COVID-19 Data Collection: Potential Policy Coverage Issues

June 01, 2020

There are differing opinions concerning returning to work and reopening the economy during the COVID-19 pandemic, which has resulted in strong opposition and division. As governments and the private sector move forward, data will be key – not only to understand the persistency and resilience of the virus but to also determine who is currently infected, who was exposed, who possesses anti-bodies or potential immunity, and who is more susceptible to the virus as we return to the workplace. This may involve testing, temperature screening, immunity certification, and contact tracing to keep workplaces, employees, customers, and vendors safe.

Determining how this data is collected and used will be central to a consistent and methodical return to work; however, as we have seen in the partisan divide over reopening, we will likely see controversy arise when interpreting existing laws and Fair Information Practice Principals. For example, the California Consumer Privacy Act requires businesses that collect personal data (whether employees or customers) to disclose how the data is used and shared, but other United States regulatory authorities have said they will limit enforcement of privacy legislation. Further, the US Department of Health and Human Services announced that it is waiving the enforcement of certain provisions of HIPPA, and the Office of Civil Rights (OCR) stated that it would not impose penalties for noncompliance with HIPAA in connection with good faith provisions of telehealth services during the pandemic.

Additionally, software developers are creating technology to track and label people according to their virus status. Whether processing of COVID-19-related personal data will be  covered by existing privacy notices and current policies  remains to be seen.

The scope of the governmental response in the United States is not yet known,  but pressures to reopen and return to work will require businesses to adopt best practices and adjust for ongoing privacy compliance. Moreover, how data for public health is used and what decisions are garnered may be left to interpretation. Will businesses use this data for assessing performance? Will the collection of biometrics be permitted without consent? What limitations of purpose are companies adopting? How will they balance who returns, who does not, and what is vital versus inessential?

There are insurance implications with each of these decisions and how they are carried out and interpreted. Companies that share information in good faith on request by one government entity may find later that they are subject to regulatory penalties by another government body or subject to private litigation.

Careful legal scrutiny of any situation when healthcare or health-related information is being disclosed should precede any action taken by a business. Insurance coverage that addresses both privacy, discrimination, and the regulatory risk surrounding it is not entirely clear. Covered losses under a cyber insurance policy may be jeopardized if action to disclose personal health information is taken knowingly and disregarding government regulations. Some policies contain governmental action exclusions that may affect the extent to which cover for regulatory fines and penalties, private litigation, and costs arising from a breach of health information can be provided under a cyber policy. Many policies will not cover what may be deemed as non-breach regulatory action. (Such as actions by the employer, not a nefarious hacker.)

The basis of employment decisions, particularly as new work from home environments continue, will also create questions as to whether an employment practices liability policy will fully respond. Discrimination based on race, gender, religion, and sexual orientation are typically covered; however, will data through this crisis reveal other discriminatory aspects? Questions such as who will return, who will not, who is allowed to work from home, who may feel isolated and singled out, and what emotional and mental anguish they may incur will all have to be answered and measured.

Beecher Carlson has been watching these developments closely and they will be part of the conversation when negotiating cyber, employment practices liability, and general liability policies, as well as other aspects  of our clients’ insurance programs. For any insurance questions or if you wish to discuss these topics in further detail, please contact your Beecher Carlson insurance professional. Protecting your employees’ health and privacy and your organization’s financial health are not necessarily incompatible.


The foregoing is not intended as legal advice and Beecher Carlson recommends that you speak to your legal counsel with any questions regarding the application and interpretation of laws, rules and statutes which may be applicable to your business or situation.  This is not intended to be coverage advice, or a statement as to whether coverage may or may not exist under your specific policy and the circumstances of your situation.  This is informational only.

Please be advised that any and all information, comments, analysis, and/or recommendations set forth above relative to the possible impact of COVID-19 on potential insurance coverage or other policy implications are intended solely for informational purposes and should not be relied upon as legal advice. As an insurance broker, we have no authority to make coverage decisions as that ability rests solely with the issuing carrier. Therefore, all claims should be submitted to the carrier for evaluation. The positions expressed herein are opinions only and are not to be construed as any form of guarantee or warranty. Finally, given the extremely dynamic and rapidly evolving COVID-19 situation, comments above do not take into account any applicable pending or future legislation introduced with the intent to override, alter or amend current policy language.