16 COVID-19 Employee Health Checks Create New Privacy Risks

Elizabeth A. Brown, 2020-11-03

As businesses reopen in the wake of the COVID-19 pandemic, more employers are monitoring and tracking their employees’ health more often. Yet monitoring and tracking health data can create legal risks for employers, including claims of invasion of privacy. In fact, employees have few legal protections under privacy law against these kinds of practices, because the Health Information Portability and Accountability Act (HIPAA) and other privacy laws are unlikely to apply in these cases. At the same time, employers need to act carefully to ensure that their collection of COVID-19 health data do not intrude upon the few privacy rights their workers do have.

16.1 Health Monitoring at Work

More employers are watching for signs of COVID-19 infection by, for example, by taking employees’ temperature and checking for other data points that correlate with infection. This relatively new practice may build on existing workplace wellness programs, through which many employers monitor employee health more generally through workplace-sponsored FitBits, Apple Watches, and health apps provided through the employer’s online portal. Such workplace wellness programs aim to improve employee health and lower health insurance costs over the long term. This includes encouraging their workers to use wearable devices to help them track various aspects of employee health and wellness (Brown 2020, 266). Smartwatches and smart rings may soon be able to predict the onset of coronavirus infection because of increases in body temperature, well before an infected person develops a cough or other more obvious symptoms (Brown 2020, 303).

Collecting health data from employees, however, involves risks that many employment lawyers and in-house counsel do not understand well yet. Until recently, many employers measured employee health only at a distance. Workplace wellness programs, a common feature of large-firm benefit packages, are designed to encourage the kind of healthy habits that employers hope will lower their health insurance premiums (Brown 2020, 258–59). Such programs commonly offer incentives to employees - say, an Amazon or Target gift card - for wearing FitBits or Apple Watches that can collect data about employees’ heart rates, sleep patterns, and other aspects of their health. A large-scale study released in 2019 suggests that these programs are effective (Song and Baicker 2019). But there are downsides to health data collection and analysis. Many wellness programs are outsourced to health care analytics companies, which can help connect employees with various health vendors through a single platform. This, in turn, can centralize employers’ ability to track, or help, workers on tobacco cessation, weight management, mental health, heart health, musculoskeletal health, and weight coaching, among other issues, allowing more potentially intrusive monitoring of many aspects of employee wellbeing (Brown 2020, 270–71).

Biometric tracking technology, including wearables, offers new ways to collect health data from employees. In a 2019 survey of employers (n = 2,012, response rate = 27%), among firms offering health benefits, 11% of all firms, and 18% of large firms, collected information from workers’ mobile applications or wearable technologies (Kaiser Family Foundation 2019, 196). Analysts predict that greater adoption of wearables different from fitness bands like the Fitbit, including “smart hearables and smart shoes,” will lead to sales of 260 million units in 2023, resulting in a market worth almost $30 billion (CCS Insight 2019). Many of these wearables can and will be deployed in the workplace, not only for data collection but to track productivity, improve safety, and monitor employee and client interactions. Many wearables specifically target employee health data collection, however, including the Fitbit Care, which offers employers a customized storefront to help incentivize employees to use the device.

16.2 Privacy Risks and Privacy Law

After COVID-19, employers will likely collect health-related data more directly and more often. Employers may require some level of health screening simply to return to work, and not just as part of a workplace wellness program. In some instances, employers may be obligated to report instances of COVID-19 infection to other staff members (Shabani, Goffin, and Mertes 2020). And employers may check employees’ temperature and potential symptoms of COVID-19 on a daily basis without necessarily violating the Americans with Disabilities Act (Equal Employment Opportunity Commission 2020b). Employer may also adopt health screening because they fear liability if their employees who get sick in the future. For example, in businesses with high levels of customer interaction, customers who claim that they contracted COVID-19 from employees might have a plausible claim for negligence if they can show that the employer did not take reasonable precautions to keep customers safe from infection.

The risks of this new kind of health data collection are substantial. If an employer starts taking employee temperatures, requiring blood draws, or testing for antibodies, that employer may start amassing a health profile of employees that could suggest other health concerns unrelated to COVID-19. They may learn, for example, that some employees are immune-compromised, or obese, or have cardio-pulmonary disease. Similarly, many employers are now offering femtech benefits, which help female employees manage their reproductive health, as part of the same workplace wellness portfolios that may assist in detecting early signs of COVID-19 infection. These benefits may make female employees’ decisions to try to become pregnant or avoid pregnancy more visible to the employer. It is easy to imagine an employer misusing that data in hiring and promotion decisions, even if doing so violates anti-discrimination laws (Brown 2020, 266–68).

Privacy law, at both the federal and state levels, does little to protect employees in this regard. Many people assume that the Health Information Portability and Accountability Act (HIPAA) protects the privacy of their health information. That is not true, however, if employers use wearables to help collect information relating to COVID-19 and other health concerns. Under the Department of Health and Human Services’ Privacy Rule, “covered entities” that must keep “individually identifiable health information” private pursuant to HIPAA. These “covered entities” include health plans and health insurers or their business associates, 45 C.F.R. \(\S\) 160.103, but does not include the kinds of wearable technology makers that employers are likely to use to collect health data for COVID-19 detection and other health data gathering purposes (Brown 2020, 291). Even if HIPAA did offer such protection, no individual worker could sue an employer under it, because there is no private right of action under HIPAA. Only the Department of Health and Human Services’ Office of Civil Rights can enforce HIPAA’s privacy rule.

Few other privacy laws provide any meaningful protection in this context. While the idea of a more comprehensive federal privacy law is evolving, current legislative discussions focus more on the notion of consumer data privacy than employee data privacy. Few relevant state privacy laws exist. It will be hard for most employees to show a causal link between the collection of their health data and any adverse consequences they may suffer at work. Only Illinois’ Biometric Information Privacy Act, 740 ILCS 14/20, has been held to require no such proof of actual injury or adverse effect. Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197, 1207 (Ill. 2019). It is unclear whether an employer’s health-information collection to test for COVID-19 is likely to qualify as the kind of biometric data collection that law regulates (Bodie and McMahon 2020, 9–10). But a recent lawsuit may answer that question. In September 2020, a former Amazon employee filed a class action lawsuit against Amazon, arguing that Amazon’s COVID-19 screenings – including facial recognition scans and temperature checks – violated the Biometric Information Privacy Act, in part because Amazon allegedly carried out those screenings without the notice and consent that law requires. Class Action Complaint ¶¶ 78-86, Jerinic v. Amazon.com, No. 2020-CH-06036 (Ill. Circuit Court, Cook County, filed Sep. 28, 2020).

As a result, there are significant privacy risks inherent in more expansive collection of health data that COVID-19 is likely to spur. The more widespread the collection of health data, the more difficult it may become for employers to shield themselves from accusations that they are using health data illegally.

In addition to privacy intrusions, other risks of employee health data collection include drawing inaccurate conclusions about employees based on faulty inputs and biased algorithms. The rise of personalized medicine, with its focus on “risk scores,” provide another potential data source that can be used in connection with data collected through wearables to build a potentially flawed health profile of a company’s employees. HIPAA also does not protect against the misuse of health data collected by third party vendors an employer might engage for that purpose. (Brown 2020, 290). More widespread health data collection spurred by COVID-19 monitoring may also increase the risk of gender bias, if algorithms based on medical research conducted largely on men may result in less accurate predictions about the health of female employees (O’Dea 2020).

These risks are hard for employees to avoid. Any employee consent to health data collection should be both informed and voluntary. Informed consent means that the employee at least has the opportunity to understand what data will be collected and how it may be used against her. Voluntary consent means that the employee has the option to refuse the collection of his or her health data. The employee cannot truly consent to data collection if it is inevitable that her health data will be shared online, especially since all online activity provides data in some way. As Waldman (2018, 68) explains, if “something is done out of necessity, it cannot truly be a matter of free choice.”

In addition, employees may feel coerced by economic pressures to agree to monitoring that they would not otherwise accept, especially in a time of high unemployment and astronomical health care costs for the uninsured. Employees may not have a meaningful choice as to whether to provide their health information at work. If mandatory health screenings become common, employees will be less likely to opt out of them, because they want to keep their employer-sponsored health insurance. Thus, the costs of health data collection are greatest for poorer workers and those whose socioeconomic status makes it less feasible for them to walk away from the financial incentives of wellness programs (Brown 2017, 212). Because of recent sharp increases in unemployment, more people now lack health insurance, which is, in a pandemic, a matter of life or death.

The fact that many employees voluntarily share some aspects of their health data online, through social media and apps such as Strava, could work against the employee in any violation of privacy claim. An employer accused of privacy violations might point to the employee’s own disclosure of how many miles she ran, or how much weight he lost, to bolster a claim that the employee did not have a reasonable expectation of privacy in the health data at issue.

If employees do suffer from misuse of their health data at work, anti-discrimination laws are no more likely to protect them than privacy laws. Consider, for example, an employee whose employer fires her because the data collected by her wearable devices show not only her temperature and other COVID-19-related data, but also that she is not as physically active as her employer would like her to be. Title VII of the Civil Rights Act probably would not protect her from employer discrimination on that basis, because it does not treat physical activity level as a protected class like “race, color, religion, sex, or national origin.” 42 U.S.C. \(\S\) 2000e-2(a). If she cannot show that “pregnancy, childbirth, or related medical conditions” caused her relatively low activity levels, the Pregnancy Discrimination Act of 1978 will not protect her. 42 U.S.C. \(\S\) 2000e(k). The Americans with Disabilities Act will not protect her if her inactivity is a choice, not the result of “disability” under that Act. 42 U.S.C. § 12102(1). It is also unlikely that any state or local anti-discrimination laws would be useful in this context.

For COVID-19 screening and beyond, there are at least three options that could reduce how much expanded health data collection may harm employees. The most radical and least politically feasible option would be to decouple health insurance coverage from employment altogether. Most employers collect health data through wellness programs in an effort to mitigate the increasing cost of health insurance. If employers no longer had to bear as much of that cost, they would have less of an incentive to collect employees’ health data. A second option would be to amend HIPAA to improve data privacy protections in light of changing health data collection practices. A third option would be to develop more effective data privacy laws that focus on employee health data privacy protections, in contrast to the customer data privacy focus of most legislative efforts in play now. In the meantime, however, the question of how best to balance employers’ needs to keep employees safe and employees’ rights to keep health data private is likely to be resolved one employer at a time.

References

Bodie, Matthew T., and Michael McMahon. 2020. “Employee Testing, Tracing, and Disclosure as a Response to the Coronavirus Pandemic.” Washington University Journal of Law and Policy 64. https://doi.org/10.2139/ssrn.3667212.

Brown, Elizabeth A. 2017. “Workplace Wellness: Social Injustice.” New York University Journal of Legislation and Public Policy 20: 191–246. https://nyujlpp.org/wp-content/uploads/2017/04/Brown-Workplace-Wellness-Social-Injustice-20nyujlpp191.pdf.

Brown, Elizabeth A. 2020. “A Healthy Mistrust: Curbing Biometric Data Misuse in the Workplace.” Stanford Technology Law Review 23 (2): 252–98. https://www-cdn.law.stanford.edu/wp-content/uploads/2020/06/Brown-A-Healthy-Mistrust.pdf.

CCS Insight. 2019. “Optimistic Outlook for Wearables.” March 20, 2019. https://perma.cc/TM9G-E8CT.

Equal Employment Opportunity Commission. 2020b. “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.” December 16, 2020. https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

Kaiser Family Foundation. 2019. “Employer Health Benefits: 2019 Annual Survey.” San Francisco, California: Henry J. Kaiser Family Foundation. http://files.kff.org/attachment/Report-Employer-Health-Benefits-Annual-Survey-2019.

O’Dea, Clare. 2020. “How ’Men as Default Humans’ Threatens to Undermine Precision Medicine.” SWI Swissinfo.ch. June 21, 2020. https://www.swissinfo.ch/eng/sci-tech/why-sex-differences-matter-in-precision-medicine/45848036.

Shabani, Mahsa, Tom Goffin, and Heidi Mertes. 2020. “Reporting, recording, and communication of COVID-19 cases in workplace: data protection as a moving target.” Journal of Law and the Biosciences 7 (1). https://doi.org/10.1093/jlb/lsaa008.

Song, Zirui, and Katherine Baicker. 2019. “Effect of a Workplace Wellness Program on Employee Health and Economic Outcomes: A Randomized Clinical Trial.” JAMA 321 (15): 1491–1501. https://doi.org/10.1001/jama.2019.3307.

Waldman, Ari Ezra. 2018. Privacy as Trust: Information Privacy for an Information Age. Cambridge University Press.