Letting People Know an Employee Has COVID-19 without Violating the Victim’s Privacy Quiz
You’ve gone to heroic lengths to prevent COVID-19 infection in your workplace. So, the call notifying you that one of your employees, Ann Feckted, has tested positive for the virus comes like a kick in the gut. You immediately activate response mode by ordering Ann to go into isolation as required by public health guidelines and initiating the following communication actions:
- Reporting the case to local health authorities
- Posting signs and notices in entryways, break rooms and other gathering areas warning that somebody in the facility was recently confirmed as having COVID-19
- Emailing each member of Ann’s crew to let them know about the situation and advising them to stay away from Ann until she safely reemerges from self-isolation
- Telling outside contract workers and visitors with whom Ann had close contact in the past 48 hours that a worker they recently encountered has COVID-19 and advising them to get tested
What did you do wrong?
- All your actions were legal except for the emails disclosing Ann’s illness to crew members.
The fact that Ann has COVID-19 is what PIPEDA and other privacy laws refer to as protected health information (PHI). General Rule: You can’t disclose PHI without the person’s consent. Exception: You don’t need consent if the disclosure:
i. Serves a legitimate COVID-19 infection control purpose;
ii. Includes only the PHI necessary to accomplish that infection control purpose; and
iii. Doesn’t cast a stigma or subject the person to discrimination.
All of your disclosures served a legitimate COVID-19-related purpose, and 3 of the 4 also satisfied criteria ii. and iii. But your email to crew members crossed the line because it identified Ann by name. You could have put the crew members on notice by just revealing that somebody they work closely with has COVID-19, without naming names. You can also get into trouble even without naming names, to the extent that the crew members can piece together the information you do provide to identify Ann as the unnamed person to whom your email refers, e.g., saying that a “crew member” has COVID-19 when there are only 2 persons in the crew.
One more thing: Warning the crew members to keep away from Ann, while well intentioned, can also be interpreted as exposing her to stigma and discrimination. So, C is the action that crossed the line.
WHY ALL THE OTHER COMMUNICATIONS WERE LEGAL
A is okay because notifying public health officials of confirmed COVID-19 cases in your workplace isn’t only permitted but legally required, even without the person’s consent.
B is okay because under current public health guidelines, employers are supposed to notify those who had recent (i.e., within 48 hours) close contact with a person confirmed as having COVID-19, because it alerts them to their own potential exposure, as long as the disclosure doesn’t name names or provide other information enabling the recipients to identify the person referred to in the notification.
D is okay because public health guidelines advise employers who become aware of an infection in the workplace to post signs and notices warning workers and other people in the premises, but without disclosing names, positions or other information that could be used to identify the person with COVID-19.