If you are an employee of L’Oreal USA, and want to work from home in light of the enduring spread of COVID-19, you might be in luck. L’Oreal is enabling certain “high risk” employees to do just that, assuming that these employees sign waivers to enable the company to potentially review relevant medical records and determine if they are, in fact, at a higher risk of getting sick in connection with the pandemic. To be exact, employees requesting the ability to continue to work remotely even as offices open must sign off on a “COVID-19 High-Risk Accommodation Request Form” that authorizes the release of “medical information” to L’Oreal.

As CNN recently reported, the Paris-based cosmetics company – which generated $35.5 billion in revenue in 2019 by way of its arsenal of brands, such as L’Oreal, Lancome, Kiehl’s, Vichy, CeraVe, and many others, including the cosmetics businesses of Armani and Yves Saint Laurent – revealed in an email to employees last month that it “planned to increase its current maximum of 25 percent of employees at the office to 50 percent.” The email, which came from L’Oreal’s chief human resources officer Stephane Charbonnier, alerted employees that unless they have approved paid-time off or a reason approved by the company, they “will be expected to be onsite if assigned by [their] manager to be onsite.” One such potentially “approved reason”? A “COVID-19 High-Risk Accommodation.”

L’Oreal’s COVID-19 High-Risk Accommodation Request Form, which was first shared by beauty industry watchdog account @esteelaundry, specifically provides for the release of “information regarding [an employee’s] physical or mental limitation(s)” that may affect his/her ability to “safely perform work at L’Oreal during the COVID-19 pandemic.” A representative for the American arm of the cosmetics behemoth stated that L’Oreal is not asking for “any employee’s actual medical records or details of a medical diagnosis.” What the company is requesting from “any employee that is seeking a medical exemption from returning to in-office work” is “verification [of such limitation(s)] from their physician,” the L’Oreal representative says, noting that “in most instances, a doctor’s note is a sufficient verification.” 

In addition to clarifying what, exactly, L’Oreal needs in order to approve an employee’s accommodation request, the company’s rep stated that “any confidential information shared by employees is managed by a third-party provider in conjunction with HIPAA-trained HR professionals who determine eligibility for medical exemptions from returning to in-office work.”

While potentially striking in a COVID context, largely due to the novelty of the pandemic and the relatively uncharted roadmap of how companies will handle the large-scale return to offices following months of lockdowns and remote working across the U.S., employer requests for substantiation to justify an employee’s request for accommodation in connection with a disability (or in this case, a medical condition that may put them at a higher risk during COVID) are far from novel. Nonetheless, the situation at hand – medical information request forms, included – sheds light on just one of the many issues that employers now face as states lift stay-at-home orders and put an end to non-essential business closure mandates.

Many of those issues center on employee privacy and information security, which will inevitably prove to be among the most important concerns for employers in light of the COVID landscape. 

“Despite the pressing need to protect employees’ health, employers cannot forget their obligation to protect employees’ privacy,” according to Cohen & Gresser LLP’s Christian Everdell and Marvin J. Lowenthal, who say that three of the most common safety measures that many employers are considering and/or are already using to protect their employees – temperature screening, medical testing, and contact tracing – come with a variety of relevant privacy regulations that companies must consider. 

The Americans with Disabilities Act (“ADA”), for instance, requires that any mandatory medical test for employees, such as a temperature screening, be “job related and consistent with business necessity.” Everdell and Lowenthal note that the Equal Employment Opportunity Commission (“EEOC”) has issued guidance explaining that employers may take steps, such as requiring temperature checks, in order “to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others.” Similarly, the EEOC permits ADA-covered employers to ask employees if they are experiencing COVID symptoms, such as fever, chills, cough, shortness of breath, or sore throat.

All the while, employers are allowed to keep logs of such information, but must maintain the confidentiality of the results of any employee medical examinations “as a confidential medical record in compliance with the ADA,” including by storing such information “separately from the employee’s personnel file,” thereby limiting access to this confidential information.

For California-based companies, the California Consumer Privacy Act (“CCPA”) regulates the collection of a California resident’s personal information. As Everdell and Lowenthal state, it contains a limited exemption for employers “when implementing [certain] safeguards against COVID-19,” but employers must still “comply with the CCPA’s notice provisions (e.g. they must inform employees about the categories of personal information to be collected and the purposes for which that information will be used) and its data protection provisions, as well.”

Additionally, on a high level, employers – regardless of where they or their employees are located – need to carefully consider what data they are actually collecting, how the data will be used and stored, and who will be able to access it.

Ultimately, many employers are only just beginning to embark on what may prove to be a lengthy effort to protect employees from COVID. “As different employers apply these safety measures in a variety of situations, legal questions and concerns will no doubt arise that were not anticipated at the outset,” per Everdell and Lowenthal. More than that, it is likely that “legislatures and regulators [will] impose rules governing the use of certain safety measures,” as Senators Maria Cantwell and Bill Cassidy did in June when they introduced the Exposure Notification Privacy Act, which seeks to regulate contact tracing apps.

“Given how rapidly the applicable laws and regulations may change,” they say that “employers should work with their compliance teams and legal counsel to implement appropriate safety measures to protect their employees and to ensure those measures remain compliant as the law evolves.”