Is Your Organization Thinking of Either Administering or Mandating Vaccines? Consider Employee Privacy and Information Security Risks.
Communicators and leaders must address vaccines in the workplace in a way that considers both the range of concerns and viewpoints among employees, as well as the legal and regulatory requirements concerning employee privacy.
The Equal Employment Opportunity Commission (EEOC) confirmed employers can mandate vaccines for their workers, and now organizations face a multitude of decisions, including whether they will issue such a mandate and – if so – how to handle vaccination information. In addition to adhering to guidance from the EEOC, Occupational Safety and Health Administration and local jurisdictions, the following considerations can help you avoid some of the pitfalls of requiring and tracking employee vaccinations, including risks related to privacy, verification, technology and third-party relationships. For most employers, expert guidance across domains will be necessary.
Understand the legal landscape across geographies
Even with affirmative EEOC guidance, the reality of mandating and tracking employee vaccination is more nuanced. Depending on their geographical footprint, employers must comply with a range of regulations, including the U.S. Health Insurance Portability and Accountability Act, the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. Religious protection adds another layer of complexity. Moreover, mandating or administering vaccines may require the disclosure of information protected under the Americans with Disabilities Act. With so many regulations in play, navigating vaccine-mandate decisions will not be a simple activity for employers with a broad geographic footprint.
Utilize authorized third-party vaccination partners
All vaccine providers must follow numerous data reporting directives as well as provide documentation to established medical record systems and immunization registries, such as Immunization Information Systems and the Vaccine Adverse Event Reporting System at the U.S. Department of Health and Human Services. Outside the U.S., provider and data reporting requirements stand to be just as complex, if not more so.
U.S. employers may avoid some of the above-mentioned challenges by using a federally authorized third party, such as a healthcare provider or pharmacy, to administer vaccinations. Doing so, employers can still receive proof employees received the vaccine … without being responsible for handling additional medical information. Employers may also wish to enlist nongovernmental organizations to aid in educating employees about the vaccination process, such as the Immunization Action Coalition or the Institute for Safe Medication Practices in the United States.
Limit what you ask employees
To facilitate verification of vaccination, the Centers for Disease Control and Prevention set out to issue COVID-19 Vaccination Record Cards to be completed by the party administering the vaccine. Although intended to record the type, date and location of vaccination, as well as create a reminder for when to receive additional doses, this documentation is optional. Because providers can document proof of vaccination however they wish, there is a risk this information may be incomplete, or more than the employer should see. Specifically, employers must not ask for any information beyond simple proof of vaccination, as well as ensure that employees do not voluntarily offer such information to their employer. This includes, but is not limited to, why a particular employee may not – or could not – receive the vaccination, or any other personal or health-related information. Whatever information employers do collect should be carefully managed.
Enlisting experts is recommended
If your organization is considering mandating vaccines for employees or administering the doses itself, it’s a good idea to consult with outside counsel including specialized legal, HR and information security (or, as needed, labor relations) to help you navigate the process.
