As more state and local governments give businesses the green light to reopen, employers are exploring all available options for keeping coronavirus out of their facilities. Safe and reliable testing and screening procedures will play a key role in those efforts.

“Many United States businesses are finding themselves in a bit of do-it-yourself role when it comes to public health and the COVID-19 response,” said Cecily Barclay during “COVID-19 Testing in the Workplace: What You Need to Know Before Testing Begins,” a cross-practice webinar presented by law firm Perkins Coie.

“But this is a potentially positive and significant role as businesses are perhaps best suited to catch the disease early, in the very environments in which it is otherwise most likely to spread,” said Barclay, partner in Perkins Coie’s San Francisco office.

With tests costing around $100 each and often a waiting period up to 3 days, daily testing isn’t feasible for most operations. But weekly testing is something that many employers are considering. Companies such as Tyson Foods and Ford Motor Company have publicly discussed the details of their testing programs.

A testing program that is effective without exposing the organization to unintended risk must involve a cross-functional approach involving risk management, safety, HR, facilities and legal departments working collaboratively. Here are three key questions each organization must address.

1) What are the land use, real estate and leasing issues you might face in developing and operating an onsite testing facility?

Organizations must assess their available spaces and consider first what their goals are, such as testing alone or testing plus screening. The key is to ensure that these procedures can be completed before a worker interacts with other workers.

For the sake of efficiency, cleanliness and the ability to retain a sense of “normalcy,” many experts recommended using facilities that are onsite, but outside the usual workspaces, either indoors or outside.

If an indoor site is available and appropriate for the purpose, the primary concerns would involve whether leasing contract restrictions that might apply.

“If you are in a landlord-tenant relationship, the main message here is to review your lease, review your lease and review your lease,” Barclay said.

However, as for any planning or regulatory issues, indoor onsite testing would be seen on a par with a flu shot program, assuming the testing does not involve on-site lab work or diagnoses.

Some organization are opting for outdoor testing and/or screening, utilizing outdoor canopies or well ventilated tent enclosures.

“Once you are venturing outside, there are really three areas of consideration for local agencies,” said Barclay. “Look at the individual planning, building and fire department regulations that apply to the area in which you’re going to be locating the facility. There are great variations across the cities, counties and states in which you may be considering locating one of your testing facilities.”

Barclay said that as with indoors, testing and screening would be considered incidental to the business and unlikely to run afoul of zoning regulations. Building and fire codes, however, may require a dedicated ingress/egress plan or dictate what kind of set-backs may be required from nearby streets or buildings.

The regulations will vary depending greatly upon location, with organizations located in urban areas potentially facing added hoops to jump through, such as conditional permitting.

In areas that are highly developed, the planning code requirements for locating one of these facilities outside a building may be lengthy and confusing and really didn’t contemplate the type of use that a testing facility would involve.

2) What are the labor and employment concerns that will arise as you begin to test your workers?

Employers are understandably concerned about whether requiring medical testing and screening is allowed by law.

The short answer, said Perkins Coie’s Ann Marie Painter, is yes.

Both testing and screening are considered medical exams under the ADA, which may be permissible under certain circumstances – one of which is whether the employee will pose a direct threat to others due to a medical condition.

Fortunately, said Painter, partner in the law firm’s Dallas office, the EEOC has been very direct in clarifying that the presence of COVID-19 in the workplace absolutely satisfies the direct threat test.

“The EEOC gives some additional guidance that employers should make sure that whatever tests are administered are accurate and reliable, and gives suggestions about where to find [information] about safe and accurate testing.

“But it’s important to note that the accurate testing that’s out there only reveals if a virus is present, and that a negative test doesn’t mean that the employee will not acquire the virus later. So it’s very important to keep in mind that the actual testing — if you choose to go this direction — is only one route that you will want to pursue to make sure that your workplace is safe for your employees.”

For employers that opt use medical screening or questionnaires, the EEOC has also provided some clarity.

The EEOC has said that in a severe influenza pandemic, an employer can ask employees to identify themselves as potentially being at higher risk of contracting the virus.

“In addition,” Painter said “you’re also able to ask employees about symptoms that they may be experiencing that are related to COVID-19 There’s a fair amount of latitude that employers can apply when making these inquiries.”

Painter stressed that COVID-19 testing is not required: “Currently, we’re unaware of any state or regulation that actually mandates testing by employers,” Painter said.

Many employers have been looking to OSHA’s general duty clause to understand what their obligations are, she said, as the clause requires employers to provide a workplace that is free from recognized hazards that are causing or could cause death or serious physical harm.

Thus far, however, OSHA has not entered or applied any emergency standard or order related to COVID-19, and does not require testing for the virus.

Painter said that many employers have been asking if they’re required to report a positive COVID-19 test on their OSHA 300 log. And the answer is yes, in certain cases. Reporting may be required if there is a lab-confirmed case of COVID-19, if the employee is infected as a result of performing their work-related duties. For some employers, that may be a gray area.

“It’s very possible that employees have contracted the virus in some other environment other than the workplace. And it will require some investigation to determine if in fact a positive test is work related and needs to be reported on your OSHA log.

“This would be a case where you may have to conduct some contact tracing and also you may want to consult with counsel before you decide that this has to be reported,” she said.

The ADA requires all medical information of employees is kept separate from other personnel related information and is kept confidential. While that sounds easy, but it may be a little bit more challenging to ensure that this information is, in fact, kept and maintained on a confidential basis, because there may be multiple points at which the data is being collected and gathered.

“It will require some training on the part of the employer to ensure that this kind of information, if you’re gathering it, is being kept properly,” Painter said.

Lastly, employers who do opt for testing or screening will need to ensure they’re in compliance with all wage and hour regulations. For hourly workers who are being required to submit to testing before entering the workplace, employers must assess the amount of time the procedures are going to take.

“If the time is not de minimus, it will need to be recorded and counted as compensable time for those employees. This is going to be a particularly difficult issue to work through — it’s going to be a big one.”

3) What privacy and data security issues will come up as a result of the information that you will collect?

Physical privacy sounds straightforward to maintain, but issues can arise. With new tests expected that can show the presence of antibodies in as little as 15 minutes, employers must exercise caution in how they deliver results.

The same applies if you have an employee who does test positive for the virus and is sent home. While it might be a necessity to take additional sanitizing measures in the person’s workstation, it could be argued that doing so in full view of coworkers amounts to a public disclosure of a positive test result.

Data security should also be top of mind for employers who test or screen.

With the proliferation of various testing and screening methods and types of data being collected, employers must be certain that the data they collect remains private.

Where one manufacturer might choose to test every employee weekly, others might opt for remote at home testing or mail-in health screening questionnaires. Some grocery stores have set up on-site antibody testing, and Massachusetts has launched a mobile testing program geared toward long-term care facilities. Communication through mobile apps and other health technology is becoming part of the equation.

“Notwithstanding the fact that we are in a pandemic, there is still a fair amount of attention being focused by regulators on privacy and data security with respect to this data,” said Dominique Shelton Leipzig, partner in Perkins Coie’s Los Angeles office.

Because most employers will need to utilize one or more outside vendors for screening, vendor management is a top concern. In the event of a breach, said Shelton Leipzig, regulators will often look to see whether an appropriate vendor management plan was in place beforehand.

In particular, she said, it’s important that companies who work with testing or screening vendors know:

• Who in the vendor’s organization has the lead privacy and data security issues?
• Is the data that they are collecting being inventoried and is there a proper understanding of data flows and where the data will be stored?
• Has the vendor has conducted a legal privacy and data security risk assessment?
• Is the vendor is going to be using a cloud environment or sub-vendors that will assist with the management of the of the tests?
• Have those vendors have taken steps to mitigate any other specific risks associated with processing sensitive health data?
• Does the vendor have privacy and data security protocols in place to protect the data?

There are about 134 different data protection laws around the globe, she said, and while many of them on focused on consumer privacy, some will also apply to the collection of employee information.

The California Consumer Privacy Act, for example, can apply to employee data to a certain degree. That entitles anyone covered under the Act to know what specific data is being collected, the purpose of the collection and if the data was shared with any third parties.

“So you want to ensure that you’re working with your HR teams and others to ensure that there is a personnel privacy policy that exists, because this portion of the statute does apply to employee data,” said Shelton Leipzig.

The CCCP also provides a right to access to all data collected, delivered in a portable format, and a right of deletion. These are all considerations that employers affected by the Act will need to consider.

Employers beyond the scope of California’s law should be looking at these issues as well, she said, because there are currently 17 other states with laws similar to California’s under consideration.

The most important privacy and security questions for your team to answer before you begin a testing program, according to Shelton Leipzig, are “How are we going to make sure that the testing and the data collection process is private and secure?” “Are our privacy notices up to date?” and “What vendors are we using and have they been vetted for their security protocols?”

Vetting vendors may sound onerous, Shelton Leipzig said, but it need not be.

“You can get certifications from vendors, like ISO 27001 certifications or others that are proxies, to give you a sense that there’s been a proper security protocols in place,” she said. &