FAQ’s

Best Practice: For employers with a trained nurse or medical professional on-site, the trained personnel should be taking temperatures and/or training non-medical personnel to do so.  In the event the nurse or medical professional is providing training to others, the training should be documented in writing.

For employers that do not have a trained nurse or medical professional on-site, the employer should designate one or more management-level personnel to conduct the testing.  This individual should review the directions to use the thermometer or scanning equipment to ensure proper use.  That individual should also be trained to follow up in the event of an error or a result that is inconsistent with common sense (i.e., a reading that is much too low or too high).  The training process should be documented.

These questions are intertwined.  Best Practice: is to use equipment that requires no direct contact between the temperature taker and the employees.  Scanners that can measure temperature remotely are ideal.  Forehead scanners also minimize the amount of contact.  If you have issues sourcing these types of thermometers, oral or other types of thermometers are a reasonable substitute.  In the latter case, make sure to clean the thermometers thoroughly between each employee, so as to not spread infection.  Read and following the directions for cleaning that accompany the thermometer.  If no directions are available, rinse the tip of the thermometer in cold water, clean it with alcohol or alcohol swabs, and then rinse it again before next use.

If you are using a temperature measurement that requires contact between the temperature taker and the employees, the taker should be equipped with adequate personal protective equipment to ensure safety for both parties.  The taker should be provided with gloves, goggles, face masks, and gowns.  If the taker is not using a “touchless” system, he or she should change gloves with each scan.

The temperature taker is not the only one for whom best practices should be considered with a temperature-taking process; employers should be cognizant of the various states’ and municipalities’ social distancing requirements for the employees awaiting to have their temperatures checked as well.

Best Practices:

• Consider whether additional shifts can be established to reduce the number of employees in the worksite at one time
• Stagger shift start- and end-times greater than normal when possible (while still ensuring safe operations), to eliminate employees from congregating during the shift change-over, and from over-crowding at entrances and exits
• Create corridors (outside, but preferably covered) where employees can enter the facility through a temperature-checking line
  • Have multiple such lines and entrances if possible to reduce crowding
  • Consider placing markings (whether in tape or otherwise) on the ground in the corridor to demarcate six (6)-foot lengths to provide for greater social distancing by employees while in line

Whether employees must be compensated for time spent having their temperature taken (and waiting in line to do so) is likely to be a contested issue in the coming months.  To the extent that any legal authority requires a temperature test before an employee is allowed to work, it is likely that time spent undertaking such a test will be compensable.  However, even if such a test is not required, both good employee relations and state law requirements may counsel in favor of paying employees for this time.

Note also that the FLSA generally prohibits pausing compensable time once an employee’s work day starts (aside from an unpaid lunch period).  Thus, if the employee’s compensable time begins with the temperature check (or waiting in line), all subsequent pre-shift activities will likely be compensable, as well.  By implementing the Best Practices outlined above regarding staggered shifts, this should also reduce the amount of time spent by employees passing thru a temperature-checking process.

The CDC states that a fever for COVID-19 purposes is any temperature at 100.4 degrees Fahrenheit/38 degrees Celsius or higher.  However, ensure that you also consult state and local guidelines regarding temperature levels.  Certain state and local governments and agencies have set their own, more restrictive (and some less restrictive) thresholds for what constitutes a fever.  Of course, such guidelines should dictate whether employers disqualify an employee from entering the work site.

Discreetly notify the employee that he or she has a fever and do not allow him or her to enter the work environment.  The employee should begin quarantine procedures, and should not return to work for 14 days, and only if by that point, the employee has been fever-free for three (3) days and is otherwise symptom-free as well.

Effective March 15, 2020, for example, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar (Secretary) waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in its March 2020 COVID-19 and HIPAA Bulletin. These waivers were issued in response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and the Secretary’s earlier declaration of a public health emergency on January 31, 2020. The Secretary’s guidance makes clear that the Privacy Rule is not suspended during this crisis and provides guidance about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. But, in the following areas, the Secretary has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

• the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).

• the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020, and there is more information and access to resources in the Bulletin about where it applies and for how long.

As part of its guidance on HIPAA privacy and disclosures in emergency situations, the Bulletin reminds readers what entities are covered by these rules – covered entities and business associates. There can be some tricky questions here, but these are the basic rules from the Bulletin:

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.

When conducting its business, an organization can be a HIPAA covered entity and/or a business associate. However, when that business is functioning as an employer, it is neither a HIPAA covered entity nor a business associate, although it may sponsor a covered health plan subject to the HIPAA privacy and security rules. As organizations face the coronavirus threat to their workforce and their business, many questions arise about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. These can be thorny questions and organizations should seek qualified counsel, but here are some general rules:

Generally, measuring an employee’s body temperature is a medical examination. This means that under the ADA, taking an employee’s temperature generally would be impermissible unless it was job-related and consistent with business necessity. However, because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions, employers may measure employees’ body temperature. See additional questions at the EEOC’s What You Should Know About the ADA, the Rehabilitation Act, and COVID-19.

No. As stated above, employers acting as employers are not covered entities or business associates under HIPAA.

In general, the ADA does apply here, although employers need to remember to avoid discrimination against a person because of his or her known relationship or association with a person with a known disability. The more relevant issue is whether the employer would be collecting “genetic information” under the Genetic Information Nondiscrimination Act (GINA), which includes the manifestation of disease in a family member. Genetic information under GINA including the manifestation of disease in a family member including a spouse, and the collection of that information generally is prohibited, except in limited circumstances.

Yes. For example, California’s Department of Industrial Relations’ Coronavirus Disease (COVID-19) – FAQs provide:

Can an employer require a worker to provide information about recent travel to countries considered to be high-risk for exposure to the coronavirus?

Yes. Employers can request that employees inform them if they are planning or have traveled to countries considered by the Centers for Disease Control and Prevention to be high-risk areas for exposure to the coronavirus. However, employees have a right to medical privacy, so the employer cannot inquire into areas of medical privacy. (emphasis added).

California also has other limitations on the collection of employee medical information, such as constitutional protections and limitations on the collection of personal information under the California Family Rights Act (“CFRA”). In California and other states, if this information is accessed and/or acquired by an unauthorized party, it could result in a breach of security, requiring notification. Many states also recognize common law privacy rights, such as protection from intrusion upon seclusion. While these common law rights generally would present a low risk, the circumstances of the collection could expose the organization to liability.

Generally, no, the CCPA does not prohibit covered businesses from collecting personal information. If your organization is subject to the CCPA, you will want to consider whether an exception applies. For example, medical information under the California Confidentiality of Medical Information Act (CMIA) is excluded from the CCPA.

Section 56.05 of the CMIA defined medical information as

any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity. (emphasis added).

Businesses subject to the CCPA that collect medical information from California employees directly, without the involvement of health care professionals, may not be able to rely on the CMIA exception under CCPA. In that case, the businesses notice at collection should cover this information and describe the purpose(s) that information will be used. The same may be true for California businesses that, for example, are directing security personnel to collect temperature from non-employee visitors to their facilities.

According to the CDC,

if an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA). Employees exposed to a co-worker with confirmed COVID-19 should refer to CDC guidance for how to conduct a risk assessment of their potential exposure.

EEOC’s ADA regulation 1630.14(d)(4)(i) says that any medical information regarding the medical condition of an employee shall be treated as a confidential medical record, except:

• Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;

• First aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; and

• Government officials investigating compliance with this part shall be provided relevant information on request.

The EEOC also has interpreted the ADA to allow employers to disclose medical information to state workers’ compensation offices, state second injury funds, workers’ compensation insurance carriers, health care professionals when seeking advice in making reasonable accommodation determinations, and for insurance purposes.

Difficult circumstances can present themselves during these times and organizations will have to consider the circumstances on the ground, weighing multiple factors as they decide how to respond to these and similar questions. For instance, an organization may determine its compliance risk is outweighed by its reputational and moral risks to those in its community, and the needs of local public health authorities. For those organizations that proceed where there is unclear regulatory guidance, some key principles should guide them:

• proceed cautiously and engage as minimally necessary,

• make clear the purpose and use and disclose information only as necessary to serve that purpose,

• ensure security is maintained for information, and destroy it when no longer needed, and

• remain aware of changes to federal and state guidance, particularly in localized areas.

These are no doubt challenging times. Organizations need to do the best they can weighing various factors including privacy rights, compliance, the health of others, the community, and legitimate business, just to name a few.