How Small Businesses Can Protect Themselves When Handling COVID-19 Screening Data

Are you screening employees for COVID-19 symptoms? If you are, you need to be careful with what you do with that personal information. Here’s information to help you avoid running afoul of the law.

We’re now more than a year on from the initial impact of the pandemic and the COVID-19 vaccine race is very much underway. However, at the current rollout pace, it won’t be until 2022 that all Americans have been offered the jab.

In the meantime, after an exceptionally difficult 12 months that saw many small businesses close and make cuts, many of us are trying to regain a sense of normality by enabling employees to return to the workplace. And according to the Centers for Disease Control and Prevention (CDC) screening employees for symptoms of COVID-19 is a safe way of doing so.

In comparison with measures such as social distancing or mask-wearing, screening employees for COVID-19 can seem like a hefty, resource-consuming task. But for many small businesses, it’s not that difficult as long as it’s approached the correct way.

Although this method won’t work for asymptomatic employees, a simple COVID-19 symptom questionnaire is a useful tool to help small businesses make their premises COVID-secure. And not only this, but it can also help businesses to protect themselves against COVID-related litigation.

However, given that screening for coronavirus symptoms means that small businesses need to collect personal information, you must take special care when handling this data. Failure to do so could expose you to legal risks. 

Employee Privacy Laws to Be Aware of 

There are a number of regulations that exist to protect employees’ privacy and confidentiality, which need to be considered in the context of screening employees for COVID-symptoms. Below are some specific regulations that small businesses must take heed of. 

The Americans With Disabilities Act (ADA)

This act obliges employers to store all employee medical information separate from personnel files in order to maintain its confidentiality. Originally designed to be an anti-discrimination act to protect workers with disabilities, the ADA also applies to the collection of information surrounding confirmed or suspected cases of COVID-19 in the workplace. The U.S. Equal Employment Opportunity Commission provides specific guidance on this.

Health Insurance Portability and Accountability Act (HIPAA)

In line with the HIPAA, businesses must ensure that the medical information they are collecting from employees will be used solely for the purpose of COVID-19 symptom screening. This act prevents businesses from transferring the data to other parties, selling it, or storing it inappropriately. More guidance can be found at the Office for Civil Rights (OCR).

Relevant State Laws

Small businesses should also seek legal advice according to their geographic location, as a number of states have specific employee-privacy laws. Specific state laws to be aware of include:

  • The Illinois Biometric Information Privacy Act (BIPA)
  • California Consumer Privacy Act (CCPA)
  • The Texas Capture or Use of Biometric Identifier Act (CUBI)

Each of these laws contains specific rules around informing employees of data that is being collected, along with how the data is processed and stored. 

Tips For Small Businesses When Processing Screening Data

Draw Up a Data Governance Policy 

When it comes to collecting personal, medical information regarding COVID-19 symptoms, the state of Illinois sets a good example of best practice for small businesses. It’s best to communicate openly with your small team of employees to ensure they’re aware of exactly what information will be collected, why it will be collected, and how long it will be held for.

Once you’ve told them, write this information up formally in a data governance policy and share it internally so that employees can refer back to it if ever they need to. If you need to review the policy, make sure you let other team members know.

Less is More When Collecting Data 

When screening your employees for COVID-19 symptoms, try and limit the number of medical questions you’re asking them to a minimum. Beyond assessing whether your employees are suffering from the following symptoms, there’s no need to ask for any other data: 

  • A fever
  • A new cough
  • Difficulty breathing
  • A sore throat
  • Body aches
  • Vomiting or diarrhea
  • A new loss of taste or smell

Identify a Workplace COVID Coordinator

Make just one or two employees responsible for managing and executing the screening process. And ensure they have the seniority and capacity to effectively manage this. Don’t make the mistake of presuming an employee can fit this around all their existing work, so assess their resource capacity with them then reassign some of their work to other employees as needed.

Store the Information Safely

Once you’ve established which employees will be in charge of collecting the data, they should then store it securely. Avoid storing sensitive medical information on shared drives or files that others also have access to. Ensure these files are password protected and encrypted. A data privacy vault is a good solution here and could be a good investment if you don’t already have one.

Dispose of Data Wisely and Often

COVID symptom screening data will only be relevant for a few weeks at a time, so it’s a good idea to regularly dispose of paperwork or delete digital documents on a regular basis. If you are dealing with paperwork, be sure to shred it before putting it in the recycling bin.

Workplace Education

Given the amount of misinformation surrounding COVID-19, it’s understandable that there’s also a social stigma attached to contracting the virus. In order to reduce the risk of discrimination against team members, besides keeping employee medical information private, it’s also important to educate your employees about COVID-19. Part of keeping your office COVID-secure also involves teaching your team about the virus, explaining best practices around hygiene, mask-wearing, and social distancing.

To conclude, given the risk of litigation if small businesses do not take the issue of data privacy seriously, data breaches when screening for COVID-19 symptoms could end up being a costly mistake.

To avoid this, small businesses must stay informed of the regulations that apply to them and implement best practices when conducting screenings and processing data. And, of course, it’s always wise to seek relevant legal advice for the final word on how well your business is complying with data privacy requirements.

About the Author:
Written by Adam Day, President & CEO at Time Rack, a time and attendance and HR services company that provides COVID return-to-work-safely services for businesses across a broad range of industries and workplace settings.

Get started image

Ready to get started?

Get the expert support you need

Start Now