Health Information & Attendee Privacy: Getting Back to Meetings and Incentives Safely
Acknowledgements: Brenda Rivers, Safe LLC™ and Jonathan Spero, M.D., CEO, InHouse Physicians
The information presented herein is not meant to constitute legal advice. Consult your attorney for advice on a specific situation.
The health and safety of event attendees has always been an important consideration for meeting professionals. However, the COVID-19 outbreak brought health and safety into focus like never before. As many organizations consider resuming incentive group travel programs, health and safety is the most talked about element and an area of uncertainty as COVID protocols rapidly evolve and organizations work to understand the lines between privacy and duty of care. Questions regarding policies, privacy, and onsite procedures all need to be addressed to help set incentive travel programs up for success.
With the increased focus on health and safety, attendees are being asked to provide more information than before, including daily health screenings, vaccine status or COVID test results, and more. Managing that data in a way that protects the privacy of the individual is critical for meeting professionals, and an area of sensitivity for many attendees.
Getting back to events safely requires knowledge and best practice sharing across all areas of health and privacy, as well as significant advanced planning and strong attendee communication regarding expectations and protocols. This paper shares insights into approaches to health and safety, as well as managing the privacy of information gathered in the pursuit of a safe event. With guidelines for corporations, venues, countries, and states changing regularly, it will be important for meeting owners and meeting planners to keep up-to-date and in close contact with their supplier base.
Pre-COVID-19 Practices for Medical Data Collection & Privacy for Meetings
Before COVID-19, meeting professionals collected a minimal amount of the attendee’s personal health information (PHI). Common information collected included a list of allergies, dietary restrictions, underlying health issues in case of emergency, any special needs such as a wheelchair, and emergency contact information.
The typical privacy standards for health-related data have included:
- Advise & Consent: How the data is being used, shared, and stored. Must make it clear to the attendee when they’re giving PHI
- HIPAA Compliance: Specific PHI must be secured under HIPAA laws for organizations and clients that include “covered entities”: health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically
- Data Storage: The majority of the event organizer’s attendee data is collected, stored and transmitted inside the registration technology process and touched by limited, authorized employees of the meeting organization
Elements of a Health Security Plan
Fast forward to today, and there is now an intensified focus on PHI. Post COVID-19, meeting professionals, as part of their Duty of Care, must work to reduce the risk of COVID-19 transmission and outbreaks at their events. As such, when implementing health security measures, the collection of additional PHI is necessary; however, it creates a new set of considerations for meeting professionals. Though meeting professionals are not a covered entity under HIPAA, they must still abide by local and federal privacy regulations.
An effective Health Security Plan will now be expected for all meetings and events. It will require the collection of PHI from attendees. Before beginning the process of collecting the PHI of prospective attendees, meeting organizers should have a published health and safety policy. This policy should be written by the organization, stating that the main purpose of the policy is “to promote the health, well-being, and safety” of all attendees. The policy should refer to the current national health state of recovery and clarify that the reason for instituting specific pre-event and onsite practices is to prevent the transmission of COVID-19 and other infectious diseases. The requested health data must be strongly connected with the purpose of making health and safety of all meeting attendees a priority.
NOTE: Although a meeting organizer may not technically be a “covered entity” under HIPAA, certain states have broader coverage than HIPAA. Therefore, it is recommended to treat the circumstances as if the meeting organizer is a “covered entity.” Consult a health care attorney for advice.
The following inquiries include, but are not limited to, practices which may be included in a health security plan at any type of event, based on the demographics, location, and agenda:
Pre-event collection of personal health information:
- Health questions related directly to the exposure, testing or contracting of COVID-19
- The attendee’s current health condition which could put the attendee at risk
- Recent travel out of country
- Frequency and type of contact with possible asymptomatic persons
- Request for a negative COVID-19 test within a certain time frame before arriving at the event
- Attendee vaccination status
Daily Temperature Checks – These can be in the form of staff taking temperatures with a no contact infrared thermometer or a thermal scanner automatically measuring attendees’ temperatures.
Daily Self-Reported Health Screening – Automated, secure online health questionnaires that can be pushed via text to the attendees’ phone offer another line of defense in detecting attendees with COVID-19.
Onsite COVID-19 Testing – This strategy allows for the screening testing of asymptomatic attendees arriving at the meeting, testing of attendees with symptoms, or attendees who have been in close contact with a COVID-19 case. Rapid COVID-19 testing can determine if someone is currently infected with the virus. Turnaround time for results is fifteen minutes, and the test can be either antigen or molecular (most accurate).
Contact Tracing – To ensure efficient communications and mitigation in case of exposure, attendees may be asked to wear a device that tracks contact or to self-report individuals with whom they have had close contact. Privacy needs to be maintained related to this reporting. Attendees need to fully understand how these devices work and how information is collected, stored, and used.
Onsite Medical Care – Many meeting professionals will be engaging the services of healthcare professionals to support their attendees’ health needs with a focus on COVID-19 related symptoms.
Onsite Event Health Practices – The following onsite procedures related specifically to COVID-19 should be considered and do not require significant data collection.
- Touchless check in
- Social distancing (must be clearly defined)
- Directional people flow
- Mask policy and requirements
- Limited food and beverage fulfillment (use of pre-packaged food, bottled beverages, etc.) or options to take food and beverage in guest room or alternate setting
- Hybrid educational sessions
- Spaced networking
- For attendees who fall ill, policies regarding releases, refunds, quarantine requirements and facilities
Vaccination Status – For maximum attendee health & safety, all elements of the onsite health security plan should apply to all attendees regardless of vaccination status.
Collecting Protected Information
To properly manage the responsibility and liability associated with collecting attendee PHI, planners will need to put the following into place. Clear, consistent, and frequent communication with attendees at every step of the process is of the utmost importance.
Clear and Well-Communicated Health Policy – This health and safety policy must explain:
- The specific use of the data
- How the data will be collected
- When data will be collected
- How and where it will be stored
- What privacy guarantees will be provided
- How long the data will be kept
- How the attendee can access their data
- How the attendee can correct their data
- What the options are if the attendee refuses to provide the data
- Whether the questions are mandatory to register for the event
Attendee Consent – It is important to obtain consent from all attendees in order to collect data and perform any of these health security measures.
Privacy Notice – A statement made to attendees that describes how the organization collects, uses, retains and discloses personal information. Though meeting professionals are not covered entities under HIPAA, they still must adhere to state and federal privacy regulations.
Release of Information – In general, when hiring a third party for data collection, it is a good idea to limit the amount of PHI that is shared by the vendor with the meeting professional. However, certain general information such as whether an attendee has a “Health Entry Pass” to enter the meeting is necessary. As such, having each attendee sign a “limited” release of information document allowing the third party to share specific information with the meeting professional is helpful. The construction of such a document can get tricky, as there is no standard, uniform state privacy law in use by all 50 states and the territories. The complexity increases when considering the laws of other countries. Seek the advice of an attorney familiar with the location where the event is taking place.
Onsite Collection – Any information carried on site must be stored securely with very limited access. Printed information is not recommended.
Standard Risk Assessment: What Questions Do Meeting Planners Have a Right to Ask? – Meeting organizers may ask any questions that are narrowly tailored to the purpose of keeping the event safe from transmission of COVID-19 or other infectious diseases, such as:
- Have you had a positive COVID-19 test in the past two weeks?
- Have you been in close contact with someone who has tested positive for COVID-19 in the past two weeks?
- Have you had these symptoms in the last two weeks?
  - Fever or chills
  - Shortness of breath or difficulty breathing
  - Muscle or body aches
  - New loss of taste or smell
  - Sore throat
  - Congestion or runny nose
  - Nausea or vomiting
- Do you live with a first responder or healthcare front line employee?
- Do you have any immunocompromised disorder that would make you more vulnerable?
- Have you traveled out of the country in the last two weeks? If so, where?
- Will you consent to participate in contact tracing?
- Will you agree to social distancing and wearing masks?
- Have you been fully vaccinated for COVID-19 (defined as having received the second or only shot, depending on required regimen, two weeks prior to the event travel date)? Date of last shot? Please provide proof of vaccination.
- Proof of negative COVID-19 test (rapid antigen, rapid molecular, or PCR) within 72 hours of event kick-off
What Questions Can Attendees Refuse to Answer?
Meeting attendees can refuse to answer any question. Your organization must have a policy on whether to deny registration for refusal to answer and then offer virtual or other options.
Generally speaking, an organization has the right to set parameters for attendance at private events. However, it is important to consider the ramifications of asking questions or denying attendance. Consider whether the questions open the organization up for discrimination concerns. If the meeting planner does not allow a participant to attend, they need to have the support of upper management.
Note on Outsourcing: Contracting with a qualified third party vendor to collect and protect attendee PHI makes good sense. The meeting industry is not experienced in this area, and the consequences of not doing this right are significant. Prior to entering into an agreement with a vendor that will have access to attendee PHI, a meeting professional must perform proper due diligence to ensure that the vendor is in fact able to protect the data. In addition, specific contracting language including a business associate agreement and verification that the vendor has adequate cyber insurance is crucial.
Data Privacy Standards and Implications for Meeting Owners
The meeting organizer is charged to not only open meetings and events that are as safe as reasonably possible, but also to create an engaging environment that makes attendees feel safe. One increasingly viable solution for business events is to have participants tracked, traced, and vetted before they attend the event. While this practice will certainly give attendees confidence, it also raises the conflict between maintaining a COVID-19 transmission-free event and impinging on attendees’ right to keep their personal health information protected. Whether or not the organizer falls under HIPAA as a covered entity is one driving factor, but the big picture focus is more about an organizer’s duty to safeguard both the privacy and the risk of exposure for the attendee.
The first step in determining whether HIPAA applies is to ascertain whether or not an event organizer fits into the definition of a covered entity, business associate of a covered entity, or subcontractor of the business associate. If yes, then HIPAA applies. There are other health information privacy laws in some states, such as Texas. If an event organizer is creating, receiving, maintaining or transmitting PHI in Texas, the organizer would be considered a “covered entity” as it is defined under state law.
The Federal Trade Commission fills the gap of the Federal definitions for anyone who creates, receives, maintains and transmits PHI. The FTC has its own breach notification rule for handling PHI.
Compliance with GDPR Law / California Law
The majority of the event organizer’s attendee data is collected, stored and transmitted inside the registration technology process and touched by limited, authorized employees of the meeting organization. Most event technology systems are programmed to collect, store and transmit personally identifiable information of EU participants under the European Union’s General Data Protection Regulation (GDPR). California residents are protected under the California Privacy Protection Act of 2019 (CCPA), covering similar personally identifiable information. Other states are expected to follow the CCPA. Because of the potential for breach of international, federal and state laws, it is safest to assume that the meeting organizer is a covered entity in dealing with protected health information.
Therefore, it would be logical to develop a similar model which parallels the collection of personal health information with the GDPR data collection and HIPAA confidential information. See the following chart of HIPAA and GDPR standards.
NOTE: Both are important if you have any European nationals attending your event.
HIPAA: Changes and New Norms for HIPAA Resulting from COVID-19
HHS issued a policy in February 2020 reiterating exceptions to HIPAA that only applied to telecommuting and dealing with PHI. These are circumstances where a provider interacts directly with a patient. All other safeguards required by the HIPAA Security Rule remain in place. Also emphasized: an entity cannot post the names of people with COVID-19 on its website without an individual’s permission.
Duty of Care
As we return to meetings, there is also much discussion around duty of care. Duty of care is the legal obligation which is imposed on an individual or group requiring adherence to a standard of reasonable care while performing any acts that could foreseeably harm others.
It is important to note that duty of care is a responsibility of the meeting planner, the individual, and the venues / entities used during the event. Below we explore the responsibility of each.
What is the Meeting Planner’s Responsibility?
The meeting planner has a legal, moral, and ethical duty to open meetings and events when they are safe. To ensure the health, well-being, and safety of all participants, they must act towards participants with watchfulness, attention, caution, and prudence to ensure that the highest health and safety standards are instituted. In doing so, the meeting planner has the following responsibilities:
- Thoroughly investigate risk in the targeted destinations.
- Before the event, collaborate with hotel security, DMCs, and other partners in consulting with local officials, responders, and public health providers about their crisis response plans.
- Document emergency and contingency plans not only for the event, but also for hotel and other venues.
- Communicate health and safety procedures and expectations of attendees’ responsibilities regarding their individual duty of care well in advance of the event.
- Mitigate risks where possible. Regarding COVID, this includes offering health security measures that address prevention of transmission, identification of attendees with COVID, and responses to ill attendees with COVID and those that may have been exposed.
What is the Individual’s Responsibility?
Duty of care is everyone’s responsibility, not only the meeting planner’s. The individual is responsible to be informed, cooperative, and responsive, following all health and safety policies and procedures as directed. Specifically, they should observe all precautions and protocols, stay home if ill, report any illness onsite, practice social distancing, and opt out for virtual if they are immunocompromised. These expectations should be communicated both in advance and during the event.
What are Other Providers’ Responsibilities? (Air, Ground, Host Hotel, Venues)
All other providers in the meeting and event supply chain have an identical duty of care to act towards customers and the public with watchfulness, attention, caution, and prudence in a manner that a reasonable professional in the same or similar circumstances would. Creating safe and secure travel and group event experiences is paramount for airlines, hotels, venues and other suppliers.
Safety is the number one priority. Venues must implement intensified health and hygiene protocols, including deeper cleaning, fresh air circulation and purification, cleanliness supplies (hand washing stations, sanitizer, gloves, masks), temperature checkpoints, and social distancing. Limit food and beverage service and offer a more packaged experience. Offer touchless digitization where possible: registration, check-in, service requests. Most importantly, communicate all protocols prominently, including mask requirements, temperature checks, contact tracing, and health reminder tools.
What “Assurances” Could be Requested by Attendees? How Can Meeting Planners Manage Those in a Legal/Responsible Way?
The meeting and event industry should excite and attract participants in addition to reassuring them, so that attendees have confidence in the end-to-end event experience rather than feeling anxious about separate pieces of their engagement. Attendees want to feel safe and in control. They now expect greater authenticity and personalization from the event.
Fundamental shifts in food and beverage options, increased environmental impact considerations, enhanced use of mobile / touchless technology, and flexible purchase/refund options will all serve to give the attendees peace of mind and confidence to return to face-to-face meetings in a post-pandemic world.
Planners can manage these needs and expectations of attendees legally and responsibly by advising them of:
- Standardization of cleanliness and hygiene procedures for hotel and all vendors which meet or exceed the government and local health guidelines. Begin with the WHO published guidelines as a reference point.
- The risks of the destination, the venues, and the program activities, as well as the procedures in place to mitigate or eliminate the risks. Include an opt out feature that includes virtual, on-demand, or hybrid alternatives and have a refund policy in case of last-minute illness.
- The personal health information that will be asked of the attendee and their consent to onsite testing, social distancing, contact tracing. Advise of medical services that will be onsite and the requirement to leave the event or quarantine if ill.
- The meeting organizers’ emergency protocol for attendees to follow in case of a disease outbreak or other foreseeable crisis during the event. Show that there is a medical, security, and event team in place prepared to act to protect the safety of all attendees.
Getting back to meetings, events and incentives is important for our economy, our industry, and for businesses across the globe. Doing so in a way that makes health and safety a top priority will serve to bring meetings back faster and will instill confidence in attendees. Health and safety policies need to be clear, well communicated, and jointly agreed upon by the meeting professional and all venues and service providers. Employing onsite medical providers and COVID testing can help reduce anxiety attendees might feel and provide a clear set of processes onsite should someone become ill.
Meeting professionals should be prepared to address questions, concerns, and objections from attendees who may disagree with policies and have a clear path for managing individuals who choose not to comply onsite. Additionally, meeting professionals need to be prepared and appropriately staffed to ensure health & safety protocols are followed onsite. That may mean bringing extra staff specifically designated for monitoring and providing reminders to attendees.
Incorporate daily health screenings, an approach to contact tracing, and onsite best practices such as room sets that allow for social distancing, alternative meal set-ups, clear mask policies, and traffic patterns that create a safe environment for attendees. Communicate the expectations clearly in advance to attendees so they can determine whether they want to attend an event where they will be expected to wear a mask and stay distanced. If attendees are surprised onsite there is less of a chance they will comply with policy. Provide frequent visual and vocal reminders throughout the event and remind attendees that policies are for the health and safety of all in attendance.
Stay informed as vaccine distribution increases globally and information about vaccine efficacy is uncovered. There will likely be continued shifts in guidance from the CDC and other global health entities. You may choose to employ more or less stringent guidelines at your event, making it even more important to communicate what you’re doing and why you are doing it.
Ask for the information you need from your attendees to deliver a safe event, but consider the data collected and how it is stored, used, and managed. Minimizing both the data you collect and access to that data is always the best approach. Ensure all attendees are clear on the collection, management, storage and use of their personal data.
Remember that duty of care is a shared responsibility. Do your research, inform of your findings, set a plan and clearly communicate with attendees. Remember that attendees and the venues and suppliers you are working with also have a duty of care. Communicate to attendees what you expect and share information such as health and safety guidelines from local authorities, “what to expect” documents and more so they can prepare in advance.
The pent-up demand for in-person meetings, events, and incentives is a positive indicator for the recovery of the industry. By carefully considering event design and onsite practices with health and safety at the center, meeting professionals will help the industry return strong and thrive.
1. Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – advises clients on health care, cybersecurity and qui tam matters. She also teaches bioethics at Baylor College of Medicine. See: https://www.americanhealthlaw.org/content-library/health-law-weekly/article/
5. For legal analysis of duty of care and the event industry, see whitepaper, “The Four Horsemen of the Apocalypse”, Brenda Rivers, Esq. & Judge William Meyer; https://www.safellc.com/wp-content/uploads/2020/02/Four-Horseman-of-the-Apocalypse_Meeting-Managers-Duty-of-Care.pdf