Amidst the shifting employment landscape created by COVID-19, employers requiring employees to disclose their vaccination status has become a hot — yet murky — topic rife with privacy-related risks. Vaccination requirements are expected to soon “become dominant in the workplace” due to President Joe Biden’s recent COVID-19 Action Plan. Some employers will be required to impose vaccine mandates for their employees; some will be required to ensure their employees are either vaccinated or tested weekly. Other employers may implement a vaccination or testing policy on their own initiative in response to the Food and Drug Administration’s approval of the Pfizer vaccine and the recent surge of the delta variant. Whether an employer is subject to legal requirements depends on various factors; notably, the type (private or public), size and jurisdiction(s) in which the employer operates.

The implementation of vaccine credential systems (sometimes referred to as “vaccine passports”) to verify, collect and retain employees’ vaccine status has been left, by and large, to the private sector. To navigate this unknown terrain, employers must understand the applicable federal and state laws as well as the inevitable privacy concerns raised by various vaccination credential systems.

Legal requirements for private employers at the federal level

OSHA’s rule for private employers with 100 or more employees

The Occupational Safety and Health Administration is expected to issue a rule via an Emergency Temporary Standard requiring “all employers with 100 or more employees to ensure their workforce is fully vaccinated or require any workers who remain unvaccinated to produce a (weekly) negative test result.”

Equal employment opportunity laws

The Equal Employment Opportunity Commission’s Guidance states that “federal EEO laws do not prevent an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19, subject to the reasonable accommodation provisions of Title VII and the ADA and other EEO considerations.”

Under the Americans with Disabilities Act, an employee’s vaccination status is considered confidential medical information, and such documentation must be maintained separately from personnel files. Although employers may lawfully require documentation concerning an employee’s vaccination status, requesting information pertaining to an employee’s health or medical condition may qualify as an unlawful disability-related inquiry under the ADA.

Legal requirements for private employers at the state and local level

State privacy laws

State laws and regulations that cover the maintenance of employee health information are often stricter than federal requirements. When implementing a vaccine verification system, employers need to keep in mind the applicable state laws that govern the maintenance, use and disclosure of health information, mandatory security procedures and data breach notifications, as well as staff training requirements.

For example, California employers must comply with Cal/OSHA in addition to the upcoming federal OSHA rule. Under Cal/OSHA’s COVID-19 ETS, employer-created vaccination records must “be maintained for the length of time necessary to establish compliance with the regulation.” 

State and local actions regarding employee vaccination requirements

Many states have attempted to restrict private employers from imposing vaccination requirements, with privacy concerns being used in part to rationalize the proposed bans. To date, most of these efforts have been unsuccessful. However, private employers in Georgia, Montana and Florida are more limited in their ability to implement a vaccine credential system because employers will not be able to directly access records from a state-maintained immunization registry to verify employee vaccination credentials.

• Georgia: Pursuant to Gov. Brian Kemp’s, R-Ga.,  executive order, “Georgia Registry of Immunization Transactions and Services ... data held by the State shall not ... be shared with any public or private entity for the purposes of a vaccine passport program.”
• Montana: Gov. Greg Gianforte, R-Mont., issued an executive order prohibiting state entities and officials from issuing or sharing “standardized documentation for the purpose of certifying an individual’s COVID-19 vaccination status to a third party.”
• Florida: Executive Order 21-81, issued by Gov. Ron DeSantis, R-Fla., prohibits state government entities from issuing “vaccine passports, vaccine passes or other standardized documentation for the purpose of certifying an individual's COVID-19 vaccination status to a third party.”

However, states like California and New York seem to be facilitating private employers’ ability to mandate vaccination requirements.

• California: In June, the California Department of Public Health and Technology launched the Digital COVID-19 Vaccination Record portal to allow Californians to obtain a digital copy of their vaccination record.
• New York: In March, the state launched its Excelsior Pass application, which uses a QR code to share vaccination credentials with third parties. At the local level, certain indoor New York City businesses (dining, fitness and entertainment) are required by the “Key to NYC” to confirm employee vaccination status. Employees are permitted to use the state’s app to prove they’re vaccinated.

Legal requirements for government employers at the federal level

Under EO 14043 and EO 14042, all federal employees and contractors must be fully vaccinated (limited exceptions apply for reasonable accommodations). On Sept. 16, 2021, the Safer Federal Workforce Task Force issued guidance regarding federal employees, requiring agencies to obtain employee-certified documentation to prove vaccination.

The guidance allows agencies to develop their own collection and maintenance processes, in compliance with federal laws and regulations. Under the Privacy Act of 1974, agencies “should only disseminate information to the appropriate agency officials who have a need to know.” Agencies subject to U.S. Office of Personnel Management regulations “must have written instructions for its (Employee Medical File) system with appropriate safeguards” and they must provide employees “with a Privacy Act statement at the point of collection.” Agencies not covered by OPM must provide employees with an alternative Privacy Act statement.

Under EO 14042, agencies are directed to include contract clauses (incorporating additional Task Force guidance regarding vaccination mandates for federal contractors) into federal contracts beginning or extended after Oct. 15, 2021.

Legal requirements for government employers at the state level

Through legislative and executive means, several states are responding to the idea of government employee vaccination requirements. At least 17 states have adopted state employee “vaccine-or-test” requirements and three states (Massachusetts, Oregon and Washington) require state employees to be fully vaccinated. In contrast, at least four states (Arizona, Arkansas, Georgia and Indiana) have prevented state employers from implementing vaccination requirements.

Broader privacy considerations

Understanding the privacy implications surrounding the verification, collection and retention of employee vaccination credentials will help prepare employers who are required — or choose — to implement vaccination credential systems to manage the associated privacy risks.

Verification

Finding the right balance between workplace safety and employee privacy is a necessary concern for employers. Limiting the amount of data collected when verifying employee vaccinations minimizes potential liability, but employers need enough information to satisfy legal mandates and promote a safe work environment. To date, there is no recognized standard for verifying employees’ vaccination status; rather, employers have generally been using one of the following approaches: 

Pure honor system: Employer issues a vaccination policy that does not individually ask employees about or require proof of vaccination status but rather relies on employees to be honest about whether they are vaccinated. This approach brings with it the fewest privacy considerations because it does not require employers to request, collect or record any information.

Signed attestation: Employee acknowledges employer’s vaccination policy and signs an attestation confirming vaccination status, but employer does not request documented proof. Employers utilizing this approach include Morgan Stanley and Goldman Sachs.

This approach is viewed as a “middle ground” between a pure honor system and requiring proof because a signed attestation gives a vaccination policy some teeth in case employees aren’t being truthful; yet it still lacks the assurance that an employee is vaccinated.

Physical or digital proof: Employee provides proof of vaccination status (e.g., a vaccination card) to employer. Some employers are going a step further and using third parties to verify vaccination credentials.

Google employees, for example, are sending their vaccination credentials to the company’s membership-based health-care provider app; each submission is then manually reviewed. Employees at Superhuman must upload their credentials to a third-party app that also uses human reviewers.

Some New York employers are using the state’s "Excelsior Pass" app, which generates “passes” for employers to accept as verification since an employee’s pass is based on data reported by their vaccine administrator to secure state and local immunization databases.

Employers obtaining hard evidence of employee vaccination data must ensure adequate measures are in place to comply with applicable privacy and security laws concerning employees’ confidential medical information. Employers should also instruct employees to not provide more information than necessary (e.g., if something other than a CDC card is provided, employees should be instructed to redact unnecessary information). Those requiring employees to verify their vaccine status through a third-party vendor should also ensure the vendor has in place appropriate privacy and security protections.

Employers with 100-plus employees may need to change their approach once OSHA issues its mandatory vaccine-or-test rule. Until further guidance is issued, it is unclear what approach will impact more than 80 million workers in the private sector.

Collection and retention

Employers are working to develop user-friendly and consistent collection notices to inform employees of their vaccination policies and procedures. As with verifying an employee’s vaccination status, employers should strive to collect and retain as little information as possible. Depending on the method(s) chosen, the level of detail needed in the notice to employees will likely vary, as will the level of attention employers should give to privacy and security requirements.    

Internal collection: Emailing human resources

Employers choosing to use internal means to collect vaccination credentials — such as having employees email credentials to HR — should consider whether adequate security measures are in place on the business’s email system to prevent unauthorized access. If physical files are retained, employers should make sure the files are kept confidential and separate from other employee records with proper security measures and limit accessibility to as few trained staff as possible. Employers choosing to electronically store files on servers within their sole control should consider the servers’ physical location(s) because, depending on the jurisdiction, additional security and breach-notification requirements may be imposed.

Third-party vendor collection: Using digital platforms and apps

Although the platforms and apps developed for vaccine credential systems promise privacy, the specifics on how this is accomplished is not always clear. Since January, the Ada Lovelace Institute has been reviewing how “private health data is used in the public domain and digitally linked to an identified individual.” Findings from the ALI concerning digital vaccine credential systems highlight the risks of “scope creep and information flows.” Specifically, there are concerns personal data intended for health and safety might be repurposed, even if privacy-preserving technology is used, because multiple actors with varying levels of trustworthiness and experience will be viewing and handling personal data. Imogen Parker, project lead on COVID status apps at the ALI, says the use of these apps and how they interact with the law requires further clarity, noting whether personal data could be used at protests or voting booths remains unclear. Parker indicates that personal data “could also pipe to ... insurance companies, unless such uses are specifically prohibited.”

Discussing New York’s Excelsior Pass app, security researcher Albert Fox Cahn states, “We don’t even have the most rudimentary information about what data it captures, how that data is stored, or what security measures are being used.” While Excelsior’s privacy policy states it doesn’t use location tracking, a separate app — which Cahn found could potentially track a user’s location — is required to scan the Passes.

Currently, there are no formal protections against using vaccination data that’s been given to credential systems for commercial marketing or other purposes. In August, however, the World Privacy Forum urged the CDC and its Advisory Committee on Immunization Practices to extend the same protections that apply to health care providers (a prohibition on using vaccine registration and administration data for commercial purposes) to personal data given to vaccine credential systems. The WPF’s Comments, authored by Executive Director Pam Dixon, state there are “significant potential risks for the commercial use of ... vaccination data due to the sheer number of credentialing systems in development across complex public-private pathways.” Included in the Comments was a push for the ACIP to exercise its unique situation to set an important standard — that “credentialing systems utilizing (vaccination) data are prohibited from utilizing that data for commercial marketing or other unauthorized purposes.”

Despite the current lack of specific U.S. legislation, placing restrictions on COVID-19 data collection by apps has been on Congress’s radar — as evidenced by last year’s introduction of the COVID-19 Consumer Data Protection Act of 2020. The IAPP continues to track these proposals here.

That being said, employers can be proactive by considering whether their vendors will adequately safeguard collected data and ensuring the vendor will not use or sell employee data for unauthorized purposes. Formal agreements between employers and third-party vendors should set forth a vendor’s specific obligations and limitations pertaining to the data obtained. As a general matter, employers should ensure the vendor has adequate privacy, security and retention policies in place. Employers who decide to use an existing vendor should consider whether it is necessary to perform an additional assessment of the vendor, especially if the vendor was initially vetted for data that requires less stringent security.

Conclusion

This analysis provides employers with a framework of legal requirements and privacy considerations for implementing vaccination credential systems. In addition to staying abreast of current federal and state laws concerning employee vaccine mandates, employee data protection should also be a top priority for employers implementing them.

Photo by CDC on Unsplash