In taking steps to protect their businesses and workforces from COVID-19, companies must be mindful that employee health and medical information is subject to privacy protections. We outline below the U.S. legal framework and how it applies to likely workplace scenarios involving COVID-19. We also highlight a disturbing rise in fraud schemes preying on employee concern over COVID-19, mostly involving phishing scams.
I. Can I require employees be tested for COVID-19 or inquire about an employee’s medical condition?
Under Title I of the Americans with Disabilities Act of 1990 (“ADA”), employers cannot ask employees disability-related inquiries or require that they submit to medical examinations, including COVID-19 testing, unless the inquiry is job-related and consistent with a business necessity or is required by health authorities. The former applies when an employer “has a reasonable belief, based on objective evidence, that: (1) an employee’s ability to perform essential job functions will be impaired by a medical condition; or (2) an employee will pose a direct threat due to a medical condition.” EEOC guidance issued during the 2009 H1N1 virus outbreak states that taking an employee’s body temperature may be considered a medical examination.
The Equal Employment Opportunity Commission (“EEOC”) has shared four factors to help determine whether an employee’s medical condition poses a direct threat: (i) the duration of the risk; (ii) the nature and severity of the potential harm; (iii) the likelihood that the potential harm will occur; and (iv) the imminence of the potential harm. Employers should consult the risk exposure categories and broader guidelines issued by the Centers for Disease Control and Prevention (“CDC”) and World Health Organization to help assess whether an employee exposed to COVID-19 poses a direct threat.
Employers may also ask employees non-disability-related inquiries, such as travel history and whether they are experiencing flu-like symptoms, so long as such questions are not directed to employees of only certain races or ethnicities. Any such information provided by employees should be viewed as part of their confidential medical record.
II. Can I establish a voluntary reporting service for employees?
Under the ADA, employers may establish a confidential self-reporting resource for employees who choose to voluntarily disclose their exposure to or diagnosis of COVID-19.
III. How should I treat information that an employee has a confirmed case of COVID-19?
Employers should check with their local and state public health departments for specific mandatory reporting requirements. HIPAA permits covered entities to disclose protected health information, without authorization, to public health authorities in order to prevent or control disease (45 CFR § 164.512(b)(1)(i)). Absent mandatory reporting requirements, information that an employee has been exposed to or has received a confirmed COVID-19 diagnosis should be shared only on a need-to-know basis and documented separately from the employee’s general personnel file. Employers must not—beyond the team authorized to address the diagnosis disclosure—name or provide personal information that, in the aggregate, could identify the affected individual.
Certain states have health privacy laws that extend beyond HIPAA’s scope and requirements. For example, California’s Confidentiality of Medical Information Act (“CMIA”) requires all entities (including employers not covered by HIPAA) that receive medical information to establish policies to maintain the confidentiality of such information. The CMIA also prohibits employers from using or disclosing such medical information without a signed authorization from the employee, except as compelled by law (Cal. Civ. Code § 56.20(a)).
Certain states may also issue specific response procedures. For example, regulations issued by the California Division of Occupational Safety and Health (“Cal/OSHA”) concerning COVID-19 require employers in healthcare settings to maintain a written exposure control plan that includes “procedures to communicate with employees and other employers regarding the suspected or confirmed infectious disease status of persons to whom employees are exposed in the course of their duties.” (Aerosol Transmissible Disease standard, California Code of Regulations, Title 8, Section 5199.)
IV. What else can I do to protect my employees and my business?
Sadly but predictably, the public’s intense interest in COVID-19 has attracted the attention of fraudsters. We are aware of reports of “phishing” scams that leverage purported information about the coronavirus to lure email recipients into clicking nefarious links. Employees who click these links may download malware onto corporate systems or be tricked into handing over their login credentials. We are aware of malicious email-based campaigns that have appeared as alerts sent from public health centers, including the World Health Organization and the CDC (sent from very similar domains, including cdc-gov[.]org and cdcgov[.]org). In certain instances, the bad actors appear to provide updates on new COVID-19 cases in the recipients’ geographic area.
In anticipation of continuing malware campaigns, employers should encourage employees to be vigilant when reviewing correspondence and to engage with only official sources of information. Employers may also consider conducting workplace or online training about COVID-19-related phishing and malware campaigns.
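The lookalike-domain pattern described above (cdc-gov[.]org and cdcgov[.]org imitating cdc.gov) is something a mail team can screen for before a message reaches an inbox. The following is an added illustration, not code from the original article or from any organization it names. The trusted-domain list, the sample From: headers and the squash-and-compare heuristic are all assumptions constructed for this example; a production filter would add the organization’s own trusted senders and combine this check with SPF/DKIM results.

```python
"""Flag e-mail senders whose domain imitates a trusted public-health domain.

Added example for illustration; not from the original article.  The trusted
domains, the heuristic and the sample headers below are all constructed.
"""
import re
from email.utils import parseaddr

# Assumed list of domains the organization treats as genuine senders.
TRUSTED_DOMAINS = {"cdc.gov", "who.int"}

# Constructed sample From: headers, modelled on the lookalike domains the
# article mentions plus a few benign senders for contrast.
SAMPLE_FROM_HEADERS = [
    '"CDC Health Alert Network" <alerts@cdc-gov.org>',   # lookalike (hyphen)
    "updates@cdcgov.org",                                # lookalike (no dot)
    "hr@emergency.cdc.gov",                              # genuine subdomain
    "noreply@who.int",                                   # genuine domain
    "newsletter@example.com",                            # unrelated sender
]


def _squash(label: str) -> str:
    """Lowercase and drop every non-alphanumeric char: 'cdc-gov.org' -> 'cdcgovorg'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header ('' if none)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted(domain: str) -> bool:
    """True only for a trusted domain itself or a genuine subdomain of it."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'other'.

    A sender is a lookalike when its domain is NOT trusted but, once separators
    are stripped, still contains the squashed form of a trusted domain.  This
    catches 'cdc-gov.org' and 'cdcgov.org' while leaving 'emergency.cdc.gov'
    alone, because the exact/subdomain check runs first.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "other"
    if is_trusted(domain):
        return "trusted"
    squashed = _squash(domain)
    if any(_squash(t) in squashed for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "other"


def summarize(from_headers):
    """Count verdicts over a batch of From: headers, e.g. a day's mail log."""
    counts = {"trusted": 0, "lookalike": 0, "other": 0}
    for header in from_headers:
        counts[classify_sender(header)] += 1
    return counts


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):10s} {header}")
    print(summarize(SAMPLE_FROM_HEADERS))
```

The exact-or-subdomain test must run before the lookalike test; otherwise every genuine cdc.gov address would also match the squashed pattern. Flagged messages are best quarantined for review rather than silently dropped, since the heuristic will also catch unrelated domains that happen to contain the same letters.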