Sunday, May 24, 2020

Employee Health Screening Apps are Coming - Proceed with Caution

COVID-19 and the resultant business and economic freeze may very well prove to be the largest global event occurring in any of our lifetimes.  The loss of lives, livelihoods, businesses and the long-term effects on mental health and culture are far from complete, yet already devastating.  Now, employers grapple with the most significant decision they are likely to ever make: when to come back to work and how.

Many employers will be lured into the siren song of safety above all else and succumb to a balancing act that tips heavily in favor of control and surveillance over individual liberty.  I fully understand the impetus.  Employers find themselves in a tricky Catch-22.  They must do that which is reasonable to protect the health and safety of their workers without trampling on employee privacy, health or liberty. 

As the attorneys at Ropes & Gray LLP point out, "[e]mployers looking to introduce these apps may point to their duty under the Occupational Safety and Health Act (“OSHA”) to furnish to workers 'employment and a place of employment, which are free from recognized hazards that are causing or are likely to cause death or serious physical harm.'"  But as Americans, we have far more individual liberty protection than people in the Asian countries that are months ahead of us and have already implemented severe state, local and employer controls.  For example, "China has already introduced virtual health checks, contact tracing and digital QR codes to limit the movement of people. Antibody test results could easily be integrated into this system."

Beyond any employer's legal analysis (which is undoubtedly important), the cultural differences in the United States should oblige employers to proceed with more than a modicum of caution.  We have a vast network of federal, state, local and employment laws and regulations protecting our individual liberties.  What's more, there is that inherent and deep love for liberty embedded in our Constitution and in our core as a people.  America was founded on the concept that liberty outweighs security.  As Benjamin Franklin famously wrote in the Pennsylvania Assembly's 1755 reply to the Governor:
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Ropes & Gray nicely summarized these points as follows:  
Because of contact-tracing apps’ intrusive nature and the laws discussed above, employer-required or employer-implemented electronic contact tracing could be viewed as overreaching. These concerns would be heightened for an employer seeking to implement a blanket requirement that all employees must install and use the app, or seeking to gather and use COVID-19 data of employees when they are off duty. As such, any employer-implemented program should be carefully designed, reviewed, and vetted. In general, consent-based approaches will be easier to implement, particularly if the consent, even if opt-out, is prominent and comprehensive notice of how the information will be used is provided. ...

Finally, public fear of government and corporate mass surveillance is well established. As such, employers may encounter considerable resistance if they require (or even strongly encourage) installation of these apps on employees’ personal smart phones, which have large amounts of personal data and are already subject to heightened legal protections.
Behemoth corporations are now lining up to create such apps.  Google, Apple, Microsoft and UnitedHealth are all working on projects to gather up as much as possible about your employees' health and report some of that data back to you.  And while none of these companies have discussed going quite this far, Natalie Kofler & Françoise Baylis writing at Nature asked us to:  
Imagine a world where your ability to get a job, housing or a loan depends on passing a blood test. You are confined to your home and locked out of society if you lack certain antibodies.

It has happened before. For most of the nineteenth century, immunity to yellow fever divided people in New Orleans, Louisiana, between the ‘acclimated’ who had survived yellow fever and the ‘unacclimated’, who had not had the disease. Lack of immunity dictated whom people could marry, where they could work, and, for those forced into slavery, how much they were worth. Presumed immunity concentrated political and economic power in the hands of the wealthy elite, and was weaponized to justify white supremacy.

Something similar could be our dystopian future if governments introduce ‘immunity passports’ in efforts to reverse the economic catastrophe of the COVID-19 pandemic. The idea is that such certificates would be issued to those who have recovered and tested positive for antibodies to SARS-CoV-2 — the coronavirus that causes the disease. Authorities would lift restrictions on those who are presumed to have immunity, allowing them to return to work, to socialize and to travel. This idea has so many flaws that it is hard to know where to begin.
Kofler and Baylis went on to list ten reasons they think immunity passports are a bad idea.  And while they are looking at a different legal and moral question (government immunity passports vs. employer health tracking apps) note how many of these reasons apply to employers as well: 
  1. COVID-19 immunity is a mystery
  2. Serological tests are unreliable
  3. The volume of testing needed is unfeasible
  4. Too few survivors to boost the economy
  5. Monitoring erodes privacy
  6. Marginalized groups will face more scrutiny
  7. Unfair access
  8. Societal stratification
  9. New forms of discrimination
  10. Threats to public health
On the purely legal front, here is how Ropes & Gray came down on the most prevalent question I've heard from employers:  
Can I require my employees to download a contact-tracing app as a condition of continued employment?

In general, private employers likely could lawfully mandate that employees utilize a contact-tracing app, provided that the mandatory program is administered in a manner that is no more intrusive than necessary to meet the legitimate business concern. The permissibility of a contact-tracing app may vary based on differing employment settings, the employer’s business necessity for employee proximity, and whether the employer can implement less intrusive measures to provide a safe environment. For instance, a professional services firm, where the vast majority of employees can (or do) work remotely and thus present no immediate danger to anyone else in the workplace, may have difficulty showing the app is a business necessity and not more intrusive than necessary. On the other hand, an industrial meat-processing plant that requires in-person presence and where the nature of the work prevents social distancing within the plant may readily make the required showing, but note that the app may not be effective if these employees do not keep their smart phones on their person during the work day and, instead, store them in a locker off the factory floor.

Further, employers must ensure that the app is used in a non-discriminatory manner and that any medical or other personal information the employer obtains is stored confidentially and separate from employees’ personnel files. Employers would likely be required to cover the costs associated with the apps or the acquisition of smart phones to run the apps for employees who do not already own smart phones. Employers should seek to obtain consent from employees that authorizes the employer to obtain, use, and disclose to public health officials employee health information and geolocation data, as well as installation of the software for contact assessment and tracing.

Public employers may also mandate use of a contact-tracing app. However, in addition to satisfying the requirements noted above, they must consider the equal protection and due process implications. In particular, with respect to due process, public employers likely must ensure that there is a post-determination appeal process for anyone who has been denied access to the workplace as a result of being identified as COVID-19 positive or at risk based on his/her geolocation contacts. Voluntary employee participation programs may be more defensible from a privacy law perspective, but will require widespread adoption for public health effectiveness.
What about an app that relies solely on an individual's own self-reported COVID-19 diagnosis or symptoms?  This approach definitely helps to alleviate the legal and ethical burdens an employer will face in the process, but the application can only be as reliable as the integrity of the individual inputting the data.  So while this may help an employer feel that it is doing that which is reasonable to protect other employees, it really might just be engaging in a form of modern-day, corona-security virtue signaling.   

Employers must also consider the inevitable data leaks and hacks that will arise from these third-party apps.  The resultant HIPAA violations, credit monitoring, cleanup and public relations nightmare that will follow will be no small matter.  It never is after any sort of employer or third-party leak or hack.  In fact, many employers are surprised to learn that an employee's medical record is worth more to hackers than their credit card:
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.

“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.” ...

The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.  
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
What about the strategic storage and use of your data?  Did you happen to notice that one of the giant corporations listed earlier in this post is also a massive, nationwide health insurer?  For that entity, every bit of granular data it can extract about your employees allows it to increase your premium as well as its shareholders' profits.  Employer health plans should always follow one simple rule in health data management - never, under any circumstance, disclose more about employee health status than is absolutely necessary under the law.  I generally take this rule one step further as a broker and attorney working in the field.  I never, under any circumstances, want to obtain or possess any more health or private information than is absolutely necessary under the law.  Possessing or knowing that data, or allowing it to be held in more places than necessary, simply opens up the employer to more liability and headaches than necessary.  

Employers will be presented with countless advertisements and arguments for installing some form of health-tracking application as we consider how to return to the workplace.  And I know that many of these arguments will be good ones.  I just fear that the counterbalancing arguments in favor of liberty, privacy and lawful data protection will be outweighed in this process as there won't be any gigantic multinational corporations lined up to profit from the sale of common sense, individual liberty and employee privacy.