GDPR: Is Your Covid-19 Vaccination Status Private Anymore?
by Sid Dutta, March 27, 2022

The world has been dealing with the COVID-19 pandemic for two years now, and its effects have impacted us widely. Economics, health, relationships—almost every aspect of our lives has changed. We have seen lockdowns, business closures, hospitalizations and deaths, mask mandates, work-from-home, and—most anticipated, at least for most people—the stunningly rapid development of the vaccines that have provided some relief.

There have also been many instances of resistance and protests against mandates to wear masks in public places. Anti-vaccine ideologies long predate COVID, so unsurprisingly, we have also seen campaigns against taking coronavirus vaccines. In many democracies, defined rights mean people have the freedom to choose what is best for them, and can thus decline to get vaccinated because of sincerely held religious beliefs, or because of health reasons such as pregnancy or a disability. Without getting into or attempting to trigger any sort of discussion on that divisive topic, I want to draw attention to a derivative issue making headlines: vaccination status disclosure.

As of January 2022, about 60% of the world’s population has been vaccinated. While that represents a huge number of people—over 4.7 billion—it is insufficient to provide the desired “herd immunity”, especially with variants like Omicron evolving. As the corporate world looks toward reopening, many companies want to prioritize the health and well-being of their employees, and are thus encouraging vaccination; however, such steps are not always well received. For example, while most major Wall Street firms and other corporations have told some unvaccinated employees to work from home, allowing only vaccinated employees to enter office premises, none has yet gone as far as sacking staff.
But CNN has reported that Citigroup staff in the United States who were not vaccinated against Covid-19 by January 14, 2022 would be placed on unpaid leave, and then fired at the end of the month unless granted an exemption. These decisions are coming as the industry grapples with how to bring workers back to offices safely and get back to business as usual at a time when the highly infectious Omicron coronavirus variant is spreading like wildfire.

On the other side, companies like Cisco require COVID-19 shots for all U.S. staff—even remote workers. Unvaccinated employees must take unpaid leave, during which they may be fired or their jobs eliminated, says The Register. Cisco representatives have explained that the policy is prompted by President Biden’s executive order “ensuring adequate COVID safety protocols for federal contractors.” It requires suppliers to the U.S. government, such as Cisco, to ensure staff are vaccinated against COVID-19. While various court challenges could alter or reverse this directive, many businesses have embraced it as an opportunity to implement their own mandate on the grounds that their customers include the U.S. government. A handful of other major U.S. companies have introduced “no-jab, no-job” policies, including Google and United Airlines, with varying degrees of stringency.

We are all aware of, and have witnessed, how vaccination reports are mandatory to board a plane, enter a restaurant, check into a hotel, or enter a stadium to watch an event. Those requirements have stirred the pot; but when extended to employability, we can expect even more pushback. Even when vaccination is not an employability criterion, some companies have vaccine mandates for employees who work in an office location. Remote or virtual employees are typically exempted, although vaccination is still required if they travel for business, attend conferences, or meet customers or coworkers face-to-face.
It is clear that vaccination status is increasingly becoming a data element that must be shared, verified, scrutinized, processed, and updated on a recurring basis, and stored broadly and beyond the perimeters and realms of Protected Health Information (PHI).

Per the U.S. Department of Health & Human Services, HIPAA does not prohibit or prevent:

- businesses or individuals from asking whether customers or clients have received COVID-19 vaccines
- customers or clients from disclosing whether they have received COVID-19 vaccines
- employers from requiring their workforce to disclose whether they have received COVID-19 vaccines—whether to the employer, clients, or other parties
- covered entities or business associates from requiring workforce members to disclose to their employers or other parties whether they have received COVID-19 vaccines

Vaccination status is not a protected category under federal or most state anti-discrimination laws. However, Montana recently became the first state to ban workplace discrimination based on immunization status, and some other states are considering legislation that would do the same. GovDocs reports that Montana’s law means employers may not discriminate against, refuse to employ, or bar an individual from employment based on whether the individual has been vaccinated or holds an immunity passport. Specifically, it prohibits employers from requiring employees to receive “any vaccine whose use is allowed under an emergency use authorization.” “Vaccination status” is defined under their law as “an indication of whether a person has received one or more doses of a vaccine.” It is unclear how the full approval—removing the “emergency use authorization” status—of both the Moderna and Pfizer vaccines will affect the Montana law.
If these moves turn into federal or state laws—if vaccination status, and its proof, becomes a pre-requisite for someone to get hired or retain their employment—then not only will it become challenging for someone to hold on to ideologies against vaccination, but employers will also face discrimination lawsuits from such employees.

PHI (protected health information) is any health information that can be tied to an individual. This is only important for organizations in industries covered by HIPAA privacy and security rules. HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. PII (personally identifiable information) is any data that could potentially identify a specific individual—regardless of whether it is used for healthcare purposes.

Privacy laws and regulations that deal with personal information typically do not distinguish PHI from PII, but will most likely have to start to do so if businesses are going to use the vaccination status of an individual as a pre-requisite for getting or retaining employment. Obtaining consent from the data subjects—one of the rights of the data subjects under various privacy regulations—to collect their vaccination status, and subsequently to store, protect, process, share it, etc., will most likely no longer be necessary for employers.

Until the dust settles on legislation around soliciting, collecting, assessing, and making business decisions involving individuals, employees, customers, associates, et al., vaccination status stands out as an outlier in the human resources policy matrix of privacy, discrimination, health and well-being. So, is vaccine status a new crown jewel of sensitive information (whether in the PHI or PII bucket) that cannot be concealed, given that it will be involved in so many aspects of our lives? This remains to be seen!
Thoughts, viewpoints, and opinions are welcomed.

Sid Dutta is an industry expert and leader in the cybersecurity space, specializing in cloud security and data privacy & protection. Sid comes from the enterprise side and has led cybersecurity risk remediation programs and services globally at various large corporations in the financial services sector for a number of years. He was the Vice President & Global Head of Data Protection & Applied Cryptography at WorldPay/FIS. Prior to that, he also held the position of Director of Information Security at American Express, responsible for end-to-end delivery and operations of data privacy & protection globally. He has held several other leadership positions prior to his tenure in CyberSecurity, and various industry positions as an advisor and board member. He holds multiple patents to his name. Sid is currently employed with CyberRes, a Micro Focus line of business, and heads product management for Data Security solutions, driving product strategies and roadmap, especially focusing on cloud enablement, integrations to various cloud services, Analytics, P2PE, and Data Security-as-a-Service. He currently lives in Cincinnati, OH with his wife and 2 kids. He plays cricket in the Mid-West cricket league and also pursues his passion as a singer.