Just as restaurants, offices and travel seemed to be on a path to some sort of normalcy, the COVID-19 delta variant emerged, leading to another rise in coronavirus cases around the U.S., forcing employers to take a stronger stance on pandemic recovery.

From technology companies like Google and Microsoft, to retailers like Walmart and Walgreens, a growing number of companies across the U.S. have announced vaccine requirements for employees in recent months. Seemingly forcing the hand of larger companies, the Biden administration directed the U.S. Department of Labor to require businesses with 100 employees or more to ensure employees are vaccinated or tested weekly. The administration is also requiring vaccinations for all federal employees and contractors who do business with the federal government.

“When systems move from voluntary to mandatory, that’s when you have to really sit up and pay extra attention, and that’s where we are right now. There are millions of people who just ended up with mandatory vaccination requirements, which means mandatory use of some kind of vaccine credentialing system,” said Pam Dixon, executive director of the World Privacy Forum, which has received a grant to study these systems globally. “When that is the case, we have to make sure the system itself doesn’t hurt people.”

Philip Gordon, a shareholder at Littler Mendelson and co-chair of its Privacy and Background Checks Practice Group and an expert in workplace privacy, said vaccine mandates in the U.S. are subject to exemptions for disabilities and “sincerely held” religious beliefs, as provided for under the Americans with Disabilities Act and Title VII of the Civil Rights Act. In Montana, state law prohibits discrimination based on vaccination status, so while employers can inquire about employees’ vaccination status, “treating unvaccinated and vaccinated workers differently in any material way could constitute discrimination,” Gordon said.

Some employers are implementing vaccine requirements or regular COVID-19 testing, with social distancing and mask wearing in the office, and a growing trend is requiring full vaccination as a condition of hire, he said. Many are now struggling with how to manage the data they collect. Do they want to maintain it on their own systems? Do they have a system that can manage it well? Do they need to contract with a third-party provider? Who will have access to the data, given that it may be analyzed to manage COVID-19 response and business activities?

“The key which is fundamental to good information security and data protection is access controls,” Gordon said. “From a matter of fair information principles and good data security, to reduce the risk of a security breach the fewer people who have access to the data, the better.”

While proof of vaccination or vaccination status is not likely to be covered by the Health Insurance Portability and Accountability Act for most employers (HIPAA binds health plans, providers, clearinghouses and their business associates, not an employer holding records in its capacity as an employer), Gordon said those that collect and store employees’ vaccination cards could be subject to data breach notification laws in approximately 20 states, where he said, “health information is personal information which if compromised would trigger a breach notification obligation.”

“At least in theory, and arguably in practice, when an employer collects proof of vaccine it’s exposing itself to potential breach notification risk,” Gordon said. “So, at a minimum, the same types of procedures employers provide to other medical records, they should provide to proofs of vaccination.” 

Companies weighing privacy implications, public health

As a privacy lawyer, Derek Care, Uber’s legal director for privacy and cybersecurity, doesn’t love the idea of asking employees about their health information.

“On the other hand, this is obviously a pretty extraordinary situation, and we’re not just thinking about individual decisions, we’re having to make decisions with the group behavior and group health in mind,” he said. “It’s one of those situations where I do think you have to invest more on safety rather than on individual privacy and in that case that doesn’t mean you throw privacy out the window, but you figure out how to mitigate the privacy risks as best you can while trying to achieve that safety goal.”

Uber implemented a voluntary return to the office in early January with a self-certification process. Before coming into the office, employees fill out a questionnaire via an application that asks a series of questions set by regional health authorities, such as whether they are experiencing COVID-19 symptoms or have come into contact with anyone diagnosed with the virus. Employees confirm they are aware of the requirements, and cannot access the office if they identify any risk factors.

The company has extended its official return to office to January 2022 and will require vaccinations or regular negative COVID-19 testing for employees.

This presents privacy and data-handling sensitivities, Care said, and the global company is exploring the best way to move forward. With offices around the world and more than 25,000 employees, Care said, “there’s a lot of moving pieces.” Local legal requirements, health conditions, availability of vaccines and testing, other factors like union requirements, as well as what works best for employees, will all be taken into consideration in decisions, he said.

“In all cases, it’s relatively sensitive data from whether it’s actual health data or test results, to even data that allows you to infer something about someone’s health. In all cases we treat it sensitively and we think that means having a safe place to put this data,” he said, adding plans will likely include different levels of access for those within the company who need to know the information and an appropriate time to maintain the data.

“From a data retention and deletion standpoint, it’s sensitive; we do need to collect this data to help prevent risk of COVID, but that doesn’t mean we’ll have any need for the data in seven years, or at one year or even six months from now,” Care said. “So, we have to figure out what is right given the sensitivity of the information, the legal requirements and what’s right by employees.”

While advertising and technology company Ampersand has not set an official return to office date, the company, which has offices throughout the U.S., is mandating vaccines. Employees can upload a copy of their COVID-19 vaccination card into an encrypted system, accessible only by human resources and separate from their personnel file, said Chief Privacy Officer and General Counsel Noga Rosenthal, CIPP/E, CIPP/US.
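The controls described across the interviews above (Gordon on restricting access, Care on tiered access and a bounded retention period, and the HR-only encrypted store kept apart from the personnel file just described) in working form, as an added example that is not code from the article or from any of the companies named. It is a small Python store that keeps only the verified status and date (never the card image), lets the HR role read the record while a facilities role gets only a yes/no clearance answer, encrypts records at rest, audits every access decision, and purges records once a retention window has passed. The role names, the 180-day retention window and the employee IDs are assumptions for illustration; the cipher is a stand-in built from HMAC-SHA256 in counter mode with encrypt-then-MAC so the example runs on the standard library, and a real deployment would use an AEAD such as AES-GCM from a vetted library with a key held in a KMS or HSM rather than in process memory.

```python
import hashlib
import hmac
import json
import os
import time

# Assumed roles: only HR may write or read the record itself; facilities may
# ask only whether someone is cleared for the office; managers get nothing.
ROLE_PERMISSIONS = {
    "hr": {"write", "read_record"},
    "facilities": {"read_cleared"},
    "manager": set(),
}


class AccessDenied(PermissionError):
    """Raised when the caller's role lacks the permission for an operation."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode) so the example is
    # self-contained; use AES-GCM from a real library in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class VaccinationStore:
    """Vaccination status held apart from the personnel file, encrypted at rest."""

    def __init__(self, key: bytes, retention_days: int):
        self._key = key
        self._retention = retention_days * 86400
        self._records = {}  # employee_id -> (encrypted record, stored_at epoch seconds)
        self.audit = []     # (timestamp, actor id, permission, employee_id, outcome)

    def _authorize(self, actor: dict, permission: str, employee_id: str) -> None:
        allowed = permission in ROLE_PERMISSIONS.get(actor["role"], set())
        self.audit.append((time.time(), actor["id"], permission, employee_id,
                           "ok" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{actor['id']} ({actor['role']}) may not {permission}")

    def put(self, actor: dict, employee_id: str, status: str, verified_on: str, now=None) -> None:
        self._authorize(actor, "write", employee_id)
        # Data minimization: the verified status and date only, never the card image.
        record = json.dumps({"status": status, "verified_on": verified_on}).encode()
        stored_at = time.time() if now is None else now
        self._records[employee_id] = (encrypt(self._key, record), stored_at)

    def read_record(self, actor: dict, employee_id: str) -> dict:
        self._authorize(actor, "read_record", employee_id)
        blob, _ = self._records[employee_id]
        return json.loads(decrypt(self._key, blob))

    def is_cleared(self, actor: dict, employee_id: str) -> bool:
        # Facilities learns a boolean, not the underlying health record.
        self._authorize(actor, "read_cleared", employee_id)
        if employee_id not in self._records:
            return False
        blob, _ = self._records[employee_id]
        return json.loads(decrypt(self._key, blob))["status"] == "fully_vaccinated"

    def purge_expired(self, now=None) -> int:
        # Retention: drop every record older than the configured window.
        now = time.time() if now is None else now
        expired = [eid for eid, (_, stored_at) in self._records.items()
                   if now - stored_at >= self._retention]
        for eid in expired:
            del self._records[eid]
        return len(expired)


def demo():
    # Constructed actors and employee ID; returns (cleared?, record leaked to facilities?, purged count).
    store = VaccinationStore(key=os.urandom(32), retention_days=180)
    hr = {"id": "hr-01", "role": "hr"}
    facilities = {"id": "fac-02", "role": "facilities"}
    store.put(hr, "e-1001", "fully_vaccinated", "2021-06-15", now=0)
    cleared = store.is_cleared(facilities, "e-1001")
    try:
        store.read_record(facilities, "e-1001")
        leaked = True
    except AccessDenied:
        leaked = False
    purged = store.purge_expired(now=181 * 86400)
    return cleared, leaked, purged


if __name__ == "__main__":
    print(demo())
```

The audit list is what an employer would hand to an investigator after a suspected breach: every read of a record, granted or denied, is recorded with the actor, so "who had access" is answerable from the log rather than from memory. The `is_cleared` path is the practical form of Care's "different levels of access": the people who need to admit someone to a building get a boolean, and the health record itself stays with HR.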

In weighing the decision over recent months, Rosenthal said she spoke with other general counsels about their course of action, learning of instances where individuals were not truthful about receiving the vaccine.

“If I found out somebody was lying, and we have people who are immunocompromised coming into the office, what do we do? Somebody lies, someone gets sick,” she said. “We had to balance the harm, the privacy harm of keeping the data, versus someone getting sick. The potential of getting sick, and keeping employees safe, won out.”

Studying ‘a significant issue’

The World Privacy Forum has received a grant to research vaccine credentialing systems being used globally, in an effort to understand how they work, identify similarities and differences, and what’s working and what’s not. From the research thus far, Founder and Executive Director Pam Dixon said what’s emerging is a globally “profound misunderstanding of public health data,” and in the U.S., an assumption that public health data is covered under HIPAA.

“The truth is that data that is covered under HIPAA is generally not the same kind of data as public health data. The protections aren’t usually the same,” Dixon said. “I think one of the most profound misunderstandings of our time is how public health data is protected.”

For that reason, Dixon said vaccine credentialing systems are a “significant issue,” because without significant protections restricting the use of public health data for only public health purposes, and only by public health authorities, “it’s really difficult to constrain it.”

“We really need some guardrails here and if we don’t have them it’s going to be a really big problem at the end of the day,” she said. “The end result will be that people will lose trust in the public health system.”

The federal government’s mandate on employers with 100 employees or more means “a very significant collection of data.” Dixon raised questions around how that data will be maintained and protected. Also, moving forward, the government, states and employers could be implementing different credentialing systems, leading to requirements that individuals utilize multiple systems, she said.

“If we have 1,000 vaccine credentialing systems that may or may not be operating the way all of us would like then that’s going to be a really hard thing,” Dixon said. “The thing we are going to have to grapple with is do we want a single system for vaccine credentialing? One that has privacy controls that have a legal apparatus connected to it. Or do we want to allow 1,000 flowers to bloom and allow all these systems to just grow and generate as they will.”

Dixon said it is vital that data collected for vaccine credentialing be used only for its intended purpose, and not advertising, marketing or research, for instance. Vaccine credentialing systems’ policies should state that vaccination status will be guarded as protected health information, she said.

“There is going to be an extraordinarily complex patchwork of all these various systems. It’s going to be very challenging for people to know what law is covering their system, if any,” Dixon said. “So, we’ve got to be really careful here and provide help for people and make it clear what are the guardrails and what can be done.”

As has been the case throughout the pandemic, there are still many unknowns around employer-mandated vaccines and credentialing systems. While much is left to unfold, Dixon said one positive is that privacy has not gone by the wayside in approaches to vaccine efforts.

“But I do think we’re moving into a new phase of this crisis where we just simply have to bargain with reality and in our bargain with reality we have to figure out how to live, that means going places, that means getting on planes again, going into public again, and in order to do that we have to trust the people who are in the same air space as us and that level of trust does not depend on an honor system. It’s going to depend on some kind of credentialing proof system,” she said. “That is what has finally landed us into the privacy soup.”