A New Privacy Headache: Virginia’s COVID-19 Workplace Safety Rule is Poised to Impact Privacy

On July 15, 2020, the state of Virginia adopted the first-of-its-kind COVID-19 workplace safety mandate. Propelled by months of inaction from a federal agency tasked with nationwide enforcement of workplace safety relating to COVID-19, Virginia’s Safety and Health Codes Board adopted an emergency regulation designed to establish requirements for employers to control, prevent and mitigate the spread of the virus. The new regulation applies to every employer, employee, and place of employment in the Commonwealth of Virginia within the jurisdiction of the Virginia Occupational Safety and Health program.

All employers are now required to:

  • Assess their workplace for hazards and job tasks that can potentially expose employees to COVID-19;
  • Classify employees according to the hazards they are potentially exposed to and the job tasks they undertake and ensure compliance with the “very high,” “high,” “medium,” or “lower” risk levels of exposure as designated in the regulation;
  • Inform employees of the methods of self-monitoring, and encourage them to self-monitor, for signs and symptoms of COVID-19 if they suspect possible exposure or are experiencing signs of an oncoming illness;
  • Develop and implement policies and procedures to address a situation where the employer is notified that an employee has tested positive for COVID-19 antibodies or live virus;
  • Develop and implement policies and procedures for employees to report when they are experiencing symptoms consistent with COVID-19;
  • Prohibit employees or other persons known or suspected to have COVID-19 from reporting to work, or from remaining at the workplace or on a job site (teleworking is permitted), for at least 10 days or until they receive two consecutive negative tests;
  • Ensure that sick leave policies are flexible and consistent with public health guidance and that employees are aware of these policies; and
  • Notify all coworkers of an employee who has (1) been in the office in the last 14 days and (2) tests positive – within 24 hours of discovery of their possible exposure – without revealing the identity of the positive employee. The employer must also notify other employers who work in the same building and the building/facility owner. Further, the employer must keep confidential the identity of the known COVID-19 person in accordance with the requirements of the Americans with Disabilities Act (ADA) and other applicable Virginia laws and regulations.

While each of these requirements will require changes to the workplace environment, along with updates to policies, procedures, and processes, the last bullet point creates an especially challenging privacy obligation, particularly for small businesses or small offices, but also for larger operations with multiple offices. For example, let’s say an employer is notified that John Doe tests positive in an office of 10 people. John Doe has also traveled to two other offices in the state within the 14-day window. The employer must now notify the employees of all three offices, other employers in those three offices, and each of the building/facility owners of those offices.

These disclosures must also be made without disclosing the identity of the individual who tested positive. It is easy to think of a scenario where implicitly revealing the identity of a person who tests positive will be unavoidable. Even in a larger office, if John Doe is normally at work every day, is suddenly absent, and within 24 hours the employer announces that an employee has tested positive, it will implicitly reveal that it was John Doe. This is particularly true given the duration that John Doe will have to remain out of the office even if asymptomatic after testing positive.

Given this regulation’s potential conflict with medical privacy laws, ADA regulations, and other applicable Virginia laws and regulations, businesses will need to implement these requirements while keeping these very complex privacy issues in mind. At a minimum, businesses should do their best to minimize these instances of implicitly revealing a diagnosis to the extent they can.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.