Compliance Perspectives: Avoid Privacy Pitfalls in Pandemic Planning & Response

by | Mar 5, 2018 | Compliance Perspectives-lca, Essential, Lab Compliance Advisor

From - G2 Compliance Advisor

Although not officially a pandemic, the 2018 flu season has been the worst in nearly a decade. So why not use it as an opportunity to review your lab’s pandemic preparations—or, if you haven’t already done so, start the preparation process? In so doing, you need to account for something that tends to go overlooked in pandemic planning: the privacy ramifications. After all, many if not most of your pandemic measures will require you to collect, use and disclose personal information about your employees. For example, you might have to ask employees if they have a medical condition that increases their vulnerability to flu. This article explains pandemic preparation privacy risks and how to avoid them.

The Privacy Rights of Your Employees
Most employees do have some privacy rights vis-à-vis their employers. But the scope and extent of those rights differ depending on how and where your lab operates and the type of personal employee information involved. Thus, while HIPAA is about patient rather than workplace privacy, it comes into play when labs and other employers seek to collect, use and disclose (for simplicity’s sake, we’ll refer to all three of these verbs collectively as “use,” unless the context requires otherwise) personal health information about their employees. Workplace-related privacy rights of employees may also stem from:

  • State personal privacy laws, both statutory and common law, i.e., law made by courts in individual cases that form precedent for subsequent cases;
  • Provisions of employment contracts, both individual non-union and especially collective bargaining agreements affecting union employees;
  • Privacy assurances contained in your own HR policies and Codes of Conduct; and
  • Any other things you do to foster reasonable expectations of privacy of your employees.

The Practical Impact of Employee Privacy Rights
The most significant privacy restriction for labs, especially in the flu and infectious disease control context, is the requirement to get employees’ consent to use their medical and other personal health information. Getting proper consent is an issue unto itself. The consent form must be clearly written so the employee knows what she’s signing; and the decision to sign the form must be totally voluntary. Any signs of trickery or coercion nullify the consent.

However, as a practical restriction, consent is sometimes overrated. Explanation: Where privacy restrictions do exist, they are subject to exceptions allowing for use of personal information for a wide variety of purposes without consent. As explained by a leading privacy attorney (who, fittingly perhaps, asked not to be quoted by name), “an employer has a legitimate need to collect, use and disclose certain types of personal information about employees in order to operate the business and fulfill its obligations to employees.” Examples of legitimate functions for which consent-less use of an employee’s health or other personal information is generally justified:

  • Verifying the employee’s eligibility for sick leave or disability benefits;
  • Determining what accommodations to make for employees or job applicants with physical or mental disabilities required by the ADA; and
  • Filing workers’ compensation claims.

Rule 1: Consent MAY BE Required for Pandemic Planning
If you take just one thing from this article, let it be this: It is unclear whether pandemic preparation and response is a function that falls into the use-without-consent category. Equally unclear, then, is whether employees are required to provide you the personal health information your lab needs to make preparations for a pandemic. Bottom Line: You may need and should probably acquire employees’ consent to use their personal employee information for pandemic planning.

Rule 2: You Must Keep Personal Information Used to Minimum Necessary
Use of personal information must also be kept to the minimum necessary to accomplish whatever pandemic planning or response function you need the information to carry out. Thus, for example, it would be inappropriate to ask employees to undergo a physical exam or submit a complete medical record to assess their vulnerability to infection. Note that the minimum necessary restriction applies regardless of whether the use is consented to.

Rule 3: You Must Notify Employees of Information Use
You also need to notify employees of the personal information you use and why you need it for pandemic planning and response. “Transparency is an essential principle of personal privacy rights,” our attorney expert explains.

Rule 4: Information Must Be Kept Secure
Labs and other employers must maintain the security of any personal health information they collect from employees. Security measures include:

  • Physical barriers such as keeping files locked;
  • Electronic measures such as password protection and encryption; and
  • Administrative controls such as keeping the number of staffers with access to the information limited to the minimum necessary.

Rule 5: Information Must Be Properly Destroyed After Use
Finally, you must ensure that the personal information you collect from employees for pandemic planning and response is properly destroyed after it’s no longer needed.


Here are some of the specific things you can and can’t do to ensure that your pandemic planning and response activities don’t violate employees’ privacy, based on government guidelines, expert opinions and privacy best practices:

1. Identifying Employees Who May Need Alternative Work Arrangements

Situation: You generally have no right to ask employees who they live with. But gathering this information could become important to pandemic planning to the extent it enables you to determine which employees might have to make alternative work arrangements.

Wrong: Asking: “Do you have young children or elderly parents at home that you might have to stay home and care for in the event of a flu pandemic?”

Right: Distribute a survey asking employees if they may have to make alternative work arrangements to care for kids or elderly parents. This way, you will be able to estimate how many employees may be absent without collecting detailed personal information.

2. Identifying Employees Who Might Be Susceptible to Infection

Situation: You might want to warn any employees that have asthma, immunity deficiencies or other medical conditions that make them vulnerable to the flu to get vaccinated and take special precautions. But asking about an employee’s general medical condition may also be a privacy violation.

Wrong: Asking employees to furnish detailed information about their medical condition, e.g., making them tell you if they have asthma.

Right: Let all employees know that individuals with certain kinds of conditions are at risk and need to consider taking additional precautions.

3. Asking Employees If They’ve Been Vaccinated

Situation: You have an obvious interest in knowing if your employees have been vaccinated. But this again is personal information.

Wrong: Asking employees: “Have you and your family members gotten your flu vaccine?”

Right: Encouraging employees to get vaccinated and giving them information about vaccinations, such as vaccination clinic schedules.

4. Asking Employees for Personal Contact Information

Situation: Assuming you don’t already have this information, you may want to ask employees for contact information you can use to provide updates about a pandemic situation. But this is private information that employees might be loath to provide.

Wrong: Asking—and especially requiring—employees to give you their personal email or phone number.

Right: Asking employees to advise you how they prefer to be contacted and giving them alternative ways to get information from you without having to disclose their private contact information, such as having the employee agree to call in to the office at agreed-upon intervals.

5. Asking Employees Who Call In Sick If They Have the Flu

Situation: In a pandemic, you’ll probably want to keep track of how many employees are diagnosed with the flu.

Wrong: Asking employees who call in sick: “What’s wrong with you? Do you have the flu?”

Right: Asking employees who say they’re sick how long they expect to be out and when they plan to return. In short, asking for a prognosis is okay; but asking for a diagnosis is not.

6. Notifying Other Employees that a Co-Worker Has the Flu

Situation: If managers learn that an employee has the flu, they might want to notify others at the lab, including the employee’s co-workers.

Wrong: Disclosing an employee’s diagnosis to somebody else within the lab is just as impermissible as asking an employee to furnish his diagnosis to begin with.

Right: Letting others know that the employee isn’t available, and if necessary, when he’s expected to return.

Pandemic, Privacy & Practical Limits

| ☒ What You CAN’T Do | ☑ What You CAN Do |
|---|---|
| Ask: “Do you have kids or older parents that you might have to stay home and care for?” | Hand out a survey asking employees if they might have to make alternative work arrangements without specifically asking who they live with. |
| Ask: “Do you have asthma or other medical condition that makes you at high risk of infection?” | Notify ALL employees that certain medical conditions heighten the risk of infection and advise any employee who has such conditions to take special measures to protect themselves. |
| Ask: “Have you and your family been vaccinated?” | Encourage employees to get vaccinated and provide information, such as vaccination schedules and clinic locations, to help them do so. |
| Asking employees for personal emails or other contact information in case you need to notify them of pandemic developments. | Ask employees what contact arrangements they want to make and explore ways to maintain contact that don’t involve getting private emails, e.g., letting employees call in themselves at agreed intervals. |
| Asking an employee who calls in sick: “Do you have the flu?” | Asking an employee who calls in sick: “How long do you expect to be out of work?” |
| Telling an employee’s colleagues: “Joe has the flu.” | Telling an employee’s colleagues: “Joe has called in sick and isn’t expected to return until Thursday.” |
