COVID Compliance Considerations for Reopening Your Business
June 24, 2020
Reopening a business in the middle of a pandemic isn’t just unprecedented, it’s also a lot of work. Companies are doing a lot more work these days to implement new strategies and protocols to protect employees and others, all while trying to avoid liability and risk by keeping up with the latest COVID guidance, regulations, news, and research. This is made even more difficult by the fact that the “noise” around COVID is at an all-time high.
Many states and cities are enacting new regulations, but because we have yet to see many court cases, there’s no legal precedent for bringing employees back to work. It’s no wonder that countless leadership teams and human resources professionals are confused about how they should return to work.
Organizations that are able to demonstrate action, accountability, and compliance are in a far better position to bring employees back safely, and also provide solid evidence to anyone who might question how they’re protecting their employees (e.g. regulators, insurance companies, journalists, lawyers, and even from employees themselves).
There are four primary regulatory considerations that are likely to impact the way companies return to work. A company’s ability to demonstrate compliance with the following regulations can have a profound impact on business continuity and employee trust moving forward:
- Public health guidelines
- Federal regulations
- State regulations
- Data protection regulations
Public Health Compliance
While many public health decrees are advisory in nature, they can serve as a good measure for whether reasonable care was taken to protect employees from infection. If an employee gets sick and takes legal action against your business, they may claim that the organization was not properly adhering to guidelines issued by public health authorities like the CDC and OSHA. This can sometimes feel like a moving target, since these organizations’ guidance is changing rapidly as more is learned about COVID-19.
The best way to demonstrate action and accountability is to develop workplace policies and practices around scheduling, leave requests, and travel, while also incorporating basic safety guidelines for those who do come into the workplace. This might include things like: frequent hand-washing, wearing masks, maintaining distances of 6 feet, alternating work shifts to reduce exposure, and daily health monitoring to manage risk.
Simple adherence to the aforementioned public health guidelines will do more to prepare businesses for compliance with new regulations than will any other efforts, because these measures prioritize employee safety and emphasizes accountability when returning to work.
To learn more about developing an effective return-to-work strategy that incorporates public health guidelines, watch a recording of our webinar: Getting Back to Business: HR Tools to Help You Return to Work Safely.
The Occupational Safety and Health Administration (OSHA) updated their guidelines on June 18, recommending that employers should “continue to focus on strategies for basic hygiene, social distancing, identification and isolation of sick employees, workplace controls and flexibilities, and employee training” during each phase of the reopening process in the U.S.
In the Equal Employment Opportunity Commission (EEOC)’s most recently updated version of the Pandemic Preparedness in the Workplace and the Americans with Disabilities Act, the federal agency stipulates that all information regarding the medical condition or history of an employee – including daily health monitoring surveys – must be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record.
On April 9, 2020, the Office for Civil Rights (OCR) announced it would not impose penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.
OCR also mandated that anyone covered by HIPAA should maintain robust privacy compliance programs and monitor future OCR announcements about the HIPAA Privacy Rule, which recognizes the need for health care providers to give employers access to health information in certain situations.
Because COVID testing falls under HIPAA’s workplace medical surveillance exception, health care providers may disclose health screening results directly to an individual’s employer when the service was provided at the employer’s request, and when the employer needs the health data to demonstrate compliance with legal obligations related to workplace health monitoring.
Health care providers must give the individual written notice that their health data will be disclosed to their employer, and are required to limit the disclosure to only the health survey results, and nothing else.
On April 1, 2020, the U.S. Department of Labor (DOL) introduced the Families First Coronavirus Response Act (FFCRA), a temporary regulation which mandates that businesses with fewer than 500 employees must give entitlement to take leave related to COVID-19 if their employee is unable to work for various reasons, like: isolation orders, recommended self-quarantine due to an employee having COVID symptoms that would prohibit them from coming to work, caring for a vulnerable individual or for child whose school or care facility is closed.
Health monitoring enables companies to identify whether an employee is safe to come to work, which can help them more easily determine who is eligible to receive paid leave due to new FFCRA regulations.
Each U.S. State has their own phased approach to reopening businesses, but the laws are changing on a near-daily basis, as they’re likely to shift more as new data emerges, especially new statistics that indicate an increase or decrease in COVID infection rates in a particular city or state.
- For a static list of the most up-to-date statewide orders for employee temperature and health screenings, click here.
While each state regulation is different, it’s important to note that 26 states (including Florida, Illinois, and Texas) recommend health monitoring practices for either all businesses or certain industries, and 27 states (including California, New York, and Ohio) require health monitoring practices for either all businesses or certain industries. Of those 27 states that require health monitoring, 9 require temperature screenings for either all businesses or certain industries, like restaurants, personal care services, and fitness centers.
We previously mentioned the HIPAA Privacy Rule, but there are a few other state and federal privacy regulations that companies need to comply with, especially as they begin health monitoring and temperature screening practices to reopen their businesses. Ultimately, companies need to protect their employees’ data protection rights, and not just for compliance with privacy regulations, but also to build trust by demonstrating that they’re keeping employee data safe.
In May 2020, the Public Health Emergency Privacy Act (PHEPA) was introduced by several U.S. Senators. It requires opt-in consent and data minimization, limits data disclosures to the government, and has overly broad exemptions for manual contact tracing, public health research, public health authorities, and entities regulated by HIPAA.
Privacy experts believe PHEPA is a good start, but has room for improvement, as it expressly applies to health data (like health survey and testing results), and outbreak tracking data (such as location, proximity, or any data collected by a personal device). The bill extends to government and private entities that electronically process health data, or that develop websites or mobile apps for COVID-19 purposes.
The COVID-19 Consumer Data Protection Act (CCDPA) was also introduced by several U.S. Senators, but privacy experts at Electronic Frontier Foundation (EFF) believe it is misstep because it would preempt state laws related to the processing of personal data for COVID tracking and contact tracing purposes, and, among other things, that it would cut back on the newly passed legal rights of Californians (CCPA) to access, delete, or opt-out of the sale of their personal health data collected for COVID purposes.