As businesses re-open and take cautionary measures to prevent spread of COVID-19, many organizations have incorporated thermal scanner policies onsite.
Since fever is a major symptom of coronavirus, these scanners check people for elevated temperatures which could result in self-quarantine or further testing. It is a proactive approach to protect the greater population, but how does this impact the company’s security and the privacy concerns of those tested?
HIPAA applies only to covered entities and business associates, but that scope should identify what information is collected and how it is used.
Regarding HIPAA, if a covered entity or business associate uses a device that gathers specific personal information related to health, then the regulation applies. For example, if a covered entity or a business associate scans a person’s temperature and records or communicates that person’s temperature with identifying information about them (name, employee ID, photo, video, fingerprint, etc.), then this is likely HIPAA-relevant data.
If personal information is never captured then HIPAA would not apply. For example, if a company used a thermal scanner to scan people as they came in the door and told people – without gathering any information about them – whether they are allowed in or not, then the scans are likely not in scope for HIPAA.
For any new technologies, review how it is applied to personally identifiable information (PII) and protected health information (PHI) to determine whether it is relevant to known regulations.
Let us know how we can help.