workplace. Therefore, when structuring the program, employers should evaluate a wide range of factors specific to the employer’s workplace, such as where and how employees perform their job responsibilities, the nature of the business, the physical layout of the workplace, and the degree of community spread in the relevant jurisdiction. The results of this evaluation should serve as the basis for a written testing protocol. Adherence to the protocol would assist the employer to conduct testing in a consistent manner across the organization. In addition, the protocol would support the conclusion that the employer conducts COVID-19 testing only as necessary to prevent a direct threat to the workplace. Of course, any testing protocol will need to be administered across similarly situated employees to avoid allegations of discrimination. At the same time, employers should permit limited exceptions as necessary to accommodate disabled employees and employees’ religious beliefs.
Selecting the Test: Accuracy and Reliability
Due to the inherent invasiveness of medical examinations, employers should avoid subjecting employees to COVID-19 tests unless they provide useful results. Indeed, the EEOC’s guidance emphasizes that only “accurate and reliable” COVID-19 tests fall within the “direct threat exception” to the ADA’s general prohibition on employee testing.3 Consequently, employers’ test selection is fundamental to the lawfulness of the testing program.
COVID-19 tests currently fall into the following three high-level categories with varying levels of accuracy and reliability:
- Virus tests: tests for the presence of the SARS-CoV-2 virus that causes COVID-19;
- Antibody tests: tests for antibodies to the virus; and
- Antigen tests: tests for the presence of proteins that are part of the virus.
Of these, the most likely candidate for employers is the virus test. In guidance issued on June 17, 2020, the EEOC opined that the ADA does not permit antibody tests. The EEOC cited the Centers for Disease Control and Prevention’s (CDC) own guidance that antibody tests “should not be used to make decisions about returning persons to the workplace,” because they are not sufficiently accurate or reliable. Also, at least at this time, antigen tests show low levels of accuracy compared to tests for the virus itself and, therefore, also are likely impermissible under the ADA.
Even when selecting a virus test, employers need to confirm the test’s reliability. For example, while many “rapid” testing products are making their way into the marketplace, their accuracy and reliability may be subject to challenge.
How to Conduct COVID-19 Testing in Compliance with HIPAA, the ADA, and the CCPA
The Health Insurance Portability and Accountability Act (HIPAA) and the ADA closely regulate the collection, use and disclosure of health data, and the California Consumer Privacy Act (CCPA) establishes notice requirements for the collection of any type of employee personal information. To lawfully obtain and use the results of employees’ COVID-19 tests, employers must structure the testing process to comply with these laws.
Regardless of whether an employer relies on in-house medical staff, a third-party service provider, or employees themselves to collect the specimen for COVID-19 testing, most employers will have no choice but to rely on a third-party laboratory to test the specimen for the presence of COVID-19. Many testing laboratories are “covered entities” subject to HIPAA. When a HIPAA-covered laboratory conducts the COVID-19 test, the test results and all related health and demographic information are protected health information (PHI) that must be handled in compliance with HIPAA.
HIPAA generally prohibits a covered entity from disclosing PHI without the subject’s first executing a HIPAA-compliant authorization. That means testing laboratories subject to HIPAA cannot disclose COVID-19 test results to the employer without a HIPAA-compliant authorization executed by the employee. Several states add state-specific requirements to the contents of this authorization form. Employers should, therefore, include in their employee-testing packet a HIPAA-compliant authorization form that employees must sign and provide to the testing laboratory when the testing laboratory is subject to HIPAA.
Some testing laboratories are not subject to HIPAA. Using such laboratories would avoid the need to obtain a HIPAA-compliant authorization from each employee who is tested. That benefit generally will not outweigh two key advantages of using a HIPAA-covered testing lab. First, HIPAA-covered labs are required to implement the extensive information security safeguards required by the HIPAA Security Rule, thereby reducing the risk of a security breach (discussed further below) involving COVID-19 test results. Second, employees may have a greater level of trust in a HIPAA-covered testing lab and be less likely to refuse to participate in the testing program.
Once the employer receives the COVID-19 test results, the employer must handle them in compliance with the ADA — regardless of whether the testing laboratory is subject to HIPAA. The ADA applies to any employee health information received by an employer when assessing whether employees constitute a direct threat to the workplace, i.e., are infected by COVID-19.
The ADA requires employers to maintain the confidentiality of the results of employee medical examinations. In particular, the test results must be maintained in a confidential medical file separate from the general personnel file. Only those employees who need the test outcome to protect the workplace from COVID-19 infection should be granted access to the information. For many employers, this means a small group of employees, typically including HR professionals, who are responsible for the organization’s COVID-19 response.
The ADA also prohibits employers from disclosing employee medical information to third parties except in narrow circumstances that generally will not apply in the context of COVID-19 testing. Consequently, those employees authorized to review test results should be trained not to disclose them to third parties with one important exception. The EEOC has issued guidance stating that employers may disclose positive COVID-19 test results to relevant public health authorities.
The ADA raises one other noteworthy consideration. The ADA allows employers to conduct voluntary medical examinations only as part of an “employee health program.” Such programs must comply with several regulatory requirements, including (a) a prohibition on disclosure to the employer of employee medical information gathered through the program, and (b) distribution of a notice to employees that informs employees, among other things, of the confidentiality requirement. To complicate matters further, in certain conditions, an “employee health program” that offers voluntary COVID-19 testing will be subject to ERISA. As a result of these requirements, voluntary COVID-19 testing may not be an attractive option for many employers.
CCPA Notice Requirements
The CCPA requires covered employers to provide employees who reside in California with a “notice at collection” at or before the point when the employer obtains the test results. This notice must describe the categories of personal information to be collected and how the employer will use the information. Generally, employers will find it most convenient to provide the notice either as part of a general announcement of the testing program or when the specimen is collected (unless the employee engages in self-collection). The employer must then use the test results only for the purposes detailed in the notice and ensure that the testing lab does the same.
Safeguarding Test Results to Reduce Data Security Risks
Employers need to protect against a security breach involving COVID-19 test results in their own possession. In many states, the unauthorized acquisition of health data may constitute a data breach. Nineteen states, the District of Columbia and Puerto Rico define health information as “personal information” for purposes of data breach notification laws. In these states, a breach of COVID-19 test results — whether positive or negative — might require notifications to the affected employees and, in some states, to government authorities.
The security breach risk is especially high for employers in California, which is one of the states that classifies health information as “personal information” for purposes of data breach notification laws. Under the CCPA, California residents now have the right to recover up to $750 in statutory damages for a breach of health data, on an individual or class-wide basis, when that breach results from the employer’s failure to implement reasonable safeguards for the compromised information.
Employers also should consider the risk of a security breach when contracting with testing laboratories. If the testing laboratory is subject to HIPAA and employees’ test results are compromised, the laboratory would be required to notify relevant employees and the U.S. Department of Health and Human Services of the security breach. Although the laboratory would bear the brunt of the cost, the employer likely would incur costs itself and be confronted with employee complaints. Consequently, employers should ensure that any agreement with a testing laboratory, at a minimum, impose stringent information security standards on the laboratory and address the risks associated with a security breach. Even when the testing laboratory is not subject to HIPAA, employers should consider obtaining similar provisions in the service agreement because, as described above, many state data breach notification laws require notification when health information is compromised.
Employers planning to test their employees for COVID-19 should consider taking the following steps:
- Implement a protocol that aligns the scope and frequency of testing with the objective of reducing the direct threat of COVID-19 infection to the workplace;
- Select an accurate and reliable COVID-19 test;
- Inform employees of the testing program and provide a CCPA notice at collection when applicable;
- Require employees to execute a HIPAA-compliant authorization to allow any HIPAA-covered testing laboratory to disclose the COVID-19 test results to the employer;
- Implement safeguards for test results that are maintained by the employer; and
- Include in the service agreement with any testing laboratory provisions that address information security and the risk of a security breach.