OCHCO Bulletin – Protection of Confidential COVID-19 Information
VA Central Office November 24, 2021
Washington, DC
OFFICE OF THE CHIEF HUMAN CAPITAL OFFICER (OCHCO) BULLETIN
SUBJECT: Protection of Confidential COVID-19 Information
This OCHCO Bulletin provides guidance to Human Resources (HR) offices on protection of confidential COVID-19 information, during this evolving COVID-19 pandemic, when everyone’s health and safety are paramount. All sensitive personal information (SPI), including health information protected under the Privacy Act, that is maintained by Department of Veterans Affairs (VA) personnel and affiliated individuals, should be collected, used, and disclosed only in accordance with relevant privacy laws, regulations, and policies, such as safeguarding public health and safety.
As a guiding principle, VA HR staff, supervisors, and other management officials should only collect and disclose the minimum amount of confidential COVID-19 information necessary to persons within the Department who have a need to know the information in the performance of their official VA duties. Management should actively seek to minimize the sharing of such information by limiting access to those VA employees with a need to know. Further, the Equal Employment Opportunity Commission’s (EEOC) regulations require that medical information be kept confidential and separate from personnel files. EEOC regulations allow for sharing of work restrictions and necessary accommodations with those who need to know the information, such as supervisors and managers. However, aggregate, anonymous data on COVID vaccination, testing, or other related matters, which by definition does not contain SPI, is not confidential and may be shared with others.
Examples of confidential COVID-19 information are agency reports that identify employees by name and vaccination status or requests for medical or religious exceptions. Another example is information that identifies employees who have been infected with COVID-19, such as emails or notes with an employee’s name or other identifying information reported to leadership for contact tracing purposes, or an employee’s report of a positive test result for COVID-19 to their supervisor. Although employee health information maintained by HR, supervisors, and other management officials is not protected health information under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, it should be protected as SPI consistent with the Privacy Act and EEOC regulations.
As we respond to the COVID-19 pandemic, employ best practices to prevent the compromise of confidential COVID-19 information, including the following:
- Limit distribution of such information to those who have a valid need to know the information in the performance of their official VA duties. For example:
  - Do not share such information with your chain of command unless they are directly involved in approving/denying an exception request, implementing a disciplinary action, or enforcing safety protocols.
  - If a VA employee tests positive for COVID-19, they should inform their supervisor immediately. The supervisor will then notify the appropriate persons within the chain of command designated as having a need to know the information, such as quarantine date(s), exposure date(s), duty status date(s), etc., to alert individuals who may have been in contact with the employee and take other steps recommended by public health officials to protect the health and safety of the workforce.
  - If a VA employee self-identifies as being in a higher risk category susceptible to COVID-19, in accordance with Centers for Disease Control and Prevention guidelines, the information should be reported to the supervisor, and reporting should be limited to only those who have a need to know as described above.
- Employ good data security practices, such as encrypting emails containing confidential COVID-19 information. For example, a supervisor should not transmit names, personal phone numbers, or health information via unencrypted email.
- Do not use personal email accounts to transmit confidential COVID-19 information.
- Do not post reports or spreadsheets containing confidential COVID-19 information to internal shared drives, SharePoint, or similar sites (e.g., Microsoft PowerBI, VHA Health Operations Center SharePoint) without proper safeguards and role-based access restrictions governing who will be able to access the information.
If you have further questions or concerns about collecting, maintaining, processing, or disseminating confidential SPI, to include health information, please contact your Privacy Officer.
More information can be found on the VA Privacy Service website at: https://www.oprm.va.gov/default.aspx or by accessing the contact information for VA Privacy Service at https://www.oprm.va.gov/contacts.aspx.
Issued by: VA/OCHCO/Worklife and Benefits Service