Many employers have been reluctant to impose workplace vaccination mandates while the Covid-19 shots cleared in the U.S. retain emergency use status.
But that could change in the coming months once the vaccines get full regulatory approval. Pfizer Inc. applied to the Food and Drug Administration in early May, and Moderna Inc. announced on June 1 that it’s begun the submission process. Some lawyers predict an uptick in employer mandates if and when the FDA grants their requests.
Employers generally have the legal authority to mandate vaccination, yet that free hand comes with obligations related to protecting the records of worker inoculations.
1. How should employers store vaccine records?
Documentation of an employee’s vaccination status is subject to the confidentiality requirements of the Americans with Disabilities Act, according to the Equal Employment Opportunity Commission, which enforces civil rights laws. That means vaccination status must be kept apart from a worker’s personnel file and held in a separate medical file with other confidential information, such as doctors’ notes and health test results.
Private employers are required to keep personnel and other employment records for at least one year after they’re created and, in the case of a termination, at least a year after the firing. That mandate may also apply to medical records.
2. Do they need to document side effects?
Not for the time being. The Occupational Safety and Health Administration said last month that employers don’t have to record adverse reactions from Covid-19 vaccines on their logs for workplace injuries and illnesses through May 2022, when it will re-evaluate the issue.
OSHA had previously said adverse reactions from employer-mandated jabs must be recorded under its injury record-keeping rule if they met the other criteria of that rule. But the agency said it shifted positions because it didn’t want to discourage employer efforts to get their workers vaccinated.
VIDEO: We answer the question on the minds of CEOs, in-house lawyers, and rank and file employees - can employers make their employees take the vaccine?
3. What happens if the records are breached?
An employer could face ADA confidentiality claims, depending on the nature of the breach. Workers alleging unlawful disclosure of ADA-protected information can seek compensatory and punitive damages, which are capped according to the size of the company and max out at $300,000 for the largest firms.
All 50 states have data breach notification laws, but the definition of protected information—which triggers the notice requirements—varies by jurisdiction. Some states explicitly include medical information, such as history and diagnosis. It’s not entirely clear whether vaccine-related information qualifies under each statute.
Many states require reporting to individuals, such as via letter, between 30 and 60 days after identifying a breach, and some also require notification to the attorney general.
4. What should companies keep in mind?
Minimizing the amount of employee information they retain can help reduce potential legal exposure in the event of a breach. They should ask themselves: Is it really necessary for the company’s purposes to collect or maintain the data?
Businesses could alternatively use less demanding vaccine policies, such as an honor code, to get a sense of whether employees have been vaccinated. The longer a company maintains a record, even if there are no statutory retention restrictions, the longer it’s exposed to potential liability in the event that data is lost or stolen.
To Learn More:
—From Bloomberg Law:
—From Bloomberg News: