As attorneys and staff return to the office, law firms will be collecting sensitive health and personal information about employees, clients, vendors, and other visitors to detect coronavirus symptoms, prevent transmission of COVID-19, and track social interactions. Though federal and state law previously prohibited collection, use, and disclosure of employee health information, the pandemic has prompted regulators to permit such activities, as long as we comply with information privacy and security laws.
Because most law firms do not typically handle this type of sensitive information about these individuals, we are generally unfamiliar with the regulations that apply, and are unaware of and unprepared to implement the privacy and security controls necessary for these circumstances. The following are key steps for firms to take.
- Provide an appropriate written notice to individuals about the particular health and personal information collected, used, and disclosed, and the legally permissible purposes for which the firm will do so. Obtain written consent from individuals that complies with applicable privacy laws before engaging in such activities.
- Ensure that the collection, use, and disclosure of health and personal information is only for purposes specifically permitted by applicable privacy laws. Adopt a written policy governing these activities (or ensure the firm’s existing policy addresses this situation), and train all employees with access to such information about the policy and regulations.
- Notify individuals of their rights with respect to the collection, use, and disclosure of their health and personal information, such as limiting the use of the information, obtain copies of the information, and requesting that the firm destroy it. Honor and enforce those rights whenever exercised by individuals.
- Implement security controls appropriate to protect the sensitive nature of the information in both hard copy and electronic formats. If the firm plans to use an online application to collect and manage this information, conduct appropriate due diligence to ensure that the provider complies with privacy and security laws, and enter into an appropriate data processing agreement with the vendor.
As attorneys and staff return to the office, law firms need to take steps to protect both the safety of our employees, clients, and other visitors, as well as the privacy and security of the sensitive health and personal information we collect and use to do so. Working with an experienced information privacy professional to implement the foregoing steps will enable the firm to accomplish both of these important objectives.