COVID-19 Workplace: Confidentiality Tightrope

The price of confidentiality just got a lot higher. Employers are prohibited by federal laws from identifying an employee infected with COVID-19 but are still legally and morally responsible to inform others in the workplace of an imminent health concern. Typically, when an employee comes to discuss a serious health condition, you keep it confidential, but now with this pandemic, there is an obligation to tell others. This process is clearly analogous to walking a tightrope. Even with all the correct protocols put in place, what happens when an overzealous manager emails the company about a confirmed case, or an employee who has tested positive self-reports on social media and/or the information spreads through the grapevine?

Encouraging self-reporting by keeping the identity of any confirmed positive cases confidential will help keep employees safe. Finding out about exposure or potential exposure in the workplace is key in stopping the spread of the virus, especially with the delay in obtaining tests and subsequent results. Good2BeBack can help employers and schools alike find out about symptomatic or infected person(s) before they arrive at their facilities, enabling them to stop them from entering, which can clearly help mitigate the spread of the virus.

Because of the fluid nature of this virus, and untested protocols rushed into place, we must remain flexible yet rigid enough to keep up with the most up-to-date information possible from credible sources. Let’s look at the federal requirements.

Health Insurance Portability and Accountability Act (HIPAA)

Communication about an employee who has tested positive for COVID-19 should be handled with consideration to the privacy provisions of the EEOC and the Health Insurance Portability and Accountability Act (HIPAA). Employers should not share the identity of the individual who has tested positive, but instead communicate with other employees about the confirmed positive case and the measures the employer is taking to clean and sanitize the affected area(s) of the workplace to keep the workforce safe. This also includes the employee’s health information (PHI) and any information that an employer obtains through the employer’s health plan.

Not all testing laboratories are subject to HIPAA; the ones that are cannot disclose test results to the employer without a HIPAA-compliant authorization form signed by the employee. Again, many states have state-specific protections and language that must be on the form.

Even though OSHA does not require employers to notify other employees if one of their coworkers gets COVID-19, employers must take appropriate steps to protect other workers from exposure to SARS-CoV-2, the virus that causes COVID-19, in the workplace, which may involve employee notification. The CDC recommends that employers inform employees who have been exposed to the virus of their possible exposure to a positive coworker in the workplace. However, the CDC reiterates that employers need to maintain confidentiality and comply with applicable federal, state and local laws.

Americans with Disabilities Act (ADA)

The ADA requirements mandate that an employer keep all medical information about employees confidential, even if that information is not about a disability. Clearly, the information that an employee has symptoms of, or a diagnosis of, COVID-19, is medical information. But the fact that this is medical information does not prevent the manager from reporting to appropriate employer officials so that they can take actions consistent with guidance from the CDC and other public health authorities. The ADA also requires that all medical information about a particular employee be stored separately from the employee's personnel file, thus limiting access to confidential information. An employer may store all medical information related to COVID-19 in existing medical files. This includes an employee's statement that he has the disease or suspects he has the disease, or the employer's notes or other documentation from questioning an employee about symptoms.

New California Law AB 685

Beyond federal laws, some states are strengthening their commitment to keep employees informed and safe from COVID-19 exposure. Starting January 1, 2021, California AB 685 imposes new notice and reporting obligations for COVID-19 workplace exposure. Employers are required to notify workers within one (1) business day of receiving notice of a “potential exposure” to COVID-19. The law mandates notice requirements in the event of a COVID-19 exposure in the workplace, which includes providing written notice to “all employees” who were at the worksite within the infectious period who may have been exposed to the virus. AB 685 also enhances reporting requirements to local health authorities in the event of a COVID-19 outbreak in the worksite. Good2BeBack can help employers comply with CA AB 685 and SB-1159 in reporting outbreaks to employees and to local health authorities, which can save employers dozens to hundreds of hours of work per exposure.

Communicate Confidentiality Expectations at Work

I would suggest employers plan in advance what supervisors and managers should do if this situation (confirmed or suspected positive cases) arises and determine who will be responsible for receiving information and taking next steps. Procedures to ensure confidentiality and data security should be developed and employees trained. Also, all management personnel who are designated as needing to know the identity of an employee should be specifically instructed that they must maintain the confidentiality of this information or they could be in violation of HIPAA and other regulations.

For example, you would inform employees that you received information that a coworker with whom they may have had close contact during the last 14 days has tested positive for COVID-19 and advise them to self-quarantine and self-monitor for symptoms without divulging any names. For smaller employers, in all likelihood, information will leak out and perhaps the employee who tested positive has already told his or her coworkers, but that’s not on you. If you are confronted by fearful workers, calmly explain that, under federal law, you cannot divulge health information and reassure them that the organization is taking all the necessary precautions and measures to keep them safe. Take advantage of CDC guidance on communication plans and messaging to your workforce.

If an employee comes to you to report someone who told them they are positive, you need to investigate. ADA confidentiality does not prevent this employee from communicating to his supervisor about a coworker’s symptoms. In other words, it is not an ADA confidentiality violation for this employee to inform his supervisor about a coworker’s symptoms. After learning about this situation, the supervisor should contact appropriate management officials to report this information and discuss next steps.

I don’t know of one person on this planet that hasn’t been affected by COVID-19, and the full impact on work, family, community is not clear yet. We need to raise a collective, compassionate voice at work and ensure that we don’t do more harm than good with “loose lips” that “sink ships”. Employers should also be mindful that guidance from public health authorities is likely to change as the COVID-19 pandemic evolves. Therefore, employers should continue to follow the most current information on maintaining workplace safety and should use the best tools available to do so, like Good2BeBack.

After all, we are all in this together, and how we handle challenges is how we show our character!

Carol Flynn is president of HR Solutions Inc and is a subject matter expert in sexual harassment, organizational development and workplace integration. She has over 25 years in human resource management and is a professor and educator with a Master of Arts in Industrial/Organizational Psychology; life-time certified senior professional in human resources (SPHR); certified EEOC trainer; and past investigative member of the Florida Bar Grievance Committee (FBGC). For further information, see
