As businesses and government offices ramp up their on-site operations, they are turning to smartphone applications to help keep track of the health status of persons entering their buildings. In this Part 1 of our two-part blog post on back-to-work apps, we provide a checklist of issues to consider for health questionnaires.  In Part 2, we will do the same for contact tracing apps.

The use of health questionnaires is now mandatory for many organizations with on-site operations. For example, in New York, the Interim Guidance for Office-Based Work During the COVID-19 Public Health Emergency (“The New York Guidance”) requires the owner/operator of office-based work activities to conduct mandatory daily health screenings for employees and, “where practicable,” visitors. Promulgated pursuant to the New York State Administrative Procedures Act, as well as multiple Executive Orders, the New York Interim Guidance requires that a questionnaire be used during the screenings to determine whether the employee has: (a) knowingly come in close contact in the past 14 days with anyone who has tested positive or has had symptoms of COVID-19; (b) tested positive for COVID-19 in the past 14 days; or (c) experienced any symptoms of COVID-19 in the past 14 days. The New York Department of Health has made a sample questionnaire available. The CDC’s screening questionnaire for entering its facilities outlines similar questions.

The New York Interim Guidance states that temperature checks may be conducted according to the U.S. Equal Employment Opportunity Commission and New York Department of Health (“DOH”) guidelines. If an employee answers in the affirmative to any of the screening questions, New York requires that they be instructed to stay home.

Other states have issued similar guidance. For example, California’s recent Playbook for Safe Reopening states that facilities must set up individual screenings and train workers on how to screen for symptoms. New Jersey’s guidance for businesses that do not have walk-in customers or products for sale strongly encourages such organizations to follow safety and sanitization protocols that includes the CDC’s recommendations for daily in-person or virtual health checks.

Although distributing and collecting the questionnaires by email is an option, most large organizations are turning to apps and web-based tools to help with the administration of the questionnaires once a significant number of people start coming back on site. The following checklist outlines some of the considerations employers may face when implementing these automated screening tools.

  1. Should the company require answers from visitors coming on-site?
      • Check local guidance to see whether questionnaires are required for visitors to the office. For example, the New York Guidance states that daily health screening practices are mandatory for employees and, where practicable, for visitors, but screening of delivery personnel is not mandated.
  2. Should the company create a record of individuals’ responses to each question or only make a record if an employee answered “Yes” to any question?
      • Most jurisdictions do not require companies to keep records of the responses to each question, but rather, only require a record of individuals who responded “Yes” to any question. In order to reduce privacy risks, many companies are only making records of the data they are required to maintain.
  3. What happens if an employee who answered “Yes” to any screening question (or did not answer one or more of the questions) attempts to enter the office?
      • Will employees be trusted to stay home if they answer “Yes” to any question?
      • Will building security be required to verify that people entering the building have answered “No” to all questions? How?
      • Will key-card access to the building be revoked for persons who answer “Yes” to any question?  How?
  4. Will answers be stored?  Where?  For how long?  Who has access to that information and under what circumstances can it be shared?
      • Maintaining this data consistent with applicable privacy and cybersecurity regulations, especially in EU countries, can be a challenge and should be given careful consideration.
  5. For answers about COVID test results, will employees be required to provide any documentation, and, if so, where will that data be stored, and who will have access to it?
      • Again, before deciding whether to collect sensitive health-related data, careful consideration should be given to applicable privacy and cybersecurity regulations, especially in EU countries.

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise summer associate Jennifer Romero for her contribution to this article.


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at


Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at


Josh Pickar is an associate in Debevoise's Litigation Department. He can be reached at


Julia Wang is an associate in Debevoise's Litigation Department. She can be reached at