How Employers Can Handle Confidentiality and Privacy Concerns Related to Collecting COVID-19 Vaccine Information

Originally published by Fisher Phillips, the GBS & Leavitt Group preferred partner for employment law. Republished with permission.

With many current COVID-19 safety protocols dependent on vaccination status, verification and vaccine mandates continue to raise unique confidentiality and privacy considerations for employers. Here are some important points to keep in mind when tracking, collecting, or disclosing an employee’s vaccination status in certain circumstances.

The Vaccination Inquiry

With the exception of a few jurisdictions that limit your ability to pose vaccine inquiries or seek proof of vaccination, employers are permitted to ask for an employee’s vaccination status or proof of vaccination under federal and state law. And contrary to a popular misconception, HIPAA does not prohibit employers from asking for information about an employee’s vaccine status.

However, employers who ask about an employee’s vaccination status or proof must be careful about delving into an employee’s other health information. For example, simply tracking if an employee was vaccinated or asking to produce a copy of the vaccination card or an attestation with the date(s) the vaccination was administered would not dig too deep. However, asking an employee why they were or were not vaccinated could be a disability-related inquiry, triggering additional obligations.

Proof of Vaccination Status

There is no universal “proof” of vaccination status with the patchwork of federal, state and local COVID-19 and vaccine-related guidance, ordinances, and mandates. Acceptable proof may vary depending on the vaccine mandate or jurisdiction. For example, in California under the Cal/OSHA Emergency Temporary Standards, a self-attestation is sufficient proof of vaccination status. (Also see the Utah OSHA COVID-19 resources page for an example of a state with far less restrictive rules than California. In fact, Utah OSHA has been formally warned by federal OSHA that its COVID-19 state OSHA plan was not as effective as the federal OSHA COVID-19 policies and hence faces revocation of the state OSHA plan; see the GBS prior article on what to do if operating in a state with a state-operated OSHA plan.) However, under the federal contractor mandate and many other vaccine mandates, self-attestation is not an acceptable form of proof.

Vaccine-Related Information and Medical Records

Whether documents are considered medical records and subject to privacy or confidentiality laws generally depends on the federal or state law that contains the restrictions at issue.

Federal Workplace Safety Officials

Under the Occupational Safety and Health Act, medical records include any document regarding an employee’s health status made or maintained by a physician, nurse or health care professional. To many employers’ surprise, such records must be retained for the tenure of the employee – plus 30 years. This includes medical histories, medical examination results and opinions, diagnoses, progress notes and recommendations, first aid records, descriptions of treatments and prescriptions, and employee medical complaints.

Relevant State Laws

Some state laws also define medical records. For example, in Ohio, the definition includes any medical report arising from a physical examination by a health care professional and hospital or laboratory test results from tests required as a condition of employment or as a result of a work injury or illness.

Other jurisdictions have specifically addressed vaccination records and the maintenance of the records. In California, Cal/OSHA has provided guidance that vaccination records created by the employer under the Emergency Temporary Standards need to be maintained for the length of time necessary to establish compliance with the regulation, including during any Cal/OSHA investigation or appeal of a citation. And, to encourage documentation using vaccination records, Cal/OSHA has determined that it would not effectuate the purposes of the Labor Code to subject such records to the 30-year record retention requirements that apply to some medical records.

What Does the EEOC Say?

Per EEOC guidance, employers should treat vaccination records as confidential medical information, maintained confidentially and stored separately from an employee’s personnel file. The EEOC has also provided guidance that the inquiry or request for proof of vaccination itself is not a disability-related inquiry. So, employers who track who is vaccinated or request proof of vaccination must be careful not to delve deeper into an employee’s other health information when making this inquiry or asking for proof.

For example, merely tracking if an employee was vaccinated, asking them to produce a copy of the vaccination card or other proof of vaccination record, or even simply requesting an attestation with the date(s) the vaccination was administered would not itself be considered a disability-related inquiry. However, taking it further and asking an employee why they were or were not vaccinated, for example, could be considered a disability-related inquiry.

Thus, it is recommended to have clear documentation limiting the inquiry or specifically listing the forms of acceptable proof with a clear reminder not to provide any other medical-related information. You should also maintain the vaccine-related information and documentation in a secure and separate location. You should not put it in employees’ existing medical files; instead, keep it separate, similar to I-9 documentation. Finally, you should specifically designate who will collect and enter the data, and review carefully to make sure any data is entered accurately.

Confidentiality and Disclosure of Medical Records and Information

Several laws apply to employers’ handling of employee medical information. With limited exceptions, federal law requires employers to keep confidential any medical information they learn about any applicant or employee. Medical information includes not only a diagnosis or treatments, but also the fact that an individual has requested or is receiving a reasonable accommodation.

Generally, federal law requires that all medical information about a particular employee, including all medical information related to COVID-19, be stored separately from the employee’s personnel file, thus limiting access to this confidential information.

Indeed, according to the EEOC, although the EEO laws do not prevent employers from requiring employees to provide documentation or other confirmation of vaccination, this information must be kept confidential like all other medical information and stored separately from the employee’s personnel files under the ADA. Additionally, several states have laws that specifically address the confidentiality and disclosure of medical records, including prohibiting employers from disclosing employee medical records to third parties without the employee’s written consent, with specific font size and other requirements.

CCPA and CCPA-Like States

Additionally, if the California Consumer Privacy Act (CCPA) or similar law applies to your business, then collecting information from employees about their vaccination status/proof of vaccination may trigger the “notice at collection” requirement. This requirement does not mean you have to provide a different or new CCPA notice every time you ask for or receive this information. If the information is already reflected in the broader notice you must provide to all employees (i.e., the notice that is supposed to inform the employee of all categories of personal information the company collects about or from the employee along with all the business purposes for which the information is used), then an additional or separate notice related to vaccine information will not be needed.

Decline to Disclose Vaccination Status

Employees who refuse to disclose their status should be treated as unvaccinated. Even with a mandatory vaccination policy, you should ensure there is a process in place to address issues of accommodation for employees with protected objections to receiving the vaccination. You should also be sure you are evaluating any state-specific limitations on requiring disclosure of vaccination status prior to moving to discipline or any adverse action.


GBS will continue to monitor vaccine issues, along with our preferred partner for employment law, Fisher Phillips. Be sure you check out our Learning Center for additional articles and information. If you need additional attention from an employment attorney, reach out to your GBS representative and they can connect you with Fisher Phillips to receive our special arrangement.
