With 2019 novel coronavirus (COVID-19) vaccines available throughout the U.S., many employers are eager to normalize operations. For business planning purposes, surveying employees regarding their vaccination status may be a helpful tool in understanding if employees are, or plan to become, vaccinated.
If your business is considering surveying employees about their vaccination status, consider these four key legal areas before you act:
Four legal considerations before sending a vaccination status survey
1. Federal guidance from the EEOC
In December 2020, the U.S. Equal Employment Opportunity Commission (EEOC) issued guidance addressing vaccination status surveys from a federal law, and specifically an Americans with Disabilities Act (ADA), perspective. The EEOC stated that employers may generally inquire whether employees are vaccinated and ask for proof of vaccination without running afoul of the ADA. However, the EEOC cautioned that inquiring why an employee chooses not to get a vaccine could uncover underlying medical conditions that require accommodations. Employer knowledge of underlying medical conditions could also increase the risk of a disability discrimination claim if the employee later experiences an adverse employment action.
2. State omnibus data privacy laws
Omnibus data privacy laws broadly govern the collection and disclosure of personal data. The California Consumer Privacy Act (CCPA) is the original and only effective example in the U.S. as of this writing, but these statutes are growing in popularity. In fact, Virginia has enacted a data privacy law that becomes effective on Jan. 1, 2023, and similar statutes sit on legislative dockets in other states.
While California is the only state with an omnibus data privacy law impacting vaccine data collecting procedures today, employers should be aware of pending legislation in states where they operate as future omnibus privacy laws are inevitable.
3. State data security and data breach laws
Some states have adopted data security laws, which govern the securitization of “personal information.” These laws generally come in one of two forms:
- Laws that require employers to “take reasonable steps” to secure “personal information”
- Laws that create a liability shield in the event of a data breach if the employer stores “personal information” in statutorily prescribed ways
Most states to adopt securitization laws follow the first pattern, while Ohio is the primary example of the second framework. Separately, all states have data breach notification laws. Under these statutes an employer must follow specified notification procedures if “personal information” is exposed by a data breach.
Whether these laws apply to the data employers collect on their employees’ vaccination status depends on how each state defines “personal information” in the applicable statutes. In many states any data containing a name plus health information is considered “personal information” and subject to state data security laws (if applicable) and breach notification laws (always applicable). In some states, however, the statutory definition of “personal information” is more restrictive, and likely does not include data on employees’ vaccination status. In all states, “personal information,” whether it includes or excludes vaccination status data, is defined the same for purposes of data security and data breach notification laws.
In those states where vaccination status data is considered “personal information,” it is crucial employers collecting vaccine data are compliant with storage securitization requirements and aware of their notification responsibilities.
4. New and existing state employment laws
State employment laws also may impose requirements on employers seeking their employees’ vaccination status. These types of laws fall into two categories:
- Pre-existing employment laws that happen to apply to vaccination status data collection or retention
- States considering legislation that restricts private businesses from asking their employees for proof of vaccination or about their vaccination status
In the latter category, Illinois has pending legislation (H.B. 3862) that would prohibit employers from requiring an employee to demonstrate that he or she has received a vaccine. The New York state legislature is also considering a bill (A.B. 4602), which provides “no person shall be required to have, carry or present evidence of having received immunization against COVID-19.”
Four strategies for a successful vaccination status survey
Before surveying employees regarding vaccination status, it is advisable to:
- Work with counsel to verify which, if any, state data privacy laws or data security/notification laws you must comply with. You should also check if vaccination status data constitutes “personal information” under any applicable laws and is therefore subject to them. If so, ensure you are fully compliant before collecting any vaccination status information.
- Prepare to store the vaccination status data as you would Social Security Numbers, driver’s license numbers or other personally identifying information, unless there is a compelling reason not to.
- Ensure your survey avoids inquiring further if an employee says they are not getting the vaccine. Doing so may trigger accommodation requirements under the ADA.
- Keep an eye on enacted and pending legislation, such as the bills in Illinois and New York.
Key takeaways for employers
The debates and legislation surrounding COVID-19 and COVID-19 vaccines are dynamic and fast-moving. Employers must therefore keep abreast of pending legislation in all the states in which they operate. It is best to contact experienced counsel before distributing a vaccination status questionnaire or similar survey to your employee base.
For more information on this topic, or to learn how Godfrey & Kahn can help, contact a member of our team.