States and cities around the country, hopeful that the worst of COVID-19 will soon pass, are discussing reopening businesses, public spaces, and schools. While privacy issues may not be the first thing that comes to mind in considering restarting the economy, reopening businesses raises some privacy-related concerns we should think through in advance, as best we can.
A business that wants to reopen will naturally be concerned that workers, visitors, and customers can return without endangering anybody's health. Common sense would seem to suggest a business can do that if it knows who has already had the disease, and so can be safely let back in. From this perspective, while asking people about their medical history would normally be seen as an invasion of privacy, that invasion would seem to be justified if it lets economic activity restart while keeping everyone safe.
Unfortunately, common sense may be misguided in this case, in ways that call into question the justification for the potential privacy invasion. Understanding why depends on some medical science, and some counterintuitive statistical laws, with which lawyers should become at least a bit familiar in order to navigate these issues.
We need to start with some science. It seems natural to think that someone who's had COVID-19 cannot get it again – which would be great. That would mean that those people are "safe" in public and in the workplace – they cannot infect anybody else and they cannot get re-infected. According to this theory, all we need to do is get people tested for the virus antibodies, get their results, and let the people who have had the disease back into workplaces as employees, visitors, or customers.
Unfortunately, and putting aside testing issues (see below), immunity is much more complicated than this "folk medicine" – thinking that once you've had a disease you cannot get it again – would suggest. As of this writing, while it is generally assumed that having had and recovered from the disease will confer some immunity, according to the World Health Organization there is "no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection."
In normal times we do not ask employees, visitors, or clients whether they've recovered from infectious diseases. While it would not be illegal in most contexts to ask, medical information is normally considered to be a private, confidential matter. The justification for making an exception now, and asking about who has had COVID-19, would be that knowing the answer will allow us to reopen our businesses without endangering public health or the health of our employees. If that is wrong – and the latest analyses suggests that it may be – then even though it is legal to do so, asking whether someone has had COVID-19 could be viewed as an invasion of privacy undertaken for no good reason.
Note that while asking employees or visitors about their COVID-19 infection status would not, in itself, directly implicate HIPAA or other privacy laws, collecting and retaining that information still raises potential privacy concerns.
For example, "medical information," or someone's "medical history," is often included within the definition of personal information under state data breach laws. So, if this information is to be collected and retained (whether for employees or visitors), businesses must take care to treat it as confidential and avoid its unauthorized disclosure.
Of course, medical research into all aspects of COVID-19 is ongoing, and it may well be that people who've had it cannot, in fact, get it again. If that turns out to be true, then at first glance it seems that we should feel free to ask our employees about their COVID-19 infection status so we can welcome them back to work, and ask visitors to our workplaces (including customers) to let us know their status so we can let them in.
But even if that's true, things aren't that simple – which brings us to a bit of statistics, called Bayes' Theorem.
No medical test is 100 percent accurate. Instead, any test will generate some "false positives" (a result saying they had disease when they have not), and some "false negatives" (a result saying they didn't have the disease when they did). The math is a little complicated, but it turns out that even with tests that sound really accurate – say, a false positive rate of only 5 percent, and a false negative rate of only 4 percent – you can still have a lot of people who did not have the disease show up with tests showing they did.
The chance that someone who tested positive (who we would therefore deem "safe" to come back to work) did not, in fact, have the disease depends on the portion of the overall population that actually has had the disease (which, of course, we don't really know). The way the math works out, the fewer the number of people in the overall population who have been infected, the less useful the test results.
For example, using the error rates noted above, if only 10 percent of the population has had the disease, there's a more than 30 percent chance that someone who has a test saying they had it, really didn't. (On the other hand, if 50 percent of the population has had the disease, then the chance someone with a positive test result didn't actually have it is less than 5 percent.) And that 30 percent chance can go way, way up if the testing error rates (the false positives and false negatives) go up – even to seemingly reasonable error rates.
So if (for example) the test "works" 90 percent of the time in this sense – which sounds pretty good – there would still be an even chance (a 50 percent likelihood) that someone whose test says they had the disease, really did not. Which brings us back to privacy concerns.
The counterintuitive statistical effects outlined above mean that requiring people (employees, customers) to take tests and disclose their test results – again, in normal times, very likely to be seen as a privacy invasion – does not make much sense unless the tests are widely performed and very accurate, which, at least as of now, they may well not be. So, we are in danger of intruding on people's medical privacy – doubtless with good intentions – without getting much in the way of improved public health as a result.
These statistical effects also undermine the justification for some of the more clever-sounding, but also potentially privacy-invasive, approaches to population monitoring as a basis for reopening the economy.
For example, it has been suggested that using drones or other means to monitor whether people have a fever, or are coughing or sneezing, will help identify people with COVID-19. The problem is that lots of people have fevers, and cough and sneeze, without having the disease (a high false positive rate), and lots of people who have the disease are asymptomatic (a high false negative rate). As just discussed, high false positive and negative rates can erode the value of knowing someone's test results.
COVID-19 presents us with a lot of uncertainty, and it is certainly true that improving our knowledge about the disease – including our knowledge about how many people have had it – will help us manage the process of reopening the economy. But we need to carefully examine the validity of our intuitions about immunity and about what we can learn from testing before we make decisions that would require the sacrifice of personal privacy to permit economic activity to resume without, supposedly, endangering public health.
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.
DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.