New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE:  On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collections practices within their organizations.  Evaluating what is being collected, how it is being retained, how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Beckage is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Beckage Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US)  at khilburger@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading initial post regarding The OSHA Rule below.


On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an Interim Final Rules (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated, and if not to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operation, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which have even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day.  The OSHA Rule applies to businesses with 100 or more employees.  To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects to not mandate COVID-19 vaccinations, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and be tested within 7 or fewer days before returning. Employees will have to provide documentation of their test results and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures or mandatory testing if the company does not mandate vaccinations.  These policies must be provided to employees in a language and literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day.  Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA Officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a $13,653 penalty per violation for serious or failure to abate violations and a $13,532 per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy on how to document and implement the mandatory procedures most effectively and efficiently. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary, and in tandem with developing procedures, companies may want to evaluate whether they need to update record retention procedures and determine whether existing data security and privacy protocols are sufficient.  It is also recommended that companies work with legal counsel to review whether and how state laws interplay with the new OSHA requirements.  Many state laws have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Beckage continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Beckage Compliance Team Leads Kara L. Hilburger, Esq., at khilburger@beckage.com or Jordan L. Fischer, Esq., at jfischer@beckage.com call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Leave a Reply

Your email address will not be published. Required fields are marked *