In addition to the issue of mandated COVID-19 vaccine policies, employers must also manage the related privacy risks. Below are some of the frequently asked questions surrounding the issues of employee privacy as it relates to the COVID-19 vaccine. We also have a downloadable version of our privacy FAQs.
Question: Does it matter what type of information the company asks employees to provide to confirm their vaccine status?
Answer: Absolutely. Asking employees to confirm yes/no information seeks different information than, for example, requesting a copy of the employee’s vaccination card or more detailed records (such as lab results confirming presence of antibodies from a medical provider). Companies should be mindful of what information they are requesting because the inquiry might trigger heightened data-privacy and document-retention requirements. Companies should request only the information they require to confirm the vaccination status of the employee and should not collect any other information that is not necessary for that purpose. Companies should also be mindful of the privacy, security and other legal requirements involved in communicating with employees about any requested exception to a mandatory vaccine program based on a medical condition. The interactive process would likely include asking employees disability-related questions—and potentially questions implicating genetic nondiscrimination and health-data privacy laws (such as GINA or HIPAA).
Question: Our company plans to require employees to provide proof of their vaccine status by emailing human resources a copy of their vaccine card. Does this present any data-privacy concerns?
Answer: There are several issues to consider. How secure is your company’s email system? Can employees access their work email on their phones? If so, are there password and other security measures in place to prevent unauthorized access to that information? What does HR plan to do with the information once it receives it? Will it be printed out and stored in a paper file? Does the company plan to insert that information into the employee’s personnel file and/or HR database? Who would have access to that information? If the company plans on storing the data electronically, does the company have sole possession, custody and control of the servers where the data will be stored? If so, the company may want to confirm where those servers are physically located, and whether any state or local laws of that jurisdiction impose additional data-privacy, data-security and breach-notification requirements.
It’s worth noting here that HIPAA does not typically apply to the relationship between an employer and its employees. That being said, employers should still follow best practices and remain sensitive to the fact that they are requesting and maintaining potentially sensitive employee health data. Additionally, if an employer performs services that are regulated under HIPAA, employees could be due additional protections. In this set of circumstances, an employer could be maintaining different data sets about an employee, one of which is regulated under HIPAA and the other is not.
Question: Our company plans to hire a third-party vendor to create a portal where information about vaccine status can be uploaded and stored. Does that present any additional data-privacy concerns?
Answer: Potentially. The company should confirm where the vendor’s servers are located, and in which jurisdiction(s) the information may be transferred or stored. The company will also want to make sure the vendor has sufficient data-privacy, data-security and document-retention protocols in place. At a minimum, the company should enter into a formal agreement with the vendor that delineates the vendor’s obligations and limitations regarding the personal information that is exchanged, prescribes liability, and contains the appropriate provisions to comply with applicable laws in the jurisdictions at issue. Also, double-check whether the company or any of its employees are located in jurisdictions that would require an employee’s consent before such information can be transmitted to a third party. The agreement should also address what happens to the information if the business relationship ends; namely, would the data be returned to the company, or would the vendor have to help migrate the data to another vendor?
Question: What if an employee has lost their vaccine card and asks their medical provider to send the vaccine-status information to HR directly?
Answer: That might implicate HIPAA. To that end, the employee should sign a HIPAA authorization permitting the employee’s medical provider to communicate directly with HR. This can be avoided, however, by requiring the employee to transmit the vaccine card to HR directly (once received from the medical provider).
Question: Our company’s normal practice is to retain employee email accounts for 60 days after an individual’s employment ends. Will the company need to revise its data-retention policies if the company plans on having employees email HR copies of their vaccine cards?
Answer: Probably. The duration depends on the jurisdiction. Emails regarding vaccine status contain personal and sensitive information, which ordinarily would not be contained in run-of-the-mill work emails. Some states, like California, generally require employers to maintain personnel files and similar employee information for a period of three years.