By Brett Cook and Oliver Kiefer
Disclaimer: This article reflects the thoughts and opinion of the authors and not their law firms and/or employers.
With the rise of the highly contagious Delta variant, employers across the United States are increasingly concerned with collecting and recording COVID-19 vaccination information from their employees. In the United States, vaccine information may be legally collected for several reasons, including where required pursuant to state law. For example, California currently requires employers to document the vaccination status of fully vaccinated employees if the employees do not wear face coverings indoors. Differing federal and state employment laws and regulations require a carefully tailored approach to vaccination data collection.
Varying state laws have injected uncertainty into the collection of vaccination information as employers seek to reopen traditional workplaces and comply with applicable public health and privacy laws. Nonetheless, foundational privacy principles can be used to mitigate risk. In general, employers should (1) define the purpose of collection, (2) define how data will be used, (3) determine how long data will be retained in accordance with retention policies/laws, (4) determine who will have access to the data, and (5) implement appropriate security measures to safeguard information.
In the United States, the Equal Employment Opportunity Commission has provided guidance regarding the collection of an employee’s COVID-19 vaccination status by their employer. Businesses who collect this information should consider whether it is required to be treated as confidential medical information under the Americans with Disabilities Act, which would require the data to be kept confidential and stored separately from the employee’s personnel files. Thus, broadly speaking, federal law does not prohibit employers from reasonably and responsibly collecting vaccination information from their employees.
In California, employers should consult the California Department of Industrial Relations Division of Occupational Safety & Health’s (CAL OSHA’s) Model COVID-19 Prevention Program, which provides a framework for compliance with the most current Emergency Temporary Standards in place for COVID-19. The Model COVID-19 Prevention Program contains a template that can be used to track employee vaccination status. It also provides guidance regarding how employers should document employee vaccination status.
However, not all states have adopted the same approach as California. In Florida, for example, Governor Ron DeSantis signed an executive order on April 2, 2021, that prohibited businesses in Florida from requiring so-called “vaccine passports.” These “passports” are shorthand for any piece of documentation that would allow businesses to determine whether a customer was fully vaccinated against COVID-19. Left unclear, however, was how the executive order regulates vaccine data that businesses collect from employees. Florida also has not addressed how employers should treat that data, once collected. Despite this lack of guidance, at least one Florida county has determined the executive order does not prohibit it from mandating that county employees show proof of vaccination. The executive order is also currently facing a challenge in the courts.
As outlined above, this area of privacy law is rapidly changing, and regulations vary substantially across the states. Compliance is critical for all employers given the high stakes at issues. Risk can be limited by working with regional attorneys and privacy leaders to identify legitimate reasons for vaccine data collection before collecting employee vaccine data and collecting the minimum amount of data necessary.