For many businesses, recovery from the pandemic fallout hinges in part on employees working safely and virus-free outside their homes. That leaves organizations facing the very real possibility that they will serve as both trackers and guardians of health data to ensure the safety of employees.
And that brings significant burdens tied to privacy. The rollout of effective vaccines, while promising, isn’t likely to change an organization’s obligation to protect health data; it could, in fact, open new challenges, if companies begin to rely on such things as "immunity passports" to verify that an employee is safe to work in person or travel for business.
So then, what do businesses need to keep in mind to ensure their own safety measures put in place for a healthy workplace don't pile on risks tied to compliance?
What may or may not fall under HIPAA
Most organizations will not suddenly find themselves subject to regulations dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). That law targets health plans, doctors, hospitals and other health care providers, requiring them to protect the privacy and security of certain personal health information. HIPAA generally will not apply just because companies are taking employee temperatures and engaging in contact tracing.
But there are exceptions.
For an employer that uses a third party to administer temperature taking or contact tracing, for example, or a security guard employed by the company, it remains to be seen whether the activity will fall under the domain of HIPAA’s privacy rule providing for “business associates,” said Jo-Ellyn Sakowitz Klein, senior counsel of the firm Akin Gump Strauss Hauer & Feld LLP.
“If a company engages a physician to conduct COVID-19 testing of its employees, the physician may be subject to HIPAA, and, for example, the company’s employees may be asked to sign a HIPAA-compliant authorization form permitting disclosure of their testing results to the employer,” Klein explained.
Peter Kimmel, principal of facilities management consultancy FM Benchmarking, envisions potential HIPAA violations occurring once an employee's temperature taken at the office reaches the threshold of a fever.
Whether organizations must implement a suite of safety measures that include health data collection also remains fuzzy. Much of the compliance seems voluntary. “Mandatory” edicts from state governments and agencies like the federal Center for Disease Control (CDC) and Occupational Safety and Health Act (OSHA) are often contradictory, further confusing employers.
“None of these groups talk to each other,” noted Kimmel, who is also publisher of FM Link, a news roundup on facilities management.
Should an employee have a fever, for instance, questions will emerge about who is in charge of securing and protecting that information, while simultaneously protecting the company from liability should employees become ill.
“Who determines that the employee should go home? It could be HR. Somebody is going to have to be the gatekeeper,” Kimmel pointed out. Otherwise, “the lawyers are going to have a field day” with class-action suits related to COVID-19 workplace liabilities.
Tech solutions, tech complications
As the shock of economic shutdown wore off last spring, tech firms sprang into action, introducing workplace devices to help track infection. For example, Juvare made its contact tracing and case management technology available, promising “the highest control around privacy standards.” The technology lets users drill down into details regarding an employee, his/her test results and illness outcome.
Another company, eMazzanti Technologies, pumped its thermal cameras for passive temperature checks as a non-intrusive technology to help control the spread of the virus. “With a workforce that is highly dependent on digital services for the foreseeable future, the new normal COVID-19 office security is necessarily stronger, more vigilant, and more dispersed,” Almi Dumi, chief information security officer at eMazzanti Technologies, wrote in a recent paper.
To simplify the process and avoid collecting unnecessary information, employers may simply ask employees to stay at home if they show certain symptoms, rather than asking them about specific symptoms they have, Dumi said. This would minimize the health data that a company must collect and protect.
Invisible Health Technologies (IVT) suggested that another way to limit, control and safeguard information is to not connect devices like its thermal imaging technology.
“If the logs are recorded, the system can be sandboxed off a network, and then the unit will hold the data,” said Andrew Southern, IVT’s CEO and co-founder. If the unit is connected to a network, the organization can limit the access via site-specific network protocols (e.g., VLANs).
Similarly, the key to Microshare’s Universal Contact Tracing device is that it provides company users with “visibility and control,” said Tim Panagos, chief technology officer of Microshare, whose Bluetooth-driven tracer is being positioned as an alternative to the cellphone-based contact tracing apps from Apple and Google.
When it comes to collecting health data at work, “we’re very much entering a new world, and potential concerns [over privacy] will come out in real time,” Panagos told SC Media. Microshare serves Europe, as well as the U.S., and based on that experience, he believes Europeans are more trusting of their governments than Americans. Offering an opt-out option may go a long way in allaying employee fears over who is collecting data and how it will be used.
The potential and risks of an "immunity passport"
Whether an employee is willing to share medical data with an employer depends on a number of factors, including age and familiarity with data use.
In the past six months, 45 percent of Millennials and 49 percent of Generation Z have always or often shared COVID-19 health data with an organization, compared with just 21 percent of Baby Boomers, said Kris Lovejoy, global cyber security leader at EY. “Millennials (53 percent) and Generation Z (47 percent) are more likely than Generation X (43 percent) and Baby Boomers (35 percent) to regularly take the time to understand how a company uses their personal data by reading available materials.”
Even as governments around the world roll out vaccines, the notion of “immunity passports,” meant to show the bearer has been vaccinated, will present its own security challenges.
“The opportunities for hackers and forgers will be immense,” said Colin Bastable, CEO of Lucy Security.
More specifically, “consider how a quarantine system based on immunity certificates would work. Recipients would have to show their certificate in every public place they travel,” said Paul Bischoff, privacy advocate with Comparitech. “Would a certificate be a paper document, which is vulnerable to forgery, or an app that's vulnerable to all sorts of other surveillance, including location and proximity tracking?”
Essentially everyone in the workforce would appear in a database. “What information would be attached to those records? Would it be based on our Social Security numbers? Our home addresses, phone numbers, and email addresses?” asked Matt Gayford, Principal Consultant at the Crypsis Group. “In addition to the listing of individuals, each record needs a unique identifier to tie the immunity passport to your digital device. That means a permanent link between something like your Social Security number and your mobile device.”
At the enterprise level, these risk-free certificates will be accompanied “with some major data privacy traps each company’s data privacy officer will fear,” said Dirk Schrader, global vice president at New Net Technologies (NNT).
While Schrader rightfully points out that court decisions and laws around the world have underscored that employees’ personal health data “is mostly not a company’s business,” accommodating immunity passports complicates matters – particularly if a company requires them to prove employees can travel or attend onsite meetings.
Let's say “your vaccinated employees do return to work and suddenly a single employee stays at home again," he said. "How will that fact be interpreted by colleagues? There are so many potential mistakes; it seems unviable from a data privacy perspective.”
Contending that he has “no issue with an employee sharing their personal COVID-19 immunity status with their employer,” Chris Hauk, consumer privacy champion at Pixel Privacy, agreed that an immunity passport “offers too many opportunities for privacy violations.” He said whether the passport is in a physical format or is a virtual version stored on a mobile device or in the cloud, it “would be a privacy breach waiting to happen.”
To sidestep privacy concerns, Schrader believes that many companies will wait until their country’s government offers “reliable guidance” or examples emerge to illustrate how privacy concerns can be handled.
Until then, organizations might feel as if they’re walking a tightrope between public good and personal privacy. “Remaining healthy and reopening the economy is paramount, but we must consider other uses for the data if this health surveillance infrastructure were to be implemented,” said Gayford. “A system like this could easily be misused to limit our individual privacy.”
But Tim Wade, technical director of the CTO team at Vectra, urges businesses to take a broader perspective. “The safeguarding of an individual’s health/medical data is not a cost to be carried, but an investment to make whose return is an increase in both fairness and trust,” said Wade, who believes personal privacy always directly supports the public good.
“Businesses that intend to bring employees back into the office should do well to understand that cutting corners with respect to privacy erodes fairness and trust, and will be the costlier choice in the end.”