As the COVID-19 vaccine rollout is well under way and employers plan to begin reopening their physical office spaces, they are confronted with a number of questions regarding their employees' privacy protections. Unfortunately, the piecemeal nature of U.S. privacy law means that there is no all-encompassing answer to the questions that will arise. But employers are not completely out of luck: federal regulatory guidance, state laws, and long-established privacy best practices provide a valuable roadmap for navigating the privacy issues that arise in the context of employees' return to their traditional places of work. In that vein, below are answers to many common questions that Venable has received from employers beginning to plan for "the new normal" after the pandemic.
1. Can employers implement COVID-19 screening measures?
Generally, the Americans with Disabilities Act (ADA) prohibits employers from asking their employees disability-related questions or requiring them to undergo medical examinations unless they are job-related and consistent with business necessity. While guidance from the Equal Employment Opportunity Commission (EEOC) permits employers to ask employees if they are experiencing COVID-19 symptoms and to implement other screening measures, any and all information collected this way must be treated as a confidential medical record in compliance with the ADA. Where this information is collected, employers must also be careful to adhere to applicable data breach notification statutes. The information is not, however, “protected health information” under the Health Insurance Portability and Accountability Act as it is being collected by the employer (as opposed to being collected by the employer’s group health plan).
Before subjecting employees to any screening measure, employers should be aware of the measure's limitations, including its effectiveness, accuracy, reliance, and relevance.
Employers should also consider creating a privacy policy that addresses the collection, use, storage, and retention of any data collected from COVID-19 screening measures, in line with privacy and data protection best practices—transparency (including notice, choice, and consent), data minimization (collection and use), security and confidentiality, and limited retention. Employers should consult their attorneys about whether and how to design and implement such a privacy policy.
2. Can employers require employees to be vaccinated against COVID-19?
Employers may require employees to be vaccinated against COVID-19 once it is generally available to the employee population, subject to a few exceptions. Under the ADA, an employee with a disability must be given reasonable accommodations that enable them to perform the essential functions of their job, unless doing so would pose an undue hardship (significant difficulty or expense) to the employer. Some employees may have health conditions that prevent them from getting the COVID-19 vaccine. Examples of reasonable accommodations may be to exempt the employee from the vaccination requirement but to require them to wear personal protective equipment (PPE) while in the workplace or permit them to continue working remotely. In all cases where an employee's disability prevents them from being vaccinated, employers must engage with the employee in the "interactive process" to arrive at a reasonable accommodation.
Similarly, under Title VII of the Civil Rights Act of 1964, an employee whose sincerely held religious belief, practice, or observation prevents them from getting vaccinated must also be provided a reasonable accommodation, unless doing so would pose an undue hardship ("more than de minimis cost") to the employer.
If an employer's employees are represented by a union and accorded the right to collectively bargain under the National Labor Relations Act (NLRA), or analogous state or local ordinances in the case of public sector employers, the employer may have a duty to bargain with the union over the implementation of a mandatory vaccination policy in the absence of existing management rights provisions in the parties' collective bargaining agreement, which are arguably dispositive as to whether the employer can unilaterally implement a mandatory vaccination policy.
Employers may also be further limited by applicable state or local law. Accordingly, employers should consult their attorneys to determine the appropriate course of action.
3. Can employers ask employees for proof of COVID-19 vaccination?
Employers may ask employees for proof that they have received the COVID-19 vaccination, but there are several factors that should be considered if/when doing so.
First, as we have previously discussed, employers should be careful about how they request this information. The ADA, although an anti-discrimination statute, restricts employers from inquiring about employees' medical history and specific medical conditions, and specifies when employers may request medical examinations of their employees. Under EEOC guidance, asking or requiring an employee to show proof of receipt of the vaccine is not itself a disability-related inquiry that implicates the ADA, because it is not likely to elicit information about a disability. However, if an employee has not received the vaccine, follow-up questions, such as why they have not received the vaccine, may elicit disability-related information and must therefore be "job-related and consistent with business necessity." Employers should also warn employees not to provide any disability-related medical information as part of the requested proof to avoid implicating the ADA. Under the ADA, an employer who receives such medical information, regardless of whether it was requested or voluntarily disclosed by the employee, must treat the information as a confidential medical record.
Second, employers collecting employees' vaccination information should be aware of the implications of doing so under state laws regulating the collection, use, and disclosure of employee data. For example, the California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100-1798.199.100, requires employers to provide their California-resident employees with a privacy notice at or before the point of data collection. Id. § 1798.100. California's Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56-56.37, limits the circumstances in which employers may use or disclose employees' "medical information," and further requires employers to "establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information." Id. § 56.20. Additionally, in many states, the unauthorized disclosure of information related to individuals' health triggers data breach notification requirements. See, e.g., Fla. State § 501.171; Tex. Bus. & Com. Code §§ 521.002, 521.053.
Last, even where a request for proof of vaccination does not implicate any specific laws or the law is otherwise silent, employers should look to privacy and data protection fundamentals to guide them as they collect, use, and retain this information.
4. Can employers track employees' locations within the workplace to enforce social distancing policies?
Employers have used a variety of tracking tools to monitor employees' whereabouts, including video monitoring, company-issued badges equipped with GPS or Bluetooth, and cell phone applications. But before implementing such measures, employers need to be aware that an employee's right to privacy in the workplace varies from state to state. For example, California law restricts an employer's ability to track employees' locations without their consent. Employers should also be aware that monitoring employees may implicate privacy tort claims like intrusion upon seclusion, depending on the applicable state law.
Employers who wish to monitor their employees will need to balance legitimate business interests with reasonable employee privacy concerns. Tracking employees outside the workplace is particularly invasive, because it reveals intimate details about the employee's life, such as the doctors they visit, who they eat lunch with, and their hobbies, the collection of which presents opportunities for misuse by other employees who have access to such data. Additionally, tracking employee whereabouts may implicate the NLRA by infringing on the ability to engage in protected concerted activity or by giving rise to an unfair labor practice claim. In planning a monitoring program, employers should consider what legitimate business purposes such monitoring serves, and determine whether there are less invasive ways to achieve similar results.
As discussed above, employers who choose to track employees' locations should ensure that their programs are designed and implemented in line with privacy law's fundamental principles and best practices: transparency, minimization, confidentiality, and limited retention.
Employers should consult their attorneys to ensure that the design and implementation of employee tracking systems comply with applicable law.