With states opening back up after the seemingly endless COVID-19 pandemic, businesses are beginning to transition back from the home office to the work office. While the federal government’s Occupational Safety and Health Administration (OSHA) has not released guidance on whether and how employers should handle verifying their employees’ vaccination status (although the federal government requires on-duty employees to comply with Center for Disease Control guidelines), many states have enacted their own laws or executive orders related to requiring vaccinations and proof of vaccination. And, similar to breach notification laws and other privacy legislation, the obligations on businesses vary widely from state to state.
At the time of writing, 14 states had implemented COVID workplace safety standards, many of which include available options for employers to allow workers to return to the workplace without wearing masks. While some states require companies to have a vaccine verification process in place before allowing unmasked workers, other states, like Alabama and Florida, have gone the other way and explicitly told businesses that they cannot require proof of vaccination. For businesses operating in multiple states, this can be a challenging line to walk.
To illustrate the challenges this varied guidance brings to businesses, we’ll look more closely at the guidance coming from neighboring states Washington and Oregon.
If employers in Washington choose to allow fully vaccinated employees to be unmasked in the workplace, they must have a process to verify vaccination status and be able to demonstrate that they have made this verification. The Washington State Department of Labor recently updated their “Stay Safe-Stay Healthy” Directive to include various examples that employers may look to when determining what verification process to use as well as what options they have to demonstrate this verification.
The verification process may consist of creating a log of the names of fully vaccinated employees; checking vaccination status each day as employees enter a jobsite; marking an employee’s badge or other individually identified item to indicate their fully vaccinated status; or documenting an employee’s attestation of vaccination. Acceptable forms that can be used to demonstrate verification of vaccination status include the CDC vaccination card; a photo of the CDC vaccination card as a separate document; a photo of the employee’s vaccination card stored on a phone or electronic device; documentation of vaccination from a health care provider or state immunization information system record; or a hard copy or electronically signed self-attestation from the employee.
If employers choose to retain a copy of the card, they must treat that card the same way as they would treat a medical record.
In Oregon, employers don’t have nearly as many options. Currently, people who are fully vaccinated can choose to not wear a mask or social distance, so long as they can prove their status. Under the interim guidance (last updated 5/18/2021), “proof of vaccination status” requires the name, date of birth, the type of vaccination and dates received, and where the vaccination was given. While a copy of the CDC vaccination card satisfies the requirements, the information must be provided. Employers still must make accommodations for employees who cannot get a vaccine (for example, in the case of allergies). However, employers and business owners can waive the current mask and social distancing guidance only if the business has a policy for checking for proof of vaccination status, requests such proof, and reviews the document before beginning work. In effect, employers will have to verify each employee’s vaccination status before allowing them to proceed unmasked and not enforce social distancing.
Importantly, this guidance doesn’t only apply to employees but to anyone coming into the business. This means that businesses could potentially collect personal information, notably, healthcare information, of any number of people. On the other hand, it seems that businesses may not be following this guidance anyway.
The Challenge for Businesses
A Rockefeller Foundation and Arizona State University survey of more than 1,300 medium and large companies in the United States and Britain found that more than half said they would require employees to show proof of vaccination. For these companies, new COVID standards create additional obligations in the way of privacy and data protection.
Businesses with operations in multiple states or countries will be especially impacted as they will need to pay close attention to each region’s workplace protection regulations. Even where there are no specific rules, though, the common principles of privacy and data protection should be applied. Here are a few things you should be thinking about:
- Notice: If you are collecting COVID vaccine verification, it’s important that you appropriately notify employees and others about the collection, including how the information will be used, who will have access to it, and how long it will be retained.
- Internal policies: Adding a new processing activity to your business means you need to ensure that your policies and other privacy program documents are updated to account for this new information.
- Retention: It’s important to understand whether and for how long you should retain records on COVID vaccination status. First, look to the applicable standards for guidance and understand whether you need to collect and retain it at all — data minimization may be the way to go here where the only information retained is that a check was successfully completed.
- Information Security: As mentioned, Oregon has requirements on how to handle and protect vaccination documentation; however, even without stated rules, it is important that businesses appropriately protect this information.