As vaccination rates rise and local governments loosen Covid-19 restrictions on non-essential workers, companies are looking to implement their own strategies for bringing remote workforces back to the office. These return-to-work strategies, however, raise new concerns over issues like masks, physical distancing, and vaccination status. One of the most challenging aspects of returning to the office will be vaccination requirements.
These issues require companies to remain vigilant with rapidly changing federal, state, and local Covid-19 guidance or requirements to remain compliant with relevant employment, health and safety, and privacy laws.
Changing Guidance and Requirements
Federal, state, and local guidance or requirements are constantly changing and should be consulted prior to implementation of company policy changes.
For example, the Equal Employment Opportunity Commission (EEOC) has recently confirmed that employers may require employees to be vaccinated but must offer Title VII compliant religious exemptions in compliance with the Americans with Disabilities Act. Employees with sincerely held religious beliefs or who cannot be vaccinated because of a disability or pregnancy may be entitled to reasonable accommodations. This might include, for example, continued requirements to wear a mask, social distancing, continued remote working, or even requiring periodic Covid-19 testing.
The EEOC, however, has cautioned employers requiring vaccination that “some individuals or demographic groups may face greater barriers to receiving a COVID-19 vaccination,” and, as a result, may be negatively impacted by a vaccination requirement. If that barrier disproportionately impacts a protected class, otherwise lawful practices may give rise to allegations of discriminatory effects in violation of Title VII.
Employers should evaluate the goals of their vaccination programs and consider alternatives, such as a voluntary vaccination program that offers incentives to encourage vaccination. Such incentives are permissible provided that the incentive is not “so substantial as to be coercive.”
On the local level, Santa Clara County, Calif., recently issued a mandatory directive requiring all businesses and governmental entities to determine the vaccination status of all employees, contractors, and volunteers working on site. The order provides for disparate treatment of vaccinated and non-vaccinated personnel. Employees may refuse to provide their vaccination status, but employers are required to treat them as confirmed non-vaccinated personnel.
By contrast, Texas dropped all public masking requirements in March 2021 and recently prohibited local governments, including school districts, from imposing mask requirements. Private businesses, however, can still require customers and employees to wear masks but must provide reasonable accommodations for disabilities. This leaves local employers free to develop their own internal policies within the constraints of federal and state laws.
Privacy & Data Security Essentials
Companies that require proof of vaccination, whether to comply with local requirements or self-imposed company policy, will, depending on the jurisdiction, follow specific privacy requirements to protect the personal information disclosed. This includes disclosing the purpose of the collection; collecting only the essential information necessary for the disclosed purpose; and retaining the information for only as long as necessary.
Employers would also need to ensure limitations on disclosure of personal information. Within the organization, access to personal information should be limited to human resources, management, and possibly security. Disclosure to third parties should occur only when absolutely necessary or required by law.
Along with keeping personnel information secure, hybridized workforces will continue to require employers to be vigilant about their data security practices. Best practices—and sometimes legal obligations—require companies to maintain robust security protocols, including maintaining up-to-date and routinely tested VPNs; leveraging multi-factor user authentication; implementing attack detection and logging; and even employing full disk encryption on end-user devices to prevent loss of sensitive data.
OSHA and Safe Workplace Considerations
Finally, employers have a general obligation to maintain a safe workplace in compliance with OSHA requirements (or state correlative requirements). Best practices suggest employers—especially those that do not require vaccination—implement and maintain contact tracing programs to track positive Covid-19 cases and limit outbreaks in the workplace.
Employers should be wary of third-party applications that may not comply with privacy requirements, and should collect only the minimum and least intrusive information needed to keep employees and customers safe.
Recommendations for Return to Work Strategies
Managing a hybrid workforce will pose new challenges. Companies should consider the following recommendations in developing guidelines:
- Normalize online communications where practical, even for those who are in the office, to help maintain social distance within the office.
- If social distancing policies require reduced numbers in the office, consider rotating workers in teams rather than as individual employees to reduce potential exposure to smaller groups of employees if there is a positive case within the office.
- Consider individual employees’ circumstances and individual reasons for the need to work from home while still ensuring that the policies are fair.
- Allow equal opportunity to work from home regardless of whether a worker has children or other compelling reasons to work from home.
- If following the CDC’s guidance that fully vaccinated individuals do not have to wear masks or social distance in the workplace, train managers and supervisors to avoid asking questions that might uncover information about disabilities or religious beliefs and to remind others that even fully vaccinated employees may feel more comfortable continuing to wear a mask around others.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Matthew R. Baker is a litigation partner at Baker Botts in San Francisco. He focuses his practice on white collar defense and internal investigations. He is well-versed in domestic and international data privacy and information security practices.
Cynthia Cole is deputy corporate department chair, California, located in Baker Botts’ Palo Alto office. Her practice focuses on data privacy and tech transactions for global companies.
Jennifer Trulock is a partner in the Dallas office of Baker Botts and counsels companies on how to manage workplace legal issues, conduct investigations into employee misconduct, and prevent employment lawsuits.
Christina Andersen is a special counsel in the New York office whose practice is focused on advising and representing employers in labor and employment matters, including in corporate transactions, litigation of disputes, and workplace investigations.