Employee Privacy during COVID-19 in Pennsylvania, New Jersey, and New York

Employee Privacy during COVID-19

By Michael Brumbach, Lisa Grandner and Andrew Ho.

As America starts to get back to our new “normal”, some employers have already been taking precautions for the reopening of America’s businesses. Such precautions have included mask requirements, staggered work schedules, and temperature/fever tests.

However, businesses may now find themselves in possession of health information and must keep in mind that there are significant legal ramifications when handling employee (or other) health data. With this in mind, the following article includes recommendations from the U.S. Equal Employment Opportunity Commission (EEOC) regarding COVID-19, as well as laws to look out for when dealing with employee health data.

The most glaring protections of employee health data stem from the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA.  However, recent developments in New York law, namely the SHIELD ACT, may have created new consequences for businesses that fail to properly protect their employee’s health information.

HIPAA requires that employers keep medical records confidential, and isolate medical records from files that employees such as supervisors or managers may access. This information includes: health insurance documents, requests for medical leaves of absence, FMLA reports, documentation regarding the underlying matters for FMLA paperwork, physician’s examination reports, medically-related excuses for absenteeism, medical job restrictions, accident and injury reports, worker’s compensation reports, and any other document that contains private medical information about an employee.

The Americans with Disabilities Act (ADA) requires that all medical information, including COVID-19 related documentation, for employees be stored separately from the employee’s personnel file. Businesses may maintain logs of temperature results, but they must keep this information confidential. However, businesses are permitted to disclose the names of employees who have tested positive for COVID-19 to public health organizations. Additionally, the EEOC has relaxed its standards and is permitting temporary staffing agencies to disclose the names of positive COVID-19 employees to their employers. The EEOC reiterates that employers must keep any medical information, including temperature logs, separate and confidential from the employee’s personnel file.

Jump to: New York | Pennsylvania | New Jersey

New York Law Update

The SHIELD ACT requires employers in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” The SHIELD Act substantially expands the definition of “private information,” which, if compromised, could trigger notification obligations. Private information now includes Biometric information.

The SHIELD Act’s data security requirements came into effect on March 21, 2020.  The SHIELD Act defines biometric information as data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image or other unique physical or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity. Arguably, this may apply to temperature checks. The SHIELD Act does not mandate specific safeguards but instead provides that a business will “be deemed to be in compliance with” this standard if it implements a “data security program” that includes all of the elements enumerated in the SHIELD Act. The business needs to ensure that records containing the private information of New York employees are securely destroyed promptly after the applicable retention period expires. Critically, the SHIELD Act specifically states that it does not confer a private right of action but rather provides for enforcement by the state’s attorney general. Businesses, large or small, that are in compliance with other regulatory schemes requiring information security, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, are deemed compliant with the SHIELD Act.

For laws that are more general, the New York State Human Rights Law (NYSHRL) and the New York City Human Rights Law (NYCHRL) may apply, along with the Americans with Disabilities Act (ADA) and Equal Employment Opportunity Commission (EEOC) Guidance. the New York City Commission on Human Rights (NYCCHR) recently adopted the EEOC’s Guidance and noted that “[i]n general, compliance with the EEOC guidance will satisfy employers’ obligations with respect to disability protections under the New York City Human Rights Law as they relate to COVID-19.” Although the NYCCHR did not address whether compliance with the guidance will satisfy employers’ obligations under the NYSHRL, because the NYCHRL offers broader protections than the state law, employers who follow the guidance can be satisfied they are complying with both state and city law.

Most importantly, the fact that an employee has a fever is subject to the ADA’s, NYSHRL’s, and NYCHRL’s confidentiality requirements for medical records and such information must be maintained on separate forms and in separate medical files. Best practices may include not retaining data concerning temperatures. Critically, employers must provide appropriate training and safety practices prior to requiring any employee to take a colleague’s temperature in the workplace.

Back to top

Pennsylvania

The Pennsylvania Department of Health has set some guidelines for the essential businesses that are currently open. These guidelines can be helpful in predicting the requirements as businesses re-open.

Can an Employer require mandatory temperature checks? Employers are encouraged to implement temperature screenings for all employees if the employer discovers that the business has been exposed to a person who either has COVID-19 or probably has COVID-19.

What are the requirements for temperature checks? Unlike New York, temperature checks do not need to be done by a medical professional for Pennsylvania businesses. Temperature checks should be conducted for at least fourteen (14) days after exposure. However, in COVID-19 hot-spots, the Pennsylvania Department of Health recommends that temperature checks be done as a matter of routine.

Here are a few examples of how this will work out in practice:

  • Example 1: After you return to the office, you receive an email from Matt saying that he has a cough and a fever. You think he might have COVID-19. What should you do with regard to temperature checks? You may require that everyone participate in temperature checks for the next 14 days.
  • Example 2: Philadelphia is declared a hot-spot at the same time that we all return to the office. What should your office do? Your boss may require everyone in the office to have their temperature taken every day until Philadelphia is no longer considered a hot-spot.
  • Example 3: Philadelphia is not a hot-spot, and no one reports having COVID-19. Should your office still conduct a temperature screening? No. The Pennsylvania Department of Health does not recommend temperature checks if the employer is not aware of potential or actual exposure to the virus.
Regarding Masks:

Are all employees required to wear masks? All employees of life-sustaining businesses must wear masks in the workplace. However, there are three (3) reasons an employee may be exempt from the mask requirement: (1) if the employee has a medical condition that prevents them from wearing a mask; (2) if the employee would face a safety risk by wearing a mask; or (3) if the employee is working sequestered alone in a room. If an employee is working alone in their own personal office space then they do not need to wear a mask.

Here are a few examples of how the mask requirements will work out in practice:

  • Example 1: Emily is working in her office alone, with the door closed. Does she need to wear a mask? No, Emily does not need to wear a mask while she is working in her office alone.
  • Example 2: Rachel meets with Emily in Emily’s office. Do they need to wear masks? Yes. Both Emily and Rachel should wear a mask.

Does the type of mask matter? Not really. Employers may either approve masks that an employee obtains, or may approve masks that an employee wears in accordance with the Department of Health’s guidelines.

Regarding Disclosure:

Should employees tell their employer if they feel sick? Yes. Employees who become sick at work are advised to leave work immediately. Employees who have symptoms of COVID-19 should notify their supervisor about their symptoms, and should stay home. Sick employees should remain home, and should not return to work until the CDC’s criteria to end home have been met.

How much information may an employer ask from an employee who calls in sick? The EEOC has relaxed some restrictions regarding the types of information an employer can ask in response to the coronavirus pandemic. Employers are permitted to ask an employee if the employee is experiencing symptoms of COVID-19. Employers are required to maintain all information about an employee illness as a confidential medial record.

Can employers ask their employees about specific COVID-19 symptoms? Yes. Employers are allowed to ask their employees if they are experiencing the COVID-19 symptoms including fever, chills, cough, shortness of breath, or sore throat.

Back to top

New Jersey

As of this date, there is currently no state requirement in place to test employees for fevers or for COVID-19. Additionally, New Jersey’s Department of Health has not provided any guidance regarding protecting employee’s privacy related to COVID-19 and instead refers businesses to the Center for Disease Control (CDC) for interim guidance.

The CDC does state that employers should not require a positive COVID-19 test result or a healthcare provider’s note for employees who are sick to validate their illness, qualify for sick leave or to return to work. However, as previously mentioned, HIPAA and the ADA require employers to keep their employee’s health data confidential.

For best practices, human resources policies should be reviewed to ensure that policies and practices are consistent with public health recommendations and with existing state and federal workplace laws.

Back to top


Should you have any questions, please call our office at (914) 703-6300 or contact:

Jeffrey T. Miller, Executive Partner
jmiller@pmtlawfirm.com 

Link this page to your…