In connection with the recent surge in COVID-19 cases caused by the Delta variant, many businesses have begun to require that employees—and sometimes contractors, volunteers and patrons—provide proof of vaccination. This may come in the form of requests for voluntary disclosure, or in connection with employer vaccine policies, or pursuant to newly issued mandates from public health authorities.
Mandatory Disclosures:For example, on Aug. 12, 2021, the San Francisco California Department of Public Health issued sweeping revisions to its Order of the Health Officer No. C19-07y (“SF Order”), mandating that certain businesses, including restaurants and gyms, require staff and patrons to provide proof of full vaccination against COVID-19 (subject to limited exceptions). Such employers are required, by Oct. 13, 2021, to ensure that all staff who routinely work onsite provide proof of full vaccination. Similarly, with its “Key to NYC,” New York City has similarly mandated that certain businesses, including restaurants, gyms and other indoor entertainment and recreational businesses not permit patrons or employees to enter the premises without providing proof of at least one dose of a COVID-19 vaccine; inspections and enforcement will begin Sept. 3, 2021.
As another example, on Aug. 2, 2021, the City and County of Denver issued a public health order (“Denver Order”) requiring that private-sector businesses in certain “high-risk” settings, including but not limited to schools, childcare centers and some health care settings, ensure that all “personnel”—defined to include contractors and volunteers—are fully vaccinated by Sept. 30, 2021. The Denver Order does not specify how “personnel” are to prove vaccination status and does not address any exemptions to the vaccine requirement, however both issues are further addressed in the Vaccination Requirement FAQs. Entities subject to the Denver Order are also required to “maintain corresponding records” of vaccination verification, which the entity must make available to the public health authority upon request.
Voluntary Disclosures:Cal/OSHA’s Emergency Temporary Standards (“ETS”) define “fully vaccinated” to mean “the employer has documented that the person received, at least 14 days prior, either the second dose in a two-dose COVID-19 vaccine series or a single-dose COVID-19 vaccine.” The ETS prescribe varying protocols, exclusion requirements and other standards for fully vaccinated versus non-fully vaccinated employees. And some local public health agencies have conducted on-site visits to ensure that employers have such documentation in place and are applying appropriate protocol levels for fully vaccinated and non-fully vaccinated employees. Many employers are therefore asking employees to voluntarily provide proof of vaccination, with the alternative of being treated as unvaccinated and being subjected to more stringent protocols.
Employer Vaccine Mandates:Some employers already have issued vaccine mandates; many others have been waiting until the FDA issued full approval of one or more COVID-19 vaccines to issue such mandates, which it did with respect to the Pfizer vaccine on Aug. 23. Such policies will necessitate that employees provide evidence of vaccination status or their eligibility for a legally required exemption (i.e., due to a medical condition, disability or sincerely-held religious belief).
Civil Rights Laws: The Equal Employment Opportunity Commission and many state agencies have indicated that an employer merely asking about vaccination status does not, in and of itself, implicate federal such as the Americans with Disabilities Act and the Genetic Information Non-discrimination Act or state laws of similar effect. Those come into play only when, for instance, an employer asks why someone is not vaccinated. Once obtained, though, the vaccination status data is considered confidential medical information and must be handled accordingly.
HIPAA Implications:The good news for businesses requiring proof of vaccination from employees or patrons is that inquiries into vaccination status usually do not implicate the federal Health Insurance Portability and Accountability Act (“HIPAA”) because it does not broadly cover medical information in and of itself. Rather, HIPAA applies only to medical information held by “covered entities”—defined as certain health care providers, health insurance plans and health care clearing houses—and “business associates” that perform services for or on behalf of a covered entity. If a business does not meet the definitions of a “covered entity” or “business associate,” it is not subject to HIPAA.
Privacy Laws: HIPAA aside, businesses seeking to verify vaccination status of employees or patrons—whether voluntarily or pursuant to a government mandate—should consider whether they need to comply with applicable state or local privacy laws in doing so. As to privacy of employee information, for example, the California Confidentiality of Medical Information Act (“CMIA”) bars employers from using or disclosing medical information about employees without having first obtained a signed authorization from the employee. While there are limited exceptions to this law, arguably none of those exceptions directly permit an employer to collect and use vaccination status information for the purposes typically contemplated by, for example, the public health authority mandates. Likewise, employers seeking to use such information to, for instance, designate protocol levels applicable to particular employees (e.g., by differentiated ID cards) may run afoul of privacy laws if proper authorization is not obtained; such differentiation can essentially be considered a “proxy” for the confidential medical information regarding vaccination status. Notably, the CMIA provides for a private right of action, and aggrieved employees may sue for damages, as well as statutorily limited punitive damages and attorneys’ fees. This is a tricky situation that requires careful balancing of competing interests.
As to privacy of patron information, again, existing state or local privacy laws may apply. Whether and to what extent states impose privacy requirements with regard to patron medical information varies widely state to state. For example, Colorado’s current data privacy law—which will remain the governing law until the recently enacted Colorado Privacy Act takes effect in 2023—requires in certain circumstances that in the event “medical information” about Colorado residents is exposed as part of a security breach of computerized data, the affected persons be notified, as well as potentially the Colorado Attorney General. That is, a Colorado business which retains electronic copies of patron vaccine cards may be required to issue notifications to affected patrons if that business suffers a data breach.
On the other hand, businesses operating in states which have attempted to ban any inquiries into patron vaccine status, such as Florida, should stay up to date on the legal status of such bans and remain mindful of them.
Storage and Retention of Vaccination Data:Employers collecting vaccination information should also consider whether state privacy laws impose requirements on the storage and retention of medical information of employees. Indeed, the SF Order explicitly requires that employers maintain records of staff vaccination or exemption status and provide these records to public health authorities upon request, consistent with applicable privacy laws. The CMIA requires that employers establish appropriate procedures to ensure the confidentiality of employee medical information and to protect that information from unauthorized use and disclosure. The Denver Order similarly requires affected employers to maintain records of personnel vaccination, which employers must make available to the public health authority upon request. While current Colorado law does not impose storage or retention requirements specific to employee medical information, to the extent the vaccination status information is combined with one or more elements of “personal identifying information”—which is defined by Colorado statute to include individual identification numbers such as a social security number or employer identification number—Colorado laws governing storage and retention of personal identifying information may apply.
Takeaways:Verification of vaccination status, coupled with existing state privacy laws, may create a difficult landscape for employers. Businesses must walk a tightrope in obtaining enough employee or patron information to, for instance, satisfy public health agency mandates, while limiting the information obtained and the use of such information to minimize potential liability. Businesses should also, to the extent possible, consider notifying employees and patrons of the reasons any information is retained and with whom it may be shared, as well as limiting internal access to that information.
Businesses should work closely with their HR and legal team in developing their strategy for complying with privacy and other applicable laws in implementing vaccination inquiry policies.
In connection with the recent surge in COVID-19 cases caused by the Delta variant, many businesses have begun to require that employees—and sometimes contractors, volunteers and patrons—provide proof of vaccination. This may come in the form of requests for voluntary disclosure, or in connection with employer vaccine policies, or pursuant to newly issued mandates from […]
As you prepare for the upcoming season, checking each piece of equipment and training staff, your personal pre-season checklist needs to be updated: how will you handle an emergency? Each member of your staff must be prepared, trained in First Aid and CPR and know how to respond to a crisis. But are you prepared […]
Although most of us have most likely heard about the Consumer Protection Act (CPA), and may even know parts of it; most us don’t have the time or patience to read almost 100 pages of legislation. We tend to leave this up to our lawyers and the judiciary and, unfortunately, many businesses capitalise on this. Megan Whittingtonhas made a list of some consumer rights scenarios.
You know those annoying advertisement SMSes that you’ve done your best to get rid of? According to section 11 of the Act, they’re not allowed to pester you if you’ve told them to stop; nor are they allowed to contact you on public holidays, Sundays or before 8am/after 8pm. If you’ve asked them to take you of their list or replied with ‘stop’ and you’re still receiving messages; you can make an official complaint with the Provincial Consumer Affairs Office.
Perhaps as you’re shopping for a new fridge, you’re subjected to a particularly anxious-to-sell trainee who guarantees that it has all sorts of wonderful abilities. You cart your new fridge home and find that it’s below average. Luckily, the CPA says that if a product you buy doesn’t have the features that were promised; you’re entitled to a full refund. If the company refuses; they’re in violation of section 41 of the Act.
As you’re reading the Sunday paper, a pamphlet with a fantastic special grabs your attention. Thespecial price is only valid on that day so you leave for the mall immediately. When you arrive at the shop, you’re told that the items on special had sold out within an hour after opening. Good news – section 23 of the Act lets you insist on being able to purchase the item at the special price, or at the very least, have one of their other stores organise the item for you.
You found an old airtime voucher that you purchased over a year ago, but your network provider tells you it’s expired and you can’t use it. Section 63 of the CPA says that if you’ve purchased and not redeemed a prepaid or gift voucher within the last three years; you can insist on getting a new voucher (without paying anything more) or get your money back.
You’ve booked and paid for a transport service. When you arrive, you’re told that the service in question is full due to over-booking and they can no longer accommodate you. This is a huge convenience, but the consolation is that you can insist that they refund you with interest and that they pay for another means of transport, even if it’s with a different company. If they refuse; a threat with making a complaint based on section 47 of the CPA should ruffle their feathers.
If you buy a product that is faulty, use it correctly, and it causes damage to another one of your belongings; you have a claim. For example, you purchase a new cell phone charger, plug it in and connect it to your phone. It malfunctions and causes permanent damage to your phone. You can demand a full refund for the faulty charger and claim damages for the harm done to the phone. If they refuse, they will be in violation of section 55 of the Act.
These are just a few of the ways that the Consumer Protection Act can make a difference in the everyday lives of South African consumers. If you believe that your rights, as a consumer, have been breached then you can make a complaint to the National Consumer Commission here: http://www.nccsa.org.za/complaint/complaint-form.html/.