As our clients begin the process of safely reopening their facilities to workers, we have received numerous questions about the collection, transmittal, and storage of employee medical information related to COVID-19.
The following guidance was prepared to assist anyone who needs a starting point as they determine their organization’s course of action. Ultimately, this is an issue that will require coordination with IT, HR, and legal counsel, but the resources below (all from .gov sites) are current and authoritative for this issue.
As a preface, we have seen a bit of misinformation regarding HIPAA in terms of the collection of medical information in the workplace. To clarify, HIPAA applies only to a well-defined set of covered entities. If you or your organization are a HIPAA-covered entity, you are likely aware of this status already, but here are two resources that can help you determine whether HIPAA applies:
Most of our clients will instead fall under EEOC and OSHA for any regulatory guidance.
Legal guidance from the US Equal Employment Opportunity Commission (EEOC) about collecting and storing data. Note that Section B addresses storing medical information:
Legal guidance from the US Department of Labor (OSHA) regarding employer requirements to record COVID-19 illness:
https://www.osha.gov/SLTC/covid-19/standards.html
Business Response Overview (CDC):
https://www.cdc.gov/coronavirus/2019-ncov/community/guidance-business-response.html
Resuming Business Toolkit (PDF from the CDC). A clearly written and helpful step-by-step guide to resuming operations:
https://www.cdc.gov/coronavirus/2019-ncov/downloads/community/Resuming-Business-Toolkit.pdf
We hope you find the above resources helpful. If you would like to continue to explore technical options to assist with your COVID-19 reporting requirements, please don’t hesitate to contact us.
—
Steve Waters – Chief Information Security Officer