COVID-19 Mandates Bring New Security Risks for Employers
As Covid-19 sees employers collect more employee health data, Proskauer's Ryan Blaney discusses what companies need to know about the potential security risks.
Companies are finding themselves in new territory as they collect information about employees’ COVID-19 vaccination status and test results. Whether they’re doing it to comply with government mandates or of their own accord, companies are now in the business of collecting and protecting sensitive employee health data.
Ryan Blaney, head of the global privacy and cybersecurity group at law firm Proskauer and a partner in the firm’s healthcare practice, explains what employers need to know to protect employee health information, and to shield themselves from the legal and reputational damage that could stem from a data breach.
Below is an edited and condensed version of the interview with Blaney recorded for ACG’s GrowthTV, which you can watch here.
What are some of the challenges you’re hearing from clients as they track COVID-19 vaccination or testing data from their employees?
Ryan Blaney: We’ve seen a transition from voluntary disclosure to more mandatory disclosure, and that often changes the attitudes about an employee disclosing certain information. We’ve found that a lot of our clients are getting a lot more questions from their employees, and they’re being scrutinized more closely in their collection practices.
One of the things that we get questions about is whether the Health Insurance Portability and Accountability Act (HIPAA) applies. HIPAA is a federal law designed to protect patient health information from being used, stored or disclosed without a patient’s permission.
Our clients, who generally tend to be middle-market employers, are having to respond to questions from their employees who are saying, “I can’t turn this over because you, employer, are violating my HIPAA privacy rights.” That’s one of the main misunderstandings that we run into. Yet HIPAA generally does not apply in this context, and it certainly doesn’t apply to the individual. It’s a narrow federal statute that applies, essentially, to covered entities and business associates of those covered entities: doctors, hospitals, a health plan.
What should a company consider as it decides how it’s going to collect vaccination and testing data from employees?
RB: The first decision that any company has to make is whether they’re going to collect this data in-house or use a third party. Certainly, if they’re doing it in-house, there are risks associated with that collection. Are you going to be asking someone to email a copy of their vaccination card, for example? If so, you’re going to have to scrutinize your own email systems and decide whether you’re comfortable that they’re secure enough to receive this type of information.
If you’re not comfortable collecting vaccination data in-house, are you going to use a third party to act on your behalf? Well, now you have other issues. This third-party vendor is going to have access to your employees’ personal information, so you’re going to have to ensure that the third party has in place security and a reputation of being able to handle sensitive data. You’ll have to do your diligence around that vendor so that you’re comfortable with those aspects.
What can a company do to mitigate its risk of exposing sensitive data, and what’s at stake if a breach occurs?
RB: First of all, what is being collected is important. If you have a security incident where the data is breached, who is going to hold the company accountable will depend on what type of information is being collected.
We advise that you collect only the minimum necessary amount of information. For example, maybe you don’t need to collect information about where an employee got their vaccination, or details beyond what’s on their card. Maybe you just need to collect whether they got the shot or not, rather than whether it was Pfizer or Moderna.
Limit collection to what you absolutely need to accomplish your goal, which is to protect other members of your workforce and your company as a whole. That limited collection will then mitigate some of the risks if there is a breach. The other thing that I recommend is to control access to the information, and limit it to a small number of people and know who they are. Not all managers should have access to this information.
If you do ever have a breach, the regulators that are going to come after you are going to be the same ones that investigate other privacy-related breaches. These are state attorneys general, and potentially some federal agencies—perhaps the Department of Labor. If on the off chance it was health information that was covered by HIPAA, you would have the Health and Human Services Office of Civil Rights.
The other risk is a potential class-action lawsuit, with private plaintiffs. California, for example, has certain privacy rights that other states don’t give.
The last piece, which I think is probably the most important in terms of potential risks, is the threat to your brand. If there’s media coverage, which there could be, especially if it’s a high-profile brand, you’d have to defend yourself publicly.
That blow to the brand can be especially damaging for middle-market companies that are looking to get investors and trying to show that they have great practices around privacy and other things. If you have to deal with coverage in the media of an incident, and now all your employees’ COVID-related information is out there, that can be problematic.
In a worst-case scenario where a trove of employee data is compromised in a breach, what should a company do in response?
RB: First and foremost, you need to make sure that the breach is no longer occurring. If it’s a ransomware attack or bad actors were in your system, you need to make sure they are no longer inside and put in place safeguards.
Then, you need to gather the facts of the incident and understand how the breach occurred.
The other thing is to be transparent. But you have to understand that anything that you say to your employees who are impacted is timed with certain disclosures to regulators.
There are all sorts of state laws that stipulate when you can make notifications to a regulator versus the impacted individual, and those are going to be triggered by general privacy laws. In most states, even if the healthcare information isn’t covered by federal law, it could potentially be covered by state privacy laws and state data protection laws. You’re going to have to do an analysis and make sure that you’re complying with state laws, including in the state where the person impacted resides. You have to make sure that you comply and that you notify regulators in a timely way.