As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what should they be thinking about in deciding to adopt one or more of them.

Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table)*

Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and on-going effort. Technologies, such as those listed in the Table, can help.  Some of the features of these technologies include:

  • Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
  • Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster more efficient way while minimizing contact that might further spread of COVID19.
  • Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.

The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:

  • What is the organization’s goal for the technology? If the goals of the organization is keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider.  However, if the goal is the identify other workers who may have been exposed to a COVID19 positive co-worker, the contact tracing technologies may be more appropriate.  To this end, it is important to consider the organizations goals prior to selecting technologies for implementation.
  • Does the technology work? For temperature taking/scanning technology, this may mean validation of the accuracy of the device.  When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
  • Will the technology require employees to incur expenses that must be reimbursed? In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
  • Is bargaining with the union required? As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s).  Depending on which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
  • Is notice/consent required? This may be a difficult question to answer without having an understanding of the data that the technology is collecting. For example, collecting the geolocation of employees as well as their COVID status, and interactions with others all are likely elements of personal information under the California Consumer Privacy Act (CCPA) which applies to employees that reside in California if the organization is subject to the law.   Similarly, electronic tracking of workers or the collection of worker’s biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation.  If the technology requires access to an employee’s personally-owned device, notice and consent are likely required, but most certainly a best-practice.  While many think HIPAA is implicated in the collection of workers’ temperature or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
  • Will workers participate? Determining whether technology implementation may require notice or consent is discussed above.  However, if implementation and/or usage is voluntary the effectiveness of the technology in meeting the organizations goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding same, and address concerns over privacy and relates issues in order to ensure buy-in and effectiveness.
  • How is data collected, shared, secured, returned? Understanding the answers to these questions are imperative in order to help ensure compliance. This is especially true as there are numerous laws which may be implicated when data is collected from workers.  These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, CCPA, and the General Data Protection Regulation (GDPR).  In addition to statutory or regulatory mandates, organization will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data.  Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data it is responsible for.
  • Are employees implementing the technology capable, trained? Should “managers” be viewing dashboards which provide extensive information about many of the organization’s workers? In these uncertain times an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, as well as state laws protecting against discrimination for lawful off-duty conduct (that may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
  • What is the relationship with the vendor? The organization’s relationship with the vendor is established way of contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions.   This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
  • When should we stop using the technology? The Equal Employment Opportunity Commission (EEOC) has said that currently COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers onsite. The EEOC has not yet expressly addressed contact tracing.  As organizations look to the future, and the hopeful end to the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies.  The EEOC may provide that guidance, however, organizations may still have reasons to continue utilizing some of these technologies.  For example, contract tracing may continue to help slow/limit spread within an organization.  Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19.  At points during this process, organizations also will need to consider whether and how long to retain the data collected.

In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID19, ensuring a safe and health workplace and workforce, and preventing future pandemics.  Nevertheless, organizations must consider the legal risks, challenges, and requirements with any such technology prior to implementation.

 

*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install same with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements concerning the selection and implementation of any technology solution.  

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.

Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Workplace Privacy, Data Management & Security Report blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Jason represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. He negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Jason represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination, and wage and hour claims in both federal and state courts. He regularly appears before administrative agencies, including the Equal Employment Opportunity Commission (EEOC), the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. Jason’s practice also focuses on advising/counseling employers regarding daily workplace issues.

Jason’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Jason regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, Inc.com, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and HR.BLR.com.

Jason is the co-leader of Jackson Lewis’ Hispanic Attorney resource group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm’s attorneys to assist in their training and development. He also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Jason served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.