Skip to main content
April 2, 2020

Employee Privacy With Respect to COVID-19

Coronavirus: Labor and Employment Advisory

To help our clients navigate the coronavirus (COVID-19) crisis, Arnold & Porter has established a Coronavirus Task Force covering a wide range of issues and challenges. Subscribe to our "Coronavirus (COVID-19)" mailing list to receive our latest client Advisories and register for upcoming webinars.


Almost every employer in the United States is or will be facing the question of how to handle information regarding their employees' exposure to or positive testing for coronavirus disease (COVID-19). What information relevant to COVID-19 can employers collect from employees? What liability could employers face for sharing (or not sharing) this information?

Privacy law in the United States provides employers with relatively little certainty to answer these questions. Unlike employers in other countries, which are subject to laws such as the EU's General Data Protection Regulation (GDPR) or Canada's Personal Information Protection and Electronic Documents Act, employers in the United States cannot look to an overarching, prescriptive statute governing their treatment of employees' personal information. Although employers' group health plans are subject to the privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA), employers themselves are not, and the COVID-19 privacy issues facing employers generally do not involve the claims-related information held by their group health plans. At the state level, health information privacy statutes, while strictly regulating health care providers and health insurers, rarely extend to employers, leaving to common law the adjudication of employee health information privacy rights.1

Where state law is silent, employers can and should turn to fundamental privacy law principles, such as transparency, notice, choice and fairness, to guide their practices.2 And in certain specific contexts, the Americans With Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA) set rules that, while focused on discrimination rather than privacy, limit what employers may request and how they may react once aware of employees' medical information related to COVID-19.

Wherever possible, an employee who has been exposed to or tested positive for COVID-19 should be made aware of the employer's need to make certain disclosures to the workforce and employers should give the employee reasonable choice whether to permit particular uses or disclosures, as discussed in greater detail below. In California, the employee's written authorization for certain disclosures may be required.3 Even absent such a requirement, keeping the employee informed is prudent and will reduce the likelihood of subsequent complaints. And such a dialogue reinforces the employee's role in helping to halt the spread of the disease.

Approaching this from a practical perspective, these are answers to some of the most common questions that have arisen in the past several weeks.

Whom should we inform if one or more employees test positive for COVID-19, and what should we reveal about their identities?

  • An employer should disclose to other employees that a co-worker (or a visitor to the office) has tested positive for COVID-19, without disclosing any identities.
  • An employer should not disclose the identity of an employee who has tested positive, or anything specific about his/her medical condition or symptoms, to others in the workplace. Under the ADA, any information regarding the medical condition or history of an employee that an employer obtains as part of an examination or inquiry into a disability could constitute a confidential medical record that can be disclosed only to certain individuals in limited circumstances. 42 U.S.C. § 12112(d)(3)(B) and 12112(d)(4). The FMLA also prevents the disclosure of records related to medical histories in connection with an employee's leave request or eligibility. 29 C.F.R. § 825.500(g). The EEOC and some courts have gone further and taken the position that any information concerning an employee's medical condition is protected under the ADA or FMLA. In any event, employers should err on the side of confidentiality.

What could we ask the employee to reveal or let us reveal?

  • An employer may ask whether an employee is willing to disclose symptoms or a positive diagnosis to others, or whether the employee is comfortable with the employer's doing so. However, employers should be careful to exert no pressure on the employee to agree to either mode of disclosure. Any disclosure of identity under these circumstances should be truly voluntary on the part of the employee.
  • An employer should ask an employee who has tested positive to provide a list of individuals (employees, clients, contractors, vendors) with whom the employee came in contact in the last 14 days in connection with their employment, as well as floors they may have visited, whether they were in shared spaces such as a cafeteria, etc. An employer may disclose this information to the office (without disclosing the identity of the individual), but we recommend first discussing this with the employee.

What disclosures should we make regardless of the employee's consent?

  • Even if it is not possible to get prior consent from an employee who has tested positive for COVID-19, the employer should notify specific co-workers, clients, vendors, etc. that a person with whom they were in contact over the past 14 days has now tested positive, and that they should take appropriate cautionary measures.

What requirements for employee disclosures should we impose?

  • During this emergency period, every employer should require all employees to disclose to the employer if they test positive for COVID-19 or have been in contact with someone who tests positive (and those employees should be required to work from home and not be allowed in the office until they are medically cleared). The ADA allows employers to make sensitive medical inquiries of employees who pose a "direct threat" to the health and safety of themselves or others in the workplace, 42 U.S.C. § 121113(b); 29 C.F.R. § 1630.2(r), and COVID-19 infection or exposure clearly poses such a threat.
  • To the extent employees are working in the office (or plan to return to work in the office), employers should also require such employees to disclose if they or someone they live with are experiencing any coronavirus-related symptoms (fever, cough, body aches, sore threat, etc.). Upon receiving such a report, the employer should require the employee to work from home.42 U.S.C. § 121113(b); 29 C.F.R. § 1630.2(r).

© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. California's Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56-56.37, is an outlier in regulating employers as well as health care providers and health plans. See id. §§ 56.20-56.25.

  2.  Under the recently effective California Consumer Privacy Act (CCPA), employers must provide their California-resident employees a privacy notice at or before the point of collecting personal information, including health-related information. The CCPA does not, however, impose restrictions on employers' use or disclosure of employee personal information.

  3. See Cal. Civ. Code § 56.20(c).