I work for a University that requires you to talk about your personal health with a chatbot. That data is then stored in a SQL database without knowing who has access to it, where it is, or how long it will exist.
Employer is in NY state.
HIPAA does not prevent your employer from collecting this data; it only states (to a certain degree) how that data can be used, shared and what company policies & procedures are needed, etc. In general right now though, the FDA, CMS and other enforcement agencies have suspended many of the penalties/rules around data collection, sharing, device usage, etc. I am not aware of any laws that would prevent your employer from asking these questions or storing the data, but I would say it will make them subject to the rules of medical record storage, as technically that data can identify you and is related to your health. If they shared this data without getting a release from you or had a database compromised, then they could be subject to fines and other penalties, but I doubt any of that would be enforced over the next 6 months or so.
Many states are requiring employers to monitor/check employees that are on-site, but most are not storing the data as far as I know, so I doubt they are doing anything illegal or improper, maybe creepy but nothing technically wrong.
Employers aren’t generally in the scope of HIPAA, only medical providers and related business entities.
You’re not going to win this one, unless you can semipermanently work remotely.
I am amused by the chatbot idea here. Kinda Ad Astra like:
I would probably match the categories against HIPAA [0] as a starting point and then ask the university legal team if this was reviewed by them. If not, consider letting them handle it so that there is no retaliation against you if that project is neutralized.
[0] - https://www.hipaajournal.com/what-is-considered-protected-he...
Or even taking your temperature makes more sense than this.