Pandemic & Privacy During the Flu Season
The difference between flu and coronavirus for purposes of workplace infection control and compliance.
First the good news: The policies and procedures that you’ve put into place to prevent COVID-19 infection in your workplace will serve you well in the upcoming flu season. Now the bad news: You won’t have as much legal leeway to prevent flu as you do to prevent COVID-19. As HR manager, you need to understand where the lines are drawn to ensure your flu measures don’t violate employees’ discrimination and privacy rights. Here’s how.
The Difference between Flu & Coronavirus
Flu and COVID-19 are both respiratory viruses that spread as a result of human contact. And both can be life-threatening. However, COVID-19 represents the more virulent threat. More significantly, at least for HR purposes, is that there are public health emergency orders in effect giving employers authority to take extraordinary workplace health and safety measures to prevent COVID-19 from spreading in the workplace. These measures, which include COVID-19 testing, pre-work screening and mandatory self-isolation aren’t allowed in normal times because they’re deemed discriminatory overly privacy invasive.
Because there’s no public emergency for flu, flu prevention measures are still subject to the normal discrimination and privacy limitations. Of course, things are far more complicated in real life to the extent that flu also happens to be a symptom of COVID-19. Accordingly, employees displaying flu-like symptoms may, in fact, lose their normal legal protections and be subject to the harsher COVID-19 treatment rules unless and until they test negative or are otherwise shown not to have the virus.
Employee Discrimination & Privacy Rights
Human rights laws ban discrimination and require accommodations for disabilities to the point of undue hardship. Human Rights Commission from across Canada have made it clear that coronavirus is considered a “disability” under the law. However, the flu isn’t. As a result, you don’t have to accommodate flu unless you know that the employee has COVID-19.
Most employees also have privacy rights vis-à-vis their employers, which stem from:
- PIPEDA and provincial personal privacy laws, especially in Alberta, BC and Québec which specifically cover employees (as does PIPEDA for employees of federally-regulated businesses);
- Medical privacy laws that protect patients but come into play when you seek to use employees’ personal health information (PHI);
- Common law, i.e., law made by judges in individual cases that create a precedent for future cases;
- Provisions of employment contracts, both individual and collective agreements with union employees;
- Privacy assurances contained in your own HR policies and Codes of Conduct; and
- Any other things you do to foster reasonable privacy expectations among your employees.
7 Basic Rules for Flu & COVID-19 Cases
The most basic privacy protection is the ban on collecting, using or disclosing (which, for simplicity’s sake, we’ll refer to collectively as “use” except where the context requires otherwise) an employee’s PHI without clear, written consent. But there are also exceptions where consent isn’t necessary. We know from previous guidelines issued during the H1N1 pandemic where privacy regulators draw the line for cases of influenza that aren’t subject to a public health emergency. And by wedding them with the current COVID-19 public health emergency requirements, we can come up with 7 basic do’s and don’ts for use of PHI on employees with the flu during the pandemic.
1. Do Ask about Flu for COVID-19 Screening
You don’t need consent to perform screening or collect information to determine if an employee has the flu, including directly asking the question “Do you have the flu or flu-like symptoms.” This rule is based on the privacy law exception that allows for use of employee PHI without consent in the event of a public emergency involving a serious and imminent threat to public health, like the one that’s now in effect for COVID-19.
2. Don’t Report Flu to Public Health Authorities
However, you don’t have the right or duty to report a flu case to public health authorities unless and until the employee is confirmed as having COVID-19.
3. Do Require Flu Cases to Self-Isolate
In normal times, you can strongly urge but not require employees who have the flu to stay home (unless your site is a medical facility, nursing home or other site where people are particularly vulnerable. But during the pandemic, you’re not only allowed but also required to make employees who have the flu or flu-like symptoms leave the workplace and self-isolate as a COVID-19 prevention measure. However, that right becomes much more problematic if the employee tests negative for coronavirus, in which case the normal rules would apply.
4. Don’t Use More than the Minimum Necessary PHI
The remaining privacy restrictions apply to both the flu and COVID-19. The first is to keep the PHI you use to carry out pandemic planning or response to the minimum reasonably necessary to perform the particular function involved. Thus, for example, it would be inappropriate to ask employees to undergo a physical exam or submit a complete medical record as a COVID-19 screening or return to work measure.
5. Do Notify Employees of PHI Use
You must notify employees how you intend to use the PHI you collect from them for COVID-19 screening and pandemic response purposes.
6. Don’t Use PHI for Other Purposes
Don’t use the flu and COVID-19 PHI you collect for any other purposes without first getting the employee’s consent.
7. Keep PHI Secure & Properly Destroy It
You must maintain the security of any PHI you collect from employees, via measures such as:
- Physical barriers such as locked files located in areas of limited access;
- Password protection, encryption and other electronic measures; and
- Administrative controls such as keeping the number of staffers with access to the information limited to the minimum necessary.
Finally, you must ensure that employees’ PHI is properly destroyed after it’s no longer needed.