Though the vaccination mandate by the Occupational Safety and Health Administration (OSHA) that would’ve required some 80 million workers across the U.S. to be vaccinated or tested weekly was blocked by the Supreme Court, it left the door open for states to pass their own policies. This means states could potentially fall into one of three categories: no restrictions, mandates blocked or mandates enforced.

For companies with employees in multiple states, this will create a new set of challenges to navigate, not to mention privacy risks that most may not be aware of or prepared for. On top of state-imposed policies, a number of companies have already opted to enforce their own vaccine or testing mandates, which means they could be in violation if they operate in a state that has blocked mandates.

Aside from navigating various state regulations, collection of vaccination status and testing results are considered highly sensitive and confidential medical information. This is held to a different privacy standard than other types of employee-related information. Collecting exemption-related personal information could be just as troublesome, as it could disclose things like religious beliefs, disabilities, etc. Companies need to be prepared to securely handle this employee data.

Safeguarding against privacy risk

“OSHA allows states to develop their own workplace health and safety plans, as long as those plans are ‘at least as effective’ as the federal program,” said Michael Hellbusch, Partner at Rutan & Tucker, LLP. “Since the federal rule is stayed, states are free to regulate in this area.”

This has the potential to create a lot of ambiguity for companies with multi-state operations. For instance, the Friday before the oral arguments, the Illinois State Department of Labor issued an emergency rule that would have enforced vaccine mandates for the state’s larger public sector employers. Less than a week later, it was determined Illinois OSHA would stay enforcement of the rule as it monitors federal action. Many predict a number of states will follow a similar “wait-and-see” approach, but it is very difficult to ascertain.

Regardless of what may come at the state level, legal consultants are urging organizations to start preparing now. This will be especially important for those that haven’t previously had to collect this type of information about their employees or that have employees in multiple states.

“As soon as systems move from voluntary to mandatory, it means mandatory use of some kind of vaccine credentialing system will be required, and that is something most organizations don’t have in place and maybe haven’t even thought about yet,” Hellbusch said.

Employers, whether they’re required or choosing to implement a vaccination credential system, must understand the privacy implications and risks of verifying and storing that information, as well as the policies and requirements of each state. Though there has yet to be a recognized standard for verifying status, collecting as little information as possible is always a good practice. But this can still leave organizations vulnerable to break notification risks.

Since this is new territory for most companies, many are simply treating the data as they do other employee information — collecting and storing this information internally or outsourcing to a third-party digital platform. But this data has to be managed differently.

Having employees email their credentials and other information to HR could significantly expose organizations. From a privacy perspective, there are other considerations that must be made:

• Is all of the information collected necessary?
• Does your organization have a data collection alternative to email? 
• If files are retained, who has access to those files?
• If files are stored electronically, where are those servers located?
• Is this documentation maintained separately from other personnel files?
• Is your organization collecting information from an employee in a state that has blocked mandates?

Even for companies using third-party digital platforms and apps, there are some precautions to consider. For example: 

• Who is reviewing this employee information? 
• Who within the company has access to the system?
• How does that platform or app maintain privacy and security? With many of the vaccine credential systems out there, it’s not always clear how privacy is achieved.
• Can the system automatically be activated or deactivated based on the employee’s locale?

Understanding the lifecycle of this data

Companies must have insight into who is on the other end viewing and handling their employees’ personal information. Currently, in most states, there is no formal protection against using vaccination data provided to credentialing systems for the use of commercial marketing or other unauthorized purposes. In August 2021, the World Privacy Forum raised a red flag urging the Centers for Disease Control and Prevention (CDC) to extend the protections that apply to healthcare providers to these systems.

This has yet to be enforced. Thus, it’s mission critical that employers do their due diligence. Understand how this information is being collected, what type of information is being collected, who has access to it and if access can be restricted. Finally, where will this data be stored and for how long? Consider the entire journey of that sensitive information — from the point of collection to where it lives and how it will be removed when it’s no longer needed.

“This is extremely sensitive information, and storing it is going to become a major challenge for most companies, especially since most are not equipped to collect and maintain the data,” said Jeff Sizemore, Chief Governance Officer at Egnyte. “Most haven’t had to deal with this type of medically sensitive information in the history of their operations. There’s a lot more to consider beyond simply collecting this information from a submission form or email.”