I wrote last week in this space about government’s longstanding tendency during dangerous outbreaks of contagious disease to assert control over public discussion of medical matters on the rationale of preventing the spread of misinformation. (Some members of Congress are currently trying to browbeat platforms into taking down social media posts that promote erroneous notions about vaccines.) Citing the flu pandemic of 1918–19, I pointed out that “rather than quieting the rumor mill and the popular spread of false ideas about the virus, the tight control of information [often does] the reverse.”

There’s a less visible and more politically sacrosanct way in which modern government also tries to curb discussion of disease outbreaks, namely privacy law. If a co-worker you see regularly at your workplace comes down with the illness, for example, there’s a good chance you’ll receive a cryptically worded message from management that awkwardly half-anonymizes, rather than names, the colleague (“someone on the fourth floor”) in line with guidance from the federal Equal Employment Opportunity Commission or its state counterparts. “Oh, must be HIPAA,” people chuckle, which is not strictly accurate, since that health privacy law (the Health Insurance Portability and Accountability Act of 1996) covers only those in the health business. The practical difference doesn’t matter that much, however, since broad privacy rules in other federal laws such as the Americans With Disabilities Act (ADA) do apply to workplace settings.

Note that these laws will not in fact necessarily shut down the rumor mill among your co-workers, if only because people want to know where to send get-well cards; some will also be anxious to know whether the person who just fell ill was someone they’d spent a lot of time with lately. It can, however, work to prevent managers from speaking up to correct a rumor mill that has gone astray.

Things can be worse in workplaces that are subject to additional layers of privacy regulation. Universities, for example, are governed by the Family Educational Rights and Privacy Act of 1974 (FERPA), a federal law that sharply limits disclosure of information about students, even to people with some plausible interest in knowing, such as family members. In a provost’s letter last year, Boston University stirred controversy when it announced that “Faculty will not be notified if a student in their class has tested positive unless they are deemed to be a close contact through the contact tracing effort.” That’s one of many issues I discuss in my new paper for Cato’s “Pandemics and Policy” series on how regulation can make it harder to follow prudent safety practice against COVID-19 spread in the workplace. You can read the full paper here.