• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

California Mandates COVID Exposure and Outbreak Reporting to Employees, Government Agencies

September 23, 2020 By Aaron Wasser and Daniel Felz

On Thursday, September 17, 2020, California Governor Gavin Newsom signed Assembly Bill 685 (“AB685”) into law.  AB685 amends a number of portions of California’s Labor Code to address the COVID-19 pandemic.  In addition to provisions that regulate reopening activities at California worksites, AB685 introduces two new COVID-related notification obligations for California employers: (1) a requirement to notify  employees in the event of a potential COVID exposure at a worksite, and (2) mandatory reporting to local California public health departments when COVID cases amount to a regulator-defined “outbreak.”  These obligations will go into effect on January 1, 2020.  Each is summarized below:

1. COVID Exposure Notice to Employees

  • Whenever a California employer receives notice of a “potential exposure to COVID-19” at one of its worksites, AB685 will now obligate the employer to notify all other employees who were at the “same worksite” as the COVID-positive employee “during the infectious period.”
  • The “potential exposure” triggering these new employee notifications can be triggered when an employee self-reports a COVID diagnosis; when the company’s testing program reports a COVID case to the company; or when a public health department or staffing agency informs the employer that a COVID-positive employee was at the worksite.
  • Companies will likely be relieved to learn that AB685 does not obligate them to disclose any more personal information about COVID-positive individuals than they currently do. AB685 instead merely requires companies to inform fellow employees “that they may have been exposed to COVID-19,” which is consistent with many companies’ existing practice.
  • However, these new AB685 notifications to fellow employees must be made in writing, i.e. “in a manner the employer normally uses to communicate employment-related information” – including email or text message if appropriate. Additionally, written notifications must be made within one business day of when the employer learned of the potential COVID exposure, and retained for at least 3 years.

2. COVID Reporting to Local Public Health Departments

  • AB685 also introduces a new obligation to report a COVID “outbreak” to California public health departments. If a California employer receives notice of enough COVID cases to constitute “COVID-19 outbreak,” it must report the ‘outbreak’ to the local California public health department.
  • Per guidance released by Cal/OSHA in connection with AB685, a “COVID outbreak” is currently defined as “three or more laboratory-confirmed cases of COVID-19 among employees who live in different households within a two-week period.” Thus, receiving notice of these types of laboratory testing results would presumably trigger AB685’s new reporting requirements.   The initial report must be made within 48 hours of when the employer is “notified” of “the number of cases that meet the definition of a COVID-19 outbreak.”
  • The company’s report to the local public health department must include the “names, number, occupation, and worksite” of employees. Note that more employees may need to be included in the report than the 3+ employees whose positive lab tests triggered the reporting requirement.  Potentially, all employees who constitute “qualifying individuals” under AB685 must be included.  This can include additional employees who a) have a positive COVID laboratory test, b) have a positive COVID diagnosis from a healthcare provider (with or without a supporting lab test), c) are subject to a COVID isolation order from a public health department, or d) have died from COVID (as determined by appropriate officials).
  • After making this initial report to the public health department, the employer must supplement it on an ongoing basis if it receives additional, laboratory-confirmed COVID cases.
  • Employers should know that information reported in this manner will be made available to the public on the California Department of Public Health’s website. While no PII of employees will be published, the information made public will “allow[] the public to track … the number and frequency of COVID-19 cases and outbreaks by industry reported by any workplace.”

Alston & Bird is closely following AB685 and COVID-reporting requirements across the United States.  For further information please contact your attorney on the Alston & Bird Privacy & Cybersecurity Team.

 

Filed Under: Advisories, California, Cybersecurity, Health Privacy, Online Privacy, Privacy, Regulation Tagged With: Behavioral Tracking, Big Data, cybersecurity, Health Information Security, Regulatory Enforcement

About Aaron Wasser

Aaron Wasser is an associate in Alston & Bird’s Privacy & Data Security Team. Aaron focuses his practice on helping clients develop tailored solutions to complex privacy and cybersecurity problems.

About Daniel Felz

Daniel Felz is a senior associate with Alston & Bird’s Privacy & Data Security Group. Dan leverages his extensive international experience to advise clients on global privacy, cybersecurity, technology, and adversarial matters.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • New Law Requires HHS to Consider Recognized Security Practices as Mitigating Factor When Determining Penalties
  • Federal Court Rules Cyber Forensic Report Is Not Protected Under Attorney-Client Privilege Or Work Product Doctrine
  • Financial Regulatory Agencies Announce Proposed Rule Requiring Notice of Computer Security Incidents
  • Brexit Trade Agreement Provides a Temporary Solution for Companies Transferring Personal Data from the EEA to the UK
  • UK ICO Publishes New Data Sharing Code
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy