In addition to the issue of mandated COVID-19 vaccine policies, employers must also manage the related privacy risks. Below are some of the frequently asked questions surrounding the issues of employee privacy as it relates to the COVID-19 vaccine. We also have a downloadable version of our privacy FAQs.
Question: Does it matter what type of information the company asks employees to provide to confirm their vaccine status?
Answer: Absolutely. Asking employees to confirm yes/no information seeks different information than, for example, requesting a copy of the employee’s vaccination card or more detailed records (such as lab results confirming presence of antibodies from a medical provider). Companies should be mindful of what information they are requesting because the inquiry might trigger heightened data-privacy and document-retention requirements. Companies should request only the information they require to confirm the vaccination status of the employee and should not collect any other information that is not necessary for that purpose. Companies should also be mindful of the privacy, security and other legal requirements involved in communicating with employees about any requested exception to a mandatory vaccine program based on a medical condition. The interactive process would likely include asking employees disability-related questions—and potentially questions implicating genetic nondiscrimination and health-data privacy laws (such as GINA or HIPAA).
Question: Our company plans to require employees to provide proof of their vaccine status by emailing human resources a copy of their vaccine card. Does this present any data-privacy concerns?
Answer: There are several issues to consider. How secure is your company’s email system? Can employees access their work email on their phones? If so, are there password and other security measures in place to prevent unauthorized access to that information? What does HR plan to do with the information once it receives it? Will it be printed out and stored in a paper file? Does the company plan to insert that information into the employee’s personnel file and/or HR database? Who would have access to that information? If the company plans on storing the data electronically, does the company have sole possession, custody and control of the servers where the data will be stored? If so, the company may want to confirm where those servers are physically located, and whether any state or local laws of that jurisdiction impose additional data-privacy, data-security and breach-notification requirements.
It’s worth noting here that HIPAA does not typically apply to the relationship between an employer and its employees. That being said, employers should still follow best practices and remain sensitive to the fact that they requesting and maintaining potentially sensitive employee health data. Additionally, if an employer performs services that are regulated under HIPAA, employees could be due additional protections. In this set of circumstances, an employer could be maintaining different data sets about an employee – of which one is regulated under HIPAA, and the other is not.
Continue Reading FAQs on US employee privacy issues related to the COVID-19 vaccine