In connection with the recent surge in COVID-19 cases caused by the Delta variant, many businesses have begun to require that employees—and sometimes contractors, volunteers and patrons—provide proof of vaccination. This may come in the form of requests for voluntary disclosure, or in connection with employer vaccine policies, or pursuant to newly issued mandates from public health authorities.
Mandatory Disclosures: For example, on Aug. 12, 2021, the San Francisco California Department of Public Health issued sweeping revisions to its Order of the Health Officer No. C19-07y (“SF Order”), mandating that certain businesses, including restaurants and gyms, require staff and patrons to provide proof of full vaccination against COVID-19 (subject to limited exceptions). Such employers are required, by Oct. 13, 2021, to ensure that all staff who routinely work onsite provide proof of full vaccination. Similarly, with its “Key to NYC,” New York City has mandated that certain businesses, including restaurants, gyms and other indoor entertainment and recreational businesses, not permit patrons or employees to enter the premises without providing proof of at least one dose of a COVID-19 vaccine; inspections and enforcement will begin Sept. 3, 2021.
As another example, on Aug. 2, 2021, the City and County of Denver issued a public health order (“Denver Order”) requiring that private-sector businesses in certain “high-risk” settings, including but not limited to schools, childcare centers and some health care settings, ensure that all “personnel”—defined to include contractors and volunteers—are fully vaccinated by Sept. 30, 2021. The Denver Order does not specify how “personnel” are to prove vaccination status and does not address any exemptions to the vaccine requirement; however, both issues are further addressed in the Vaccination Requirement FAQs. Entities subject to the Denver Order are also required to “maintain corresponding records” of vaccination verification, which the entity must make available to the public health authority upon request.
Voluntary Disclosures: Cal/OSHA’s Emergency Temporary Standards (“ETS”) define “fully vaccinated” to mean “the employer has documented that the person received, at least 14 days prior, either the second dose in a two-dose COVID-19 vaccine series or a single-dose COVID-19 vaccine.” The ETS prescribe varying protocols, exclusion requirements and other standards for fully vaccinated versus non-fully vaccinated employees. And some local public health agencies have conducted on-site visits to ensure that employers have such documentation in place and are applying appropriate protocol levels for fully vaccinated and non-fully vaccinated employees. Many employers are therefore asking employees to voluntarily provide proof of vaccination, with the alternative of being treated as unvaccinated and being subjected to more stringent protocols.
Employer Vaccine Mandates: Some employers already have issued vaccine mandates; many others have been waiting until the FDA issued full approval of one or more COVID-19 vaccines to issue such mandates, which it did with respect to the Pfizer vaccine on Aug. 23. Such policies will necessitate that employees provide evidence of vaccination status or their eligibility for a legally required exemption (i.e., due to a medical condition, disability or sincerely held religious belief).
Civil Rights Laws: The Equal Employment Opportunity Commission and many state agencies have indicated that an employer merely asking about vaccination status does not, in and of itself, implicate federal laws such as the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act, or state laws of similar effect. Those come into play only when, for instance, an employer asks why someone is not vaccinated. Once obtained, though, the vaccination status data is considered confidential medical information and must be handled accordingly.
HIPAA Implications: The good news for businesses requiring proof of vaccination from employees or patrons is that inquiries into vaccination status usually do not implicate the federal Health Insurance Portability and Accountability Act (“HIPAA”), because HIPAA does not broadly cover medical information in and of itself. Rather, HIPAA applies only to medical information held by “covered entities”—defined as certain health care providers, health insurance plans and health care clearinghouses—and “business associates” that perform services for or on behalf of a covered entity. If a business does not meet the definitions of a “covered entity” or “business associate,” it is not subject to HIPAA.
Privacy Laws: HIPAA aside, businesses seeking to verify vaccination status of employees or patrons—whether voluntarily or pursuant to a government mandate—should consider whether they need to comply with applicable state or local privacy laws in doing so. As to privacy of employee information, for example, the California Confidentiality of Medical Information Act (“CMIA”) bars employers from using or disclosing medical information about employees without having first obtained a signed authorization from the employee. While there are limited exceptions to this law, arguably none of those exceptions directly permit an employer to collect and use vaccination status information for the purposes typically contemplated by, for example, the public health authority mandates. Likewise, employers seeking to use such information to, for instance, designate protocol levels applicable to particular employees (e.g., by differentiated ID cards) may run afoul of privacy laws if proper authorization is not obtained; such differentiation can essentially be considered a “proxy” for the confidential medical information regarding vaccination status. Notably, the CMIA provides for a private right of action, and aggrieved employees may sue for damages, as well as statutorily limited punitive damages and attorneys’ fees. This is a tricky situation that requires careful balancing of competing interests.
As to privacy of patron information, again, existing state or local privacy laws may apply. Whether and to what extent states impose privacy requirements with regard to patron medical information varies widely from state to state. For example, Colorado’s current data privacy law—which will remain the governing law until the recently enacted Colorado Privacy Act takes effect in 2023—requires in certain circumstances that, in the event “medical information” about Colorado residents is exposed as part of a security breach of computerized data, the affected persons be notified, as well as potentially the Colorado Attorney General. That is, a Colorado business that retains electronic copies of patron vaccine cards may be required to issue notifications to affected patrons if that business suffers a data breach.
On the other hand, businesses operating in states that have attempted to ban any inquiries into patron vaccine status, such as Florida, should stay up to date on the legal status of such bans and remain mindful of them.
Storage and Retention of Vaccination Data: Employers collecting vaccination information should also consider whether state privacy laws impose requirements on the storage and retention of medical information of employees. Indeed, the SF Order explicitly requires that employers maintain records of staff vaccination or exemption status and provide these records to public health authorities upon request, consistent with applicable privacy laws. The CMIA requires that employers establish appropriate procedures to ensure the confidentiality of employee medical information and to protect that information from unauthorized use and disclosure. The Denver Order similarly requires affected employers to maintain records of personnel vaccination, which employers must make available to the public health authority upon request. While current Colorado law does not impose storage or retention requirements specific to employee medical information, to the extent the vaccination status information is combined with one or more elements of “personal identifying information”—which is defined by Colorado statute to include individual identification numbers such as a social security number or employer identification number—Colorado laws governing storage and retention of personal identifying information may apply.
Takeaways: Verification of vaccination status, coupled with existing state privacy laws, may create a difficult landscape for employers. Businesses must walk a tightrope in obtaining enough employee or patron information to, for instance, satisfy public health agency mandates, while limiting the information obtained and the use of such information to minimize potential liability. Businesses should also, to the extent possible, consider notifying employees and patrons of the reasons any information is retained and with whom it may be shared, as well as limiting internal access to that information.
Businesses should work closely with their HR and legal team in developing their strategy for complying with privacy and other applicable laws in implementing vaccination inquiry policies.