Insights

Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?

Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?

Mar 26, 2020
Download PDFDownload PDF
Print
Share

Nothing within the CCPA inherently prohibits an employer from sharing with public health authorities the names and contact information of employees that have been infected with a contagious disease.  To the extent that a federal, state, or municipal law requires the disclosure, the CCPA itself would not apply.1  If the disclosure is not required, but made at the request or recommendation of a public health authority, the CCPA arguably requires only that the business take the following steps:

  • The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected.  While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
  • In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4

It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities.  For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5  Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official investigating compliance with [the ADA].”6  Thus the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies.  As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control).  As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide.


1. Section 1798.145(a)(1) of the CCPA states that the  Act shall not restrict a business’s ability to comply with a federal, state, or local law.

2. CCPA, § 1798.100(b) (requiring a business to provide information concerning the “purposes” for which information collected will be used).

3. CCPA, § 1798.130(a)(4)(C)

4. CCPA, § 1798.130(a)(4)(C) (requiring that in response to an access request a business disclose the categories of information shared for a business purpose in the preceding 12 months and the categories of third parties to whom it was shared).

5. 29 C.F.R. 1630.14(d)(4).

6. 42 USC § 12112(d)(4)(B), (C).

Related Practice Areas

  • Data Privacy & Security

  • California Consumer Privacy Act

Meet The Team

Christy E. Phanthavong
+1 312 602 5185

Meet The Team

Christy E. Phanthavong
+1 312 602 5185

Meet The Team

Christy E. Phanthavong
+1 312 602 5185
This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.