How Employers Can Handle Privacy and Confidentiality Issues Related to COVID-19 Vaccine Information Collection | Fisher phillips


With many current COVID-19 safety protocols dependent on vaccination status, verification and vaccination mandates continue to raise unique privacy and confidentiality considerations for employers. Here are some important points to keep in mind when tracking, collecting, or disclosing an employee’s immunization status in certain circumstances.

The vaccination survey

With the exception of a few jurisdictions that limit your ability to ask questions about vaccines or request proof of vaccination, employers are permitted to request an employee’s vaccination status or proof of vaccination under federal laws and states. And contrary to popular belief, employers are almost never blocked by HIPAA when looking for information about an employee’s immunization status.

However, employers requesting an employee’s vaccination status or proof of vaccination should be careful not to delve into other information about an employee’s health. For example, simply tracking whether an employee has been vaccinated or asking to produce a copy of the vaccination card or certificate with the date (s) of the vaccination would not be too deep. However, asking an employee why he or she was or was not vaccinated could be a disability-related investigation, triggering additional obligations.

Proof of vaccination status

There is no universal “proof” of vaccine status with the patchwork of federal, state and local directives, orders and mandates related to COVID-19 and vaccines. Acceptable evidence may vary depending on the vaccination mandate or jurisdiction. For example, in California, under Cal / OSHA Temporary Emergency Standards, a self-attestation is sufficient proof of vaccination status. However, under the federal contractor mandate and many other vaccine mandates, self-attestation is not an acceptable form of proof.

Vaccine information and medical records

Whether the documents are considered medical records and subject to privacy or confidentiality laws generally depends on which federal or state law contains the restrictions in question.

Federal Occupational Safety Officers

Under the law on occupational safety and health, medical records include any document concerning the state of health of an employee established or kept by a doctor, nurse or health professional. To the surprise of many employers, these records must be kept for the duration of the employee’s tenure – over 30 years. This includes medical history, results and opinions of medical examinations, diagnoses, progress notes and recommendations, first aid records, descriptions of treatments and prescriptions, and employee medical complaints.

Relevant state laws

Some state laws also define medical records. For example, in ohio, the definition includes any medical report resulting from a physical examination carried out by a health professional and the results of hospital or laboratory analyzes resulting from analyzes required as a condition of employment or following an industrial accident or disease.

Other jurisdictions have specifically addressed immunization records and record keeping. In California, Cal / OSHA provided advice that vaccination records created by the employer under Temporary Emergency Standards should be retained for as long as necessary to establish regulatory compliance, including during any Cal / OSHA investigation or appeal of a citation. And, to encourage documentation using immunization records, Cal / OSHA determined that it would be not achieve the objectives of the Labor Code to subject these records to the 30-year record retention requirements that apply to certain medical records.

What does the EEOC say?

Through Orientation of the EEOC, employers should treat vaccination records as confidential medical information, kept confidential and stored separately from an employee’s personal file. The EEOC also indicated that the investigation or request for proof of vaccination itself is not a disability-related investigation.. So, employers who track vaccinees or request proof of vaccination should be careful not to delve into an employee’s other health information when making that request or requesting proof.

For example, the simple fact of tracking whether the employee has been vaccinated, or asking for a copy of the vaccination card or other proof of vaccination record, or even simply asking for a certificate with the date (s) of vaccination would not in itself be considered a handicap. -related investigation. However, going one step further and asking an employee why they were or was not vaccinated, for example, could be considered a disability-related investigation.

Thus, it is recommended to have clear documentation limiting the investigation or specifically listing the acceptable forms of evidence with a clear reminder not to provide any other medical information. You should also keep the vaccine information and documentation in a secure and separate place. You should not put it in existing employee medical records, but keep it separate in the same way as I-9 documentation. Finally, you should specifically designate who will collect and enter the data, and review carefully to ensure that all data is entered accurately.

Confidentiality and disclosure of medical records and information

Several laws apply to employers’ handling of employee health information. With few exceptions, federal law requires employers to keep confidential any medical information they discover about a candidate or employee. Medical information includes not only a diagnosis or treatment, but also whether a person has requested or is receiving reasonable accommodation.

Generally, federal law requires that all medical information about a particular employee, including all medical information related to COVID-19, be stored separately from the employee’s personal file, thereby limiting access to that information. confidential.

Indeed, according to the EEOCAlthough EEO laws do not prevent employers from requiring employees to provide documents or other vaccination confirmation, this information should be kept confidential like all other medical information and stored separately from the personnel’s personal records. employed under the ADA. Additionally, several states have laws that deal specifically with the confidentiality and disclosure of medical records, including prohibiting employers from disclosing employee medical records to third parties without the employee’s written consent, with a font size specific and other requirements.

CCPA and CCPA type states

Additionally, if the California Consumer Privacy Act (CCPA) or similar law applies to your business, collecting information from employees about their immunization status / proof of vaccination may trigger the “notice on collection” requirement. “. This requirement does not mean that you must provide a different or new CCPA notice each time you request or receive this information. If the information is already reflected in the larger notice that you must provide to all employees (i.e. the notice that is supposed to inform the employee of all categories of personal information that the company collects about or from the employee as well as any business purposes for which the information is used), then additional or separate notice related to the vaccine information will not be required.

Refuse to disclose immunization status

Employees who refuse to disclose their status should be treated as unvaccinated. Even with a mandatory vaccination policy, you must make sure that there is a process in place to resolve accommodation issues for employees with protected objections to receive the vaccine. You should also make sure that you assess any state-specific limitations regarding the requirement to disclose immunization status before proceeding with discipline or any adverse action.

Leave A Reply

Your email address will not be published.