With many current COVID-19 safety protocols dependent on vaccination status, verification and vaccine mandates continue to raise unique confidentiality and privacy considerations for employers.
Here are some important points to keep in mind when tracking, collecting, or disclosing an employee’s vaccination status in certain circumstances.
The Vaccination Inquiry
With the exception of a few jurisdictions that limit your ability to pose vaccine inquiries or seek proof of vaccination, employers are permitted to ask for an employee’s vaccination status or proof of vaccination under federal and state law. And contrary to a popular misconception, employers are almost always never blocked by HIPAA as you seek information about an employee’s vaccine status.
However, employers who ask about an employee’s vaccination status or proof must be careful about delving into an employee’s other health information. For example, simply tracking if an employee was vaccinated or asking to produce a copy of the vaccination card or an attestation with the date(s) the vaccination was administered would not dig too deep. However, asking an employee why they were or were not vaccinated could be a disability-related inquiry, triggering additional obligations.
Proof of Vaccination Status
There is no universal “proof” of vaccination status with the patchwork of federal, state and local COVID-19 and vaccine-related guidance, ordinances, and mandates. Acceptable proof may vary depending on the vaccine mandate or jurisdiction. For example, in California under the Cal/OSHA Emergency Temporary Standards, a self-attestation is sufficient proof of vaccination status. However, under the federal contractor mandate and many other vaccine mandates, self-attestation is not an acceptable form of proof.
Vaccine-Related Information and Medical Records
Whether documents are considered medical records and subject to privacy or confidentiality laws generally depends on the federal or state law that contains the restrictions at issue.
Federal Workplace Safety Officials
Under the Occupational Safety and Health Act, medical records include any document regarding an employee’s health status made or maintained by a physician, nurse or health care professional. To many employers’ surprise, such records must be retained for the tenure of the employee – plus 30 years. This includes medical histories, medical examination results and opinions, diagnoses, progress notes and recommendations, first aid records, descriptions of treatments and prescriptions, and employee medical complaints.
Relevant State Laws
Some state laws also define medical records. For example, in Ohio, the definition includes any medical report arising from a physical examination by a health care professional and hospital or laboratory test results from tests required as a condition of employment or as a result of a work injury or illness.
Other jurisdictions have specifically addressed vaccination records and the maintenance of the records. In California, Cal/OSHA has provided guidance that vaccination records created by the employer under the Emergency Temporary Standards need to be maintained for the length of time necessary to establish compliance with the regulation, including during any Cal/OSHA investigation or appeal of a citation. And, to encourage documentation using vaccination records, Cal/OSHA has determined that it would not effectuate the purposes of the Labor Code to subject such records to the 30-year record retention requirements that apply to some medical records.
What Does the EEOC Say?
Per EEOC guidance, employers should treat vaccination records as confidential medical information, maintained confidentially and stored separately from an employee’s personnel file. The EEOC has also provided guidance that the inquiry or request for proof of vaccination itself is not a disability-related inquiry. So, employers who track who is vaccinated or request proof of vaccination must be careful not to delve deeper into an employee’s other health information when making this inquiry or asking for proof.
For example, merely tracking if employee was vaccinated, or asking to produce the copy of the vaccination card or other proof of vaccination record, or even simply requesting an attestation with the date(s) the vaccination was administered would not itself be considered a disability-related inquiry. However, taking it further and asking an employee why they were or were not vaccinated, for example, could be considered a disability-related inquiry.
Thus, it is recommended to have clear documentation limiting the inquiry or specifically listing the forms of acceptable proof with a clear reminder not to provide any other medical-related information. You should also maintain the vaccine-related information and documentation in a secure and separate location. You should not put it in employees’ existing medical files, instead keeping it separate similar to I-9 documentation. Finally, you should specifically designate who will collect and enter the data, and review carefully to make sure any data is entered accurately.
Confidentiality and Disclosure of Medical Records and Information
Several laws apply to employers’ handling of employee medical information. With limited exceptions, federal law requires employers to keep confidential any medical information they learn about any applicant or employee. Medical information includes not only a diagnosis or treatments, but also the fact that an individual has requested or is receiving a reasonable accommodation.
Generally, federal law requires that all medical information about a particular employee, including all medical information related to COVID-19, be stored separately from the employee’s personnel file, thus limiting access to this confidential information.
Indeed, according to the EEOC, although the EEO laws do not prevent employers from requiring employees to provide documentation or other confirmation of vaccination, this information must be kept confidential like all other medical information and stored separately from the employee’s personnel files under the ADA. Additionally, several states have laws that specifically address the confidentiality and disclosure of medical records, including prohibiting employers from disclosing employee medical records to third parties without the employee’s written consent, with specific font size and other requirements.
CCPA and CCPA-Like States
Additionally, if the California Consumer Privacy Act (CCPA) or similar law applies to your business, then collecting information from employees about their vaccination status/proof of vaccination may trigger the “notice at collection” requirement. This requirement does not mean you have to provide a different or new CCPA notice every time you ask for or receive this information. If the information is already reflected in the broader notice you must provide to all employees (i.e., the notice that is supposed to inform the employee of all categories of personal information the company collects about or from the employee along with all the business purposes for which the information is used), then an additional or separate notice related to vaccine information will not be needed.
Decline to Disclose Vaccination Status
Employees who refuse to disclose their status should be treated as unvaccinated. Even with a mandatory vaccination policy, you should ensure there is a process in place to address issues of accommodation for employees with protected objections to receiving the vaccination. You should also sure you are evaluating any state-specific limitations on requiring disclosure of vaccination status prior to moving to discipline or any adverse action.
We will continue to monitor vaccine issues so make sure you are subscribed to Fisher Phillips’ Insight system to get the most up-to-date information.
If you have questions about how to ensure that your vaccine policies comply with workplace and other applicable laws, visit our Vaccine Resource Center for Employers or contact the authors of this Insight, your Fisher Phillips attorney, or any attorney on our FP Vaccine Subcommittee.
Hannah Sweiss represents a broad range of clients, from small businesses to national companies, in a variety of industries including trucking, hospitality, travel, manufacturing, and healthcare. Hannah’s practice is focused on representing and defending employers in class action wage and hour lawsuits as well as representative lawsuits brought under California’s Private Attorneys General Act (PAGA). Hannah has been lead counsel on numerous complex wage and hour/PAGA lawsuits achieving great results in cases with less than twenty members to cases with thousands of members.
Todd Logsdon is a partner in the firm’s Louisville office and co-chair of the firm's Workplace Safety and Catastrophe Practice Group. His practice is devoted to advising and representing employers regarding labor and employment law matters. Todd is a key contributor to Fisher Phillips’ COVID-19 Task Force and has assisted employers with successfully navigating workplace employment and safety issues throughout the pandemic.
Patrick Dennison is a partner in the Pittsburgh office and is a member of the Workplace Safety and Catastrophe Management Practice Group. Patrick defends companies throughout the country in various regulatory enforcement and compliance actions in federal, state, and administrative venues. Patrick’s experience is diverse, and he stays abreast to emerging legal developments. Whether counseling clients regarding Mine Safety and Health Administration (MSHA) and Occupational Safety and Health Administration (OSHA) compliance or helping businesses navigate complex and novel legal issues such as vaccinations or cryptocurrencies and blockchain technologies, Patrick remains thorough and responsive, which he values as a core tenant of service to clients.