Companies beginning to reopen might consider contact tracing to mitigate risk. These organizations and their employees alike may have well-founded worries, however. Galvanize’s Dan Zitting addresses concerns with respect to HIPAA compliance and data privacy.
Cases of COVID-19 are continuing to rise in the U.S., but companies are eager to get back to work and are opening their doors despite the ongoing crisis. However, reopening creates a significant amount of risk. One way to handle this new risk is by implementing contact tracing.
Contact tracing has a reputation for being an expensive, laborious and time-intensive process that requires immense amounts of personal, potentially confidential information. This can be the case if organizations collect employee health information, but many companies already have the data needed to effectively put controls into place to mitigate reopening risk while maintaining data privacy and HIPAA compliance.
Take warehouses filled with sensors or offices that use badge access to enter rooms: With relatively simple analysis of the sensor or badge data, organizations can determine which employees have been in proximity with each other. Companies can get even more granular location data by having employees wear wristbands or adding code to company apps on employee phones.
From a risk perspective, companies may not know who has COVID-19, but they do have access to HR data regarding who has taken sick days. By combining HR data with physical location data from badges or wristbands, companies can make informed decisions about at-risk employees and take appropriate action, like asking potentially infected employees to not come into the office with pay.
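The badge-plus-sick-day correlation described above, as an added Python example that is not from the original article or from Galvanize; the badge sessions and the HR sick-day record are constructed sample data, and the 15-minute overlap and 7-day lookback are assumed thresholds that a real program would set with its risk team.

```python
from datetime import datetime, timedelta, date
from itertools import combinations

# Constructed sample badge-access sessions: (employee_id, room, enter, exit). Not real data.
BADGE_LOG = [
    ("E1", "lab-2", datetime(2020, 6, 1, 9, 0), datetime(2020, 6, 1, 12, 0)),
    ("E2", "lab-2", datetime(2020, 6, 1, 10, 30), datetime(2020, 6, 1, 11, 15)),
    ("E3", "lab-2", datetime(2020, 6, 1, 11, 55), datetime(2020, 6, 1, 14, 0)),
    ("E4", "office-7", datetime(2020, 6, 1, 9, 0), datetime(2020, 6, 1, 17, 0)),
    ("E1", "office-7", datetime(2020, 5, 20, 9, 0), datetime(2020, 5, 20, 17, 0)),
]
# Constructed HR record: employee -> first sick day (an absence, not a diagnosis).
SICK_DAYS = {"E1": date(2020, 6, 3)}

MIN_OVERLAP = timedelta(minutes=15)   # assumed: shorter shared presence is ignored
LOOKBACK = timedelta(days=7)          # assumed: contacts this long before a sick day count

def shared_time(a, b):
    """Time two sessions spend in the same room; zero when rooms or times differ."""
    if a[1] != b[1]:
        return timedelta(0)
    return max(min(a[3], b[3]) - max(a[2], b[2]), timedelta(0))

def contacts(log, min_overlap=MIN_OVERLAP):
    """Map each co-located pair of employees to the days they shared a room long enough."""
    found = {}
    for a, b in combinations(log, 2):
        if a[0] != b[0] and shared_time(a, b) >= min_overlap:
            pair = tuple(sorted((a[0], b[0])))
            found.setdefault(pair, set()).add(max(a[2], b[2]).date())
    return found

def at_risk(log, sick_days, lookback=LOOKBACK):
    """Employees who shared a room with a colleague in the window before that colleague's sick day."""
    exposed = set()
    for (x, y), days in contacts(log).items():
        for sick, first_day in sick_days.items():
            if sick in (x, y) and any(first_day - lookback <= d <= first_day for d in days):
                exposed.add(y if sick == x else x)
    return exposed - set(sick_days)

def purge(log, today, retain=LOOKBACK):
    """Drop sessions older than the lookback window: location data no longer needed for tracing."""
    return [s for s in log if s[3].date() >= today - retain]
```

Only badge identifiers and timestamps are processed, and `purge` keeps the retained window as short as the analysis needs, which is the data-minimisation habit the later sections of the article call for.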
When collecting data about employees, privacy is a critical consideration. Most of the information needed to create an effective contact tracing program is already readily available to organizations as part of a standard employee agreement. As seen in the badge and sick day example, neither of these data sets is covered by HIPAA, and both are available for companies to use at will.
Compliance When Collecting Health Data
When delving beyond standard employee data, companies need to be cautious of data privacy. Once employers ask for employees to self-report health information, HIPAA and additional privacy concerns come into play, creating a much more complex compliance and risk landscape. While these can be tricky and time consuming to navigate, the company is able to benefit from access to more robust data that can provide deeper insight into their risk.
Compliance for private health and employee data is a complicated matter, because a patchwork of differing laws protects employee privacy across the U.S. The rules, regulations and laws surrounding privacy create a complicated legal and compliance picture. State laws may vary, but HIPAA and OSHA regulations are uniform nationwide. OSHA offers resources specific to COVID-19 that cover employee rights and employer responsibility. Additionally, contact tracing that includes health data must also be compliant with privacy laws like the SHIELD Act and the CCPA. Employees must opt into any contact tracing program that requests health information and understand that sharing is not obligatory.
For any employer storing health information, it’s critical that they document and understand where it’s being stored, who has access, why it was collected and how it will be used. Because pandemic-related compliance laws are evolving, documentation is key. Companies must show that they’re putting their best effort into being as compliant as possible. Compliance software helps by automating risk controls and actively monitoring them. With these GRC software systems in place, companies gain the additional benefit of real-time compliance and risk insights to better manage sensitive data.
Cybersecurity Risk
Because sensitive information is stored, it’s also imperative that organizations maintain proper cybersecurity measures. The World Health Organization reported a fivefold increase in cyberattacks since the outbreak of COVID-19. Companies are responsible for the employee health information they store, so they should test their security systems and consider implementing additional measures. Furthermore, companies should put plans in place to destroy private employee data once it is no longer needed. Lastly, companies should closely evaluate the user agreements of any third-party apps used for contact tracing. Often these apps do not protect the company or the end user, which can leave the company vulnerable down the line.
Beyond concerns about collecting health data, some employees worry that companies are using the pandemic as a rationale for monitoring employees more granularly. By and large, however, these concerns are unfounded. For organizations particularly worried about backlash, documentation of how the data is collected and used is key.
Making Contact Tracing a Reality
However, even with this data readily available, companies still shy away from contact tracing. One reason for this is a lack of desire to handle contact tracing; many companies are not prepared to go above and beyond what the government requires. But the challenge most companies have to overcome in order to implement contact tracing is making sense of the data they already have.
Companies may not know what data they have available to them or how to make sense of it, but tech is now playing a crucial role in helping teams overcome this obstacle. Analysis that would have been time consuming or labor intensive for data or risk teams a few years ago is now readily available through risk assessment technology that automates the process of cleaning and correlating data for organizations. From here, it’s a matter of implementing, monitoring and following the controls put in place. With technological advances, there’s no reason why companies should be daunted by making sense of their data in order to keep employees safe.
Contact-tracing programs are not only beneficial for the health of your employees, but can be a critical part of business continuity plans. As a workforce, we’ve never gone through a crisis where returning to work requires managing risk with spatial confinement. This new type of scenario requires adding an updated set of controls to the business continuity plan for the use of physical space. That portion of the plan can be as simple as letting X number of people onto the floor measured by badges, or as complex as the approach that theme parks take in tracking every person in the park.
The final consideration for contact-tracing programs is who at the organization is responsible for them. For most mature corporations, the mandate should come from the enterprise risk management team. For midsize organizations, it may be the legal or internal audit teams. For most companies, HR will lead contact-tracing efforts. No matter the team involved, they should carefully understand compliance requirements and document all program details, especially if they collect health data.
The thought of contact tracing an entire office or organization can be intimidating, but it doesn’t have to be. With the right tech, you can get it off the ground quickly and seamlessly while keeping your strategy nimble and your employees safe.