Confidentiality, Use, and Disclosure Requirements When Requesting Proof of COVID-19 Vaccination Information for Private Schools
With the recent adoption of amended Cal/OSHA COVID-19 Regulations, and their new allowances for fully vaccinated employees, many private K-12 schools, universities and colleges are considering whether to make any distinction between employees who are fully vaccinated and those who are not, and if so, how to request COVID-19 vaccination information from employees.
Further, in planning for the upcoming school year, many private K-12 schools, universities and colleges are also considering whether, and if so how, to request COVID-19 vaccination information about students. This bulletin highlights these issues.
VACCINATION INFORMATION ABOUT EMPLOYEES
The ADA and the FEHA Permit Employers to Request Employee Vaccination Records/Status
In order to take advantage of the allowances provided under the amended Cal/OSHA COVID-19 Regulations to exempt fully vaccinated employees from certain regulatory requirements, employers must document employees’ vaccination statuses. Under the Americans with Disabilities Act (ADA) and the Fair Employment and Housing Act (FEHA), employers may request or require that employees provide documentation concerning their COVID-19 vaccination status. Such requests are permissible because the requested information relates to the employee’s vaccination status, not a health or medical condition that may qualify as a disability.
Nevertheless, an employer risks turning a lawful request related to the employee’s COVID-19 vaccination status into an unlawful disability-related inquiry if an employer asks follow-up questions that relate to the reasons why an employee is not vaccinated. Such follow-up questions may constitute disability-related inquiries because the questions are likely to elicit information about the employee’s health or medical conditions. Employers must avoid making disability-related inquiries unless the employer can demonstrate that the inquiry is job-related and consistent with business necessity.
The best documentation an employer can request from employees is a copy of the employees’ vaccination card issued by the Centers for Disease Control and Prevention (CDC) because the CDC-issued card provides no other medical information about employees. If an employer chooses to allow employees to provide other documentation, such as medical records, the employer should instruct its employees to redact any information from the documentation that relates to the employees’ health or medical conditions. The employer should then review any documentation it receives from employees to determine whether it contains any information about the employee’s health or medical condition, and the employer should return the documentation to the employee if it does.
Employer Options for Documenting Employee Vaccination Statuses
As a best practice, employers should request a vaccination record provided by either the CDC or the employee’s health care provider, because those vaccination records offer the strongest evidence of an employee’s vaccination status. If vaccination records are not available, an employer may request that the employee attest to or self-certify to their vaccination status. The attestation should be in writing, and it should include the date and the employee’s signature. Liebert Cassidy Whitmore has a model self-attestation form available for purchase.
Confidentiality Requirements for Employee Medical Information
Once an employer obtains documentation concerning an employee’s vaccination status, that information will constitute confidential medical information under both the ADA and the Confidentiality of Medical Information Act (CMIA). Additionally, the amended Cal/OSHA COVID-19 Regulations protect employee medical records and only permit disclosure where expressly permitted or required by law. Employers should note, however, that the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health plans, and healthcare clearinghouses and does not cover or apply to employers with regard to the medical information of their employees in most circumstances.
Employers in possession of confidential medical information about their employees are subject to strict statutory obligations related to the protection and preservation of such information, and those confidentiality obligations apply regardless of whether the information indicates that the employee is vaccinated or unvaccinated.
For example, under the ADA, employers must keep confidential medical information in a medical file that is separate and distinct from the employee’s personnel records. Further, the CMIA requires that employers “establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of [employees’ confidential medical] information,” which “may include, but are not limited to instruction regarding confidentiality of employees and agents handling files containing medical information, and security systems restricting access to files concerning medical information.”
Due to the stringent obligations under both the ADA and the CMIA, employers that request documentation concerning employees’ vaccination status should first establish a medical record/information policy and procedure that:
- Restricts employee access to information about employees’ vaccination status to those employees who need to know the information, such as Human Resources staff and individual employees’ immediate supervisors; and
- Includes other security measures and safeguards to protect such information, such as requiring passcodes to access sensitive files or anonymizing or encrypting employees’ information.
Further, because employees’ vaccination information is confidential medical information, employers must not share with students or parents the fact that certain employees are or are not vaccinated, and can only share this information with School employees who have a legitimate business reason to know the information.
Use and Disclosure of Information Concerning Employee Vaccination Status
In addition to requiring confidentiality, the CMIA also expressly limits how and when the employer may use or disclose confidential medical information. Civil Code section 56.20, subsection (c) provides the general requirement that employers obtain a signed authorization before using or disclosing employees’ medical information, subject to limited exceptions.
A CMIA-compliant authorization must satisfy each of the following requirements: 
- Be handwritten by the employee, or else typed in at least 14-point font;
- Be clearly separate from any other language on the page and be executed by a signature that serves only to execute the authorization;
- Be signed and dated by the employee;
- State the limitations, if any, on the types of medical information to be disclosed;
- State the names or functions of both the person(s) authorized to make disclosures and the persons or entities authorized to receive disclosures of the medical information;
- State a specific date after which the employer may no longer disclose the medical information;
- State the limitations, if any, on the use of the information; and
- Advise the employee that he or she may receive a copy of the authorization.
Employers should request CMIA authorizations to use and disclose vaccinated employees’ vaccination status because the amended Cal/OSHA COVID-19 Regulations differentiate between fully vaccinated employees and others in certain circumstances. The CMIA authorization should request authorization to use and disclose the vaccination information “for legitimate and non-discriminatory business purposes where the information is necessary for the employer to make work-related decisions authorized by, or required for compliance with federal, state, or local laws.” This will allow the employer to use the information in a number of ways, including in order to exempt fully vaccinated employees from certain requirements under the amended Cal/OSHA COVID-19 Regulations, such as the obligation to wear face coverings where and when applicable. At present, however, under current CDPH guidance, face coverings must continue to be worn indoors by all employees, regardless of vaccination status, in K-12 school settings.
Employers must receive CMIA-compliant authorization from the fully vaccinated employee, in addition to documentation concerning their vaccination status or a completed self-attestation form, before allowing the employee to take advantage of the relaxed requirements. Employers should note that a CMIA-compliant authorization form should be completed by the employee regardless of whether they are providing documentation of their vaccination status, such as a CDC-issued card, or a completed self-attestation form. Liebert Cassidy Whitmore has prepared a CMIA-compliant model authorization for employer use.
Managing Employees Who Decline to Provide Documentation Concerning Their Vaccination Status or Refuse to Authorize Use or Disclosure of Vaccination Status or Records
If an employee declines to provide documentation of vaccination status or to sign a CMIA-compliant authorization, the employer must treat that employee as not fully vaccinated, and should treat the employee in the same manner that the employer treats other employees who the employer knows are unvaccinated. For example, if an employer requires employees to be vaccinated before returning to its worksites or facilities, the employer may exclude from those workplaces those employees who decline to provide the requested documentation. Alternatively, if the employer requires unvaccinated employees to report to its worksites or facilities, but requires that such employees use additional Personal Protective Equipment (PPE) while at work or participate in COVID-19 surveillance testing, the employer could reasonably require that employees who decline to provide documentation of their vaccination status also wear such PPE or participate in COVID-19 surveillance testing.
The ADA authorizes employers to establish and enforce a safety-related “qualification standard” that includes a “requirement that an individual shall not pose a direct threat to the health and safety of individuals in the workplace.” If the employer establishes such a standard, it may determine that unvaccinated employees pose a “significant risk of substantial harm to the health or safety of the individuals or others that cannot be eliminated or reduced by a reasonable [workplace] accommodation.” While employers must be mindful to provide reasonable accommodations to employees who cannot be vaccinated due to a qualifying disability or a sincerely held religious belief, employers are not obligated to provide employees an accommodation that would pose a direct threat to the health and safety of the workplace. As such, it may be that certain unvaccinated employees, or employees who refuse to provide their vaccination records or status, cannot be reasonably accommodated at the workplace due to a direct threat to the health and safety of the workplace as a result of their presence there.
Further, while the CMIA expressly prohibits discrimination against employees who refuse to provide authorization, the CMIA also provides that an employee’s refusal to sign an authorization will not “prohibit an employer from taking such action as is necessary in the absence of [such] medical information.” Therefore, the employer may take necessary actions in order to satisfy its other legal obligations, including those provided under the Cal/OSHA COVID-19 Regulations.
In the event that an employee produces a vaccination record to their employer, but declines to authorize the employer’s use of such information for other legitimate and non-discriminatory purposes, the employer should acknowledge and accept the employee’s decision not to provide the employer the additional use authority. However, the employer should consider informing the employee that not providing such authorization will require that the employer treat the employee as not fully vaccinated. As provided above, this would include circumstances where the employer intends to use information about the employee’s vaccination status to exempt the employee from certain regulatory requirements that would otherwise apply.
VACCINATION INFORMATION ABOUT STUDENTS
Given that the California Department of Public Health (CDPH) and some local public health departments have issued mandates and guidance with regard to face coverings, quarantining, and other COVID-19 prevention and mitigation measures that differentiate between vaccinated and unvaccinated individuals, there are legitimate reasons for private K-12 schools, universities, and colleges to collect COVID-19 vaccination documentation from students. Doing so would allow private K-12 schools, universities, and colleges to follow any mandates or guidance that would apply to vaccinated, as opposed to unvaccinated, students. Private K-12 schools should note, however, that at this time all individuals must wear face coverings when indoors at a K-12 school, childcare, and other youth settings regardless of their vaccination status.
In the student context, it is unclear whether the CMIA requires private K-12 schools, universities, and colleges that wish to obtain COVID-19 vaccination information about a student directly from the student or their parents to obtain an authorization consistent with the CMIA.  Given the uncertainty, the fact that private K-12 schools, universities, and colleges will likely be using and disclosing student COVID-19 vaccination information, and the relative ease of obtaining the authorization form at the same time the COVID-19 vaccination information is obtained, we recommend that private K-12 schools, universities, and colleges that wish to obtain COVID-19 vaccination information from students obtain an authorization consistent with the CMIA as well. For private K-12 schools, the CMIA authorization should be signed by the student’s parents and, if the student is age 18 or older, the student. For private colleges and universities, the CMIA authorization should be signed by the student and, if the student is under the age of 18, the student’s parents.
In the student context, a CMIA authorization should largely contain the same types of information required of CMIA authorizations in the employee context. Liebert Cassidy Whitmore has prepared a model CMIA authorization form to collect COVID-19 vaccination information about students, which is available for purchase. Private K-12 schools, universities, and colleges should also store student COVID-19 vaccination documentation in a confidential manner and limit access to such information to only those employees who have a legitimate need to know.
Liebert Cassidy Whitmore attorneys are familiar with the laws implicated and are available to assist employers with specific challenges related to these matters and to provide advice and counsel to employers on these issues and others related to employee vaccination status.
 The amended Cal/OSHA COVID-19 Regulations are available at the following web address: https://www.dir.ca.gov/OSHSB/documents/Jun172021-COVID-19-Prevention-Emergency-txtcourtesy-Readoption.pdf. The amended regulations define “fully vaccinated” to mean “the employer has documented that the person received, at least 14 days prior, either the second dose in a two-dose COVID-19 vaccine series or a single-dose COVID-19 vaccine.” (See 8 C.C.R. § 3205(b)(9).) Importantly, the amended regulatory definition of “fully vaccinated” requires the employer to have documented such status in order to treat the employee as fully vaccinated. The amended Cal/OSHA COVID-19 Regulations allow fully vaccinated employees to go without face coverings (See 8 C.C.R. § 3205 (c)(6)); be excepted from certain COVID-19 testing requirements if asymptomatic (See 8 C.C.R. § 3205 (c)(3)(B)(5)); and be excepted from certain exclusion requirements if asymptomatic (See 8 C.C.R. § 3205 (b)(9)(B)(1).)
 The Centers for Disease Control and Prevention (CDC) defines “fully vaccinated” to mean either two (2) weeks after an individual’s second (2nd) dose in a two-dose vaccination series (e.g., Pfizer/BioNTech or Moderna vaccines) or two (2) weeks after an individual’s single-dose vaccination (e.g., Johnson & Johnson Janssen vaccine).
 Equal Employment Opportunity Commission (EEOC), “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws” (EEOC Guidance), K.4., K.9., https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (Last updated on May 28, 2021).
 Department of Fair Employment and Housing (DFEH) “Employment Information on COVID-19” (DFEH Guidance), p. 10, https://www.dfeh.ca.gov/wp-content/uploads/sites/32/2020/03/DFEH-Employment-Information-on-COVID-19-FAQ_ENG.pdf (Last updated on March 4, 2021).
 Requesting vaccination records from the CDC or an employee’s health care provider is consistent with California Department of Public Health (CDPH) guidance advising employers to do the same. (See CDPH, Vaccine Record Guidelines & Standards (Published on June 14, 2021), https://www.cdph.ca.gov/Programs/CID/DCDC/Pages/COVID-19/Vaccine-Record-Guidelines-Standards.aspx.) It is best practice to request vaccination records from the CDC or an employee’s health care provider, although an employee attestation meets the requirements set by the amended Cal/OSHA Regulations. (See footnote 1 (defining “fully vaccinated”).)
 Civil Code §§ 56, et seq.
 See amended regulation 8 C.C.R. § 3205(c)(3)(C), https://www.dir.ca.gov/OSHSB/documents/Jun172021-COVID-19-Prevention-Emergency-txtcourtesy-Readoption.pdf.
 See 45 C.F.R. §§ 160, 162, 164.
 EEOC Guidance, K.4., https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (Last updated on May 28, 2021).
 29 C.F.R. §§ 1630.14(b)(1)(i)–(iii), (c)(1)(i)–(iii); 29 C.F.R. pt. 1630 app. § 1630.14(b); see also EEOC “Pandemic Preparedness in the Workplace and the Americans with Disabilities Act,” A.2., Footnote 19, https://www.eeoc.gov/laws/guidance/pandemic-preparedness-workplace-and-americans-disabilities-act (Last updated on March 19, 2020).
 Civil Code § 56.20(a).
 See Civil Code § 56.20.
 See Civil Code § 56.21.
 See Proposed Regulations 8 C.C.R. §§ 3205-3205.4, https://www.dir.ca.gov/OSHSB/documents/Jun172021-COVID-19-Prevention-Emergency-txtcourtesy-Readoption.pdf.
 See EEOC Guidance, K.5., https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (Last updated on May 28, 2021).
 The analysis involves two steps: determining if there is a direct threat and, if there is, assessing whether a reasonable accommodation would reduce or eliminate the threat. This requires an individualized assessment of each unvaccinated employee and his or her unique circumstances. Additionally, the employer must consider whether providing a reasonable accommodation, absent undue hardship, would reduce or eliminate the threat. See EEOC Guidance, K.5., https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (Last updated on May 28, 2021).
 See Civil Code § 56.20 (b).
 Civil Code § 56.20 (b).
 Civ. Code, §§ 56.10, 56.11, & 56.13.