For those small businesses considering a return to their office or coworking space, screening employees for symptoms of COVID-19 is a valuable—but not mandatory—way of preventing the spread of infection and contact tracing.

Not only for health reasons, COVID-19 screening can also be a good way for small businesses to cover their backs in the event an employee decides to take COVID-related legal action against them, a concern 70% of all small businesses share. And rightly so, given that since March 2020, workers have filed over 1,500 COVID-19-related lawsuits against their employers.

Although it might not seem like it, screening your staff for COVID-19 is actually a lot simpler than you might think. For many small businesses, it’s just a matter of dedicating one or two team members to be in charge of the task. Before your employees even get to the office, health screening questionnaires on mobile apps allow them to self audit, and then once they arrive, you can back these up with a quick temperature check.

However, the data gathered from COVID-19 symptom screenings must be handled with an abundance of caution in order to minimize legal risk, which would be costly for any small business to handle. And given that there are a number of regulations in this area, small businesses must take care.

Privacy and Confidentiality Laws

Given that health information is regarded as sensitive information, small businesses must collect it with employees’ privacy and confidentiality in mind. Failing to comply with privacy laws could ultimately result in employee litigation.

So here are the key pieces of federal legislation that small businesses need to bear in mind:

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA ensures that if businesses collect protected health information from their employees, they will be using it only for purposes related to the COVID-19 pandemic, and not to transfer the data to other parties, sell it, or inappropriately store it. For more information on how the HIPAA allows businesses to disclose protected health information for the public health activities of a public health authority, consult the Office for Civil Rights (OCR) guidance.

The Americans With Disabilities Act (ADA)

This anti-discrimination act requires employees’ medical information to be stored separately, and confidentially, from their employee personnel file. While this does not prevent employers from using the information to take action according to the CDC guidance on suspected or confirmed cases of COVID-19 in the workplace, the medical information should be kept as confidential as possible. For more information about the ADA and COVID-19, consult the guidance from the U.S. Equal Employment Opportunity Commission.

When it comes to state level legislation, seek legal advice specific to your geographic location. However, one specific act for small businesses operating in Illinois to to be aware of is the following:

Illinois Biometric Information Privacy Act (BIPA)

If your small business is planning to conduct a COVID-19 temperature check using biometric facial recognition technology — which is a good, contactless option — be aware that in the state of Illinois, a law exists to protect employee privacy when it comes to this form of data collection.

According to the BIPA, if businesses plan to use biometric identifiers to collect information on employees, they must be informed about what’s being collected, where it will be stored, and what purpose it will be used for. This guidance must then be collected, put together in a policy, and then shared with employees. While it’s by no means a small business, Amazon recently faced class action in an Illinois state court for violating the BIPA.

Practical Steps Small Businesses Should Take when Handling and Storing This Data

Conduct a PIA

When it comes to COVID screening data collection, taking shortcuts is not recommended. Small businesses can avoid costly privacy mistakes in the long term by first carrying out a Privacy Impact Assessment (PIA) which determines how the data collection will affect employee privacy, and preventing all the potential risks before starting to screen employees. It might also be a good idea to seek legal advice if this is not something your business has the internal resources to do.

Establish a Data Governance Policy

If there’s one piece of advice for small businesses collecting personal data, it’s to be completely transparent about it. Let your employees know exactly what personal or medical information will be collected from them, for what purpose it’s being collected, for how long it will be retained, and with whom it will be shared. And in order to facilitate this open communication, it’s a good idea to put together a data governance policy and make sure it’s widely shared among employees.

Obtain Consent

Depending on the methods your small business intends to use to collect COVID-related information, you may need to obtain employees’ consent before screening them for the virus. Some contact tracing apps that use geo-tracking, for example, can require consent from the end-user to collect their data.

Collect as Little Data As Possible 

An employee COVID-19 screening questionnaire requires the collection of some specific personal information. Medically, you’ll need to know whether the employee is experiencing:

  • A fever
  • A new cough
  • Difficulty breathing
  • A sore throat
  • Body aches
  • Vomiting or diarrhea
  • A new loss of taste or smell

Beyond this, as a business, you should already have the other personal information you need about your employees, so there’s no need to ask for this again.

Safeguard Information

Ideally, the task should be delegated to one or two employees who have an appropriate level of seniority and the capacity to manage it, and no one else. This data should then be kept private, not stored on any shared drives, sheets, or docs, so that other employees cannot access the information, and protected by a password or two-factor authentication.

If your business doesn’t already have one, investing in a data privacy vault can be a good idea. While it’s less for a small business to be targeted by cyber criminals, you can also protect your business against data theft by encrypting the files.

In sum, given that widespread vaccine distribution remains a long way off and partial returns to workplaces are increasing, COVID symptom screening is a reality that small businesses will need to get used to. But the issue of data privacy, if not taken seriously, could end up becoming even more costly for a small business than the virus itself.

The key to working through these challenging conditions is building a trustful relationship with your employees, ensuring communication is constant and transparent, and giving them agency over their own data so that workers will not feel forced to resort to legal action, no matter how unfortunate the circumstances.

Written by Adam Day, President & CEO at Time Rack, a time and attendance and HR services company that provides COVID return-to-work-safely services for businesses across a broad range of industries and workplace settings.    

 Screening stock photo by Janon Stock/Shutterstock