How to Communicate About Possible COVID-19 Exposure Without Violating Privacy Rules

March 24, 2020Legal Alerts

How to Communicate About Possible COVID-19 Exposure Without Violating Privacy Rules

The COVID-19 pandemic has created messaging challenges for companies around the world, especially when it becomes necessary to notify people of possible exposure to the virus. In the rush to share information, however, it is critical to stay aware of the privacy implications of what your team communicates.

The Centers for Disease Control and Prevention (“CDC”) has advised that “[i]f an employee is confirmed to have COVID-19 infection, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace.” You might also choose to advise your clients, customers, and others of such possible exposure. In doing so, however, you must be careful to release only information that does not violate any confidentiality or privacy rules.

Federal law, including the Americans with Disabilities Act (ADA) and Family and Medical Leave Act (FMLA), require employers to keep employee and applicant medical information confidential apart from very specific exceptions. Notifying people—even privately—of possible exposure to an illness is not an exception to those rules.

Consequently, Rule #1 of any communication about possible exposure is do not disclose the identity of the employee who has reported COVID-19 symptoms. That means do not include the employee’s name, but also be extremely cautious disclosing “anonymous” details that could be used to identify the individual. Furthermore, you should double-check your employee handbooks, employment contracts, and collective agreements in order to strictly adhere to any additional promises made regarding employee confidentiality and privacy.

Notifications of possible exposure resulting from the sickness of non-employees implicate different rules. For example, if the possible exposure is caused by a customer that has tested positive for COVID-19, you may have confidentiality obligations in the customer contract or privacy policy.

In addition, certain sectors or individuals may be subject to additional federal or state confidentiality protections. For example, public schools must be sure to adhere to the PII restrictions set forth in the Federal Educational Rights and Privacy Act (FERPA) when disclosing that a student has tested positive for COVID-19.

As always, you should consult legal counsel in order to identify and follow all applicable rules.