On 18 May 2021, Santa Clara County in California's Bay Area issued a new COVID-19 order and related directives addressing relatively mundane topics like workplace occupancy levels, face covering requirements, and workplace rules for unvaccinated personnel. The new Order also does something significantly less mundane; it requires covered employers to ask all employees, contractors and volunteers who work onsite to disclose if they have been vaccinated against COVID-19.

The Santa Clara Order may be the first government order in the U.S. to require employers to ask worksite personnel for their vaccine status. Just as the CDC’s unexpected relaxation of mask rules for vaccinated persons led to a mad dash by employers to adjust their policies, this new vaccination mandate undoubtedly will cause more than a few HR sleepless nights.

Details of the Order

• The new Order specifically requires employers to determine the vaccine status of all onsite personnel within 14 days (by 1 June 2021).
• The County posted a template that employers can use to have employees "self-certify" their vaccination status. Employers also can accept copies of vaccine cards (or other official documents confirming vaccination status) as proof. 
• Employees may decline to provide their vaccine information, but if they do so, they must be treated as if they are unvaccinated. Employers are not required to determine the vaccination status of offsite personnel, but they are “strongly encouraged” to do so.
• The County originally issued FAQs to assist employers with compliance with the new Order on May 17, 2021, and supplemented those FAQs soon thereafter. (The original FAQs are reprinted in our blog post here.) However, it is not as simple as having all employees fill out a template survey. Privacy concerns abound when it comes to collecting, storing, and accessing the employee vaccination information.

How to Navigate the Privacy Concerns

At the federal level and in some states, including California, employers can ask for proof of vaccination without running afoul of the ADA, Title VII, or state disability / religious discrimination statutes. This is because asking for proof of vaccination is neither a disability-related inquiry nor a medical exam under the ADA, Title VII or similar state laws. See Section K (“Vaccinations”) of the EEOC’s COVID-19 publication “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws” and California’s Department of Fair Employment and Housing’s publication “DFEH Employment Information on COVID-19.”

However, vaccination records are medical records that are subject to ADA and state law confidentiality requirements. The ADA requires employers to treat any medical information obtained from employees, even if voluntarily disclosed, as a confidential medical record. Employers may share such information only in limited circumstances with supervisors, managers, first aid and safety personnel, and government officials investigating compliance with the ADA. 42 U.S.C. §§12112(d)(3)(B), (4)(C)(1994); 29 C.F.R. §1630.14(b)(1)(1998). Whether an employee is vaccinated or not constitutes health and medical information under federal and state data privacy laws, must be kept securely and separate from employee personnel files, and may be subject to additional notice and consent requirements.

Santa Clara County employers collecting completed self-certification forms or other proof of vaccination should exercise caution with regard to how and where the forms are stored, and who has access to them, to avoid potential privacy law. 

We recommend the following steps:

• Ensure only company medical or HR personnel receive and maintain completed self-certification forms and vaccination records. 
• Keep vaccination records out of personnel files and in a secured, confidential medical file created for each employee.
• Access should be only on a “need to know” basis. Medical records may be shared with supervisors when the records are necessary for the performance of the job, but as a general matter, supervisory access to medical records should be limited.
• Maintain vaccination records for at least a year, but check federal, state and local requirements. The FAQs for the Santa Clara Order require employers to maintain records to “demonstrate compliance” with the Order’s requirement, presumably while the Order remains in effect. That is likely to be less than the ADA recordkeeping requirement, however, which requires records to be kept one year from the date of making the record or the personnel action involved with the record, whichever occurs later.
• To comply with the California Confidentiality of Medical Information Act (CMIA), which prohibits employers from coercing employees to share medical information with others, obtain the employees’ written authorization (within statutory requirements for font size and content) before sharing the collected vaccination data, including with the County or other government agencies. The FAQs for the Order state that employers do not have to provide the collected vaccine information to the County, but then contradictorily state “Generally, employee vaccination information is treated as confidential, but can be shared in certain instances. For example, an employer may be asked to demonstrate compliance with the requirement related to employee vaccination status if the County receives information suggesting that the employer has not complied.  The State Occupational Safety and Health Administration (Cal/OSHA) may also request documentation from an employer demonstrating that they have complied with all of the requirements specific to employees who are vaccinated versus unvaccinated, and knowing which employees are vaccinated will allow employers to comply with those requirements.”

The Santa Clara County Order and self-certification template and FAQs confirm that employees may decline to reveal whether they are vaccinated. Therefore, any employee who discloses vaccination status arguably has consented to the employer’s use and disclosure of the medical information. Yet, the CMIA might prohibit employers from sharing vaccine information with the government or private parties without the employee’s written consent. Employees, however, might argue that if vaccination status is used to differentiate between employees in terms of job assignments, travel restrictions, career opportunities, or other “privileges” of employment, disclosure of the employees' vaccination status will effectively be coerced by the economic pressure to be vaccinated. 

Does HIPAA Apply? 

HIPAA medical information restrictions should not apply when an employer obtains vaccination information directly from employees outside the context of any healthcare or health insurance context. The Order’s FAQs confirm this general principle, stating “HIPAA applies to certain entities, such as healthcare providers and health plans, and what protected health information they can share about their patients or members under what circumstances.  HIPAA does not govern what information employers may request from their employees.”

Some employers are covered entities under HIPAA, however, and even non-covered entities theoretically could obtain vaccination information from in-house medical personnel, such as a company nurse who administers the vaccine to employees. If the employer is self-insured for HIPAA purposes or charges the employees' health insurance for the vaccine, HIPAA might apply and restrict the use and disclosure of vaccination information. If HIPAA applies, the employer may need an authorization from the employee to use vaccination information in order to comply with the Orders or disclose the vaccination information to third parties. 

However, if the employer is not involved in providing healthcare and obtains vaccination information directly from an employee on a voluntary basis, HIPAA should not apply.

Options for Complianceand Additional Privacy Concerns

Employers—especially those with many employees—undoubtedly will seek options to help ease the burden of collection. One option is for employers to send the certification form electronically in a manner similar to the way companies send out surveys to obtain data collected by the Office of Federal Contract Compliance Programs (OFCCP) (i.e. race, gender, veteran status), with the same language included on the template form. However, the survey results must be kept secure and separate from other data. 

Companies also could implement an automated collection system that reminds employees to complete the survey, and sends a reminder every two weeks thereafter to employees who were not fully vaccinated or who declined to disclose their vaccination status (such follow up is required in the Order). Interestingly, the Order and FAQs appear to require employers to repeatedly ask employees who decline to disclose their status to complete the template every two weeks until the Order is withdrawn.  Apparently, employees can decline to disclose their status each time they are asked, but employers must ask every two weeks.  This component of the Order may lead to significant employee morale issues, and companies may wish to make clear in their communications that the Order requires them to repeatedly ask the question every two weeks, even if employees repeatedly decline to disclose.

Despite these options, collecting and storing vaccination records electronically remains risky.  Any data breach would trigger notification obligations and potentially expose employers to significant penalties and statutory damages under the California Consumer Privacy Act (to the extent exceptions for HIPAA and CMIA do not apply). Therefore, employers should ensure that vaccination information is stored and transmitted securely in electronic form, with robust encryption in transit and at rest. Employers also should design their vaccination information repository with retention and deletion requirements in mind. Under data privacy laws, the vaccination information must be deleted as soon as it is no longer needed or required to be maintained by law. 

What's next for multijurisdictional employers?

For employers with employees working in multiple counties and states in the US, Santa Clara’s mandate will necessarily raise questions about what they do in other locations vis-à-vis tracking vaccination status. It also begs the question of whether other counties or even states will follow suit. And, when viewed through a global lens, might this be indicative of things to come, or is it just yet another addition to the patchwork of laws, regulations and obligations multinational employers must manage as employees return to work? For help determining how this order or other COVID-19 health and safety mandates affect your business, compliance requirements and best practices around the globe, contact your favorite Baker McKenzie employment attorney.