Employers have been anxiously waiting for the EEOC to publish its guidance for employers on incentives offered to employees in exchange for getting vaccinated against COVID-19. Late last week, the EEOC finally released that guidance. The issue is whether the incentive renders the vaccine coerced and therefore non-voluntary, which would be unlawful under the ADA and GINA.
What did the EEOC say:
An employer may offer an incentive to employees to voluntarily provide documentation or other confirmation that they received a vaccination on their own.
An employer may offer an incentive to employees for voluntarily receiving a vaccination administered by the employer or its agent as long as the incentive is not so substantial as to be coercive, and as long as the employer does not acquire genetic information while administering the vaccines. The EEOC does not offer any guidance as to what “so substantial as to be coercive” means, but it’s safe to assume that the incentives employers are offering (a day or two of added PTO, payments or gift cards up to a couple hundred dollars) will not meet this standards and are safe. And when states are offering the vaccinated the chance to win a million dollarsâŚ
An employer may not offer any incentives to an employee in exchange for a family member’s receipt of a vaccination from the employer or its agent, as such incentive would necessarily require the disclosure of the family medical history of the employee, which would violate GINA.
An employer may offer vaccinations to an employee’s family members if those vaccines are voluntary, employees are not penalized if their family members are not vaccinated, and all medical information obtained from family members during the pre-vaccine screening process is only used for the purpose of providing the vaccination, is kept confidential, and is not provided to any managers, supervisors, or others who make employment decisions for the employees.
Employers may (and I’ll add, should) provide employees and their family members with information to educate them about COVID-19 vaccines and raise awareness about the benefits of vaccination.
This guidance is not earth-shattering or surprising. With more than 50 percent of the country having received at least one dose of the COVID-19 vaccine, it provides confirmation and legal comfort to those employers that have already offered such incentives. It also follows an important governmental trend we’ve recently seen across agenciesâthe adoption of policies intended to incentivize people to get vaccinated. Whether its PTO for vaccines, the CDC’s new mask rules, or OSHA reversing course and eliminating its prior guidance that required the reporting of adverse reactions to employer-mandated vaccines, the federal government is actively breaking down barriers that discourage or disincentivize employees from getting vaccinated.
With only 40.7 percent of the country fully vaccinated, we are a long way from the number needed to reach the all-important herd immunity, if we ever get there. While it feels like life is starting to return to normal, the COVID-19 pandemic is not over yet. Do your part and get your shot. And, if you’re an employer looking to get as many of your employees vaccinated as possible, you can rest easier knowing that the EEOC will not penalize you for offering vaccine incentives to your employees.
The CDC released guidance permitting large employers to establish temporary sites to vaccinate employees.
The CDC on March 16 said that employers should consider opting for an on-site vaccination program if they have a large number of employees with predictable schedules and enough space to set up a pop-up clinic while still allowing for COVID-appropriate social distancing.
Employers should consider pushing employees to off-site vaccination clinics if they have a smaller number of employees, employees with flexible or non-predictable schedules, mobile employees who don’t have one worksite, or employees who’d prefer not to have their employer administer their vaccine.
Employers who choose to set up a vaccination site still must follow the EEOC’s guidelines on managing vaccines under the ADA, Title VII, and GINA (which I summarized here).
Bravo to the CDC for implementing policies to encourage as many employees to get shots in their arms as quickly as possible. It’s the only way we are going to stay ahead of the more contagious (and perhaps more deadly) variants and beat this pandemic. To this end, I highly recommend that you check out the CDC’s COVID-19 Vaccine Communication Toolkit for Essential Workers, in addition to these 5 tips on building vaccine confidence in your workplace:
Encourage your leaders to be vaccine champions. These leaders should reflect the diversity of the workforce. Invite them to share with staff their personal reasons for getting vaccinated and remind staff why itâs important to be vaccinated.
Create a communication plan. Share key messages with staff through breakroom posters, emails, and other channels. Emphasize the benefits of protecting themselves, their families, co-workers, and community. This fact sheet is available in numerous languages.
Make visible the decision to get vaccinated and celebrate it! Provide stickers for workers to wear after vaccination and encourage them to post selfies on social media.
Now please do your family, friends, coworkers, me, and society in general a huge favor and get vaccinated as soon as your state allows you to do so. We are all counting on you.
Yesterday, the EEOC published its guidance on the COVID-19 vaccine under the ADA and GINA, in the form of nine Q&As. You can read them in their totality here.
The TL;DR: yes, you can force employees to receive the COVID-19 vaccine as a condition of employment (although the should is an entirely different issue), subject to limits on reasonable accommodations for employees’ disabilities and sincerely held religious practices or beliefs and subject to limits on pre-vaccination medical questions.
That’s more or less aligned with everyone’s collective conventional wisdom on this issue. What is new in this guidance is the agency’s position on what to do with employees who refuse the vaccine for medical or religious reasons.
If an employer requires vaccinations when they are available, and an employee indicates that he or she is unable to receive a COVID-19 vaccination because of a disability, the employer must accommodate that request unless the employer can show that “an unvaccinated employee would pose a direct threat due to a ‘significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation’ ⌠with a “determination that an unvaccinated individual will expose others to the virus at the worksite.” Even then, an “employer cannot exclude the employee from the workplaceâor take any other actionâunless there is no way to provide a reasonable accommodation ⌠that would eliminate or reduce this risk so the unvaccinated employee does not pose a direct threat.” Moreover, a direct threat determination and an exclusion of an unvaccinated employee from the workplace does not necessarily equate to termination. An employer must in this case consider alternative accommodations, including remote work or an unpaid leave of absence.
Sincerely held religious practices or beliefs present a different problem for employees since Title VII does not offer a similar direct threat defense to an accommodation request. According to the EEOC, “If an employee cannot get vaccinated for COVID-19 because of a disability or sincerely held religious belief, practice, or observance, and there is no reasonable accommodation possible, then it would be lawful for the employer to exclude the employee from the workplace.” As is the case under the ADA, however, this lawful exclusion does not necessarily equate to termination, and alternative accommodations should be considered.
The bottom line for employers? The COVID-19 vaccine is here and will be available within months for your employees. Now is the time to figure out how you will handle it for your employees. Will you require it or recommend it? Will you offer it on-site or send employees elsewhere for the vaccine? What will you do when an employee objects for medical or religious reasons? Planning is everything, and with an issue this important there is no reason to be caught unprepared.
Can you “point” an employee under a no-fault attendance policy for a coronavirus-related absence? For example, an employee sick with COVID-19 or awaiting test results, quarantined because of an exposure, or at home because a child needs care?
For the uninitiated, no-fault attendance policies operate by having workers accumulate “points” for missing work, arriving late or other attendance-related issues; after the accumulation of a pre-determined number of “points,” employees face discipline or even termination.
During the ongoing COVID-19 pandemic, these policies are not only unnecessarily cruel, but they also might be illegal.
Generally speaking, if a law protects the absence (i.e., the FMLA or the ADA), then it is unlawful under such law to assign a point under an attendance policy for the absence. While there have not been any such cases decided under the FFCRA, one can safely assume the same logic applies. Thus, for employers with less than 500 employees, it would be illegal to assign no-fault points for absences related to:
A federal, state, or local quarantine or isolation order related to COVID-19;
Self-quarantine or isolation related to COVID-19 based on the advice of a health care provider;
The seeking a medical diagnosis for COVID-19 after experiencing symptoms;
The caring for an individual subject to an order described in (1) or isolation/quarantine as described in (2); and
The care for one’s child whose school or place of care is closed (or child care provider is unavailable) due to COVID-19.
Even if the FFCRA does not protect an employee’s absence an employer must still consider whether some other law, such as the FMLA, ADA, or GINA, offers similar protection.
In other words, pointing employees for COVID-related absences is fraught with risk. It’s also unnecessarily cruel. We are all trying to do our part to halt the spread of this rapidly accelerating virus. This including isolating, quarantining, and taking care of others who are at risk or unable to care for themselves. This pandemic needs compassion and flexibility, not strict adherence to rigid policies.
People share their experiences with depression on Twitter to show support for the mental health community. They join private Facebook groups to discuss similar health issues, without realizing that a âprivateâ online group does not actually offer privacy protections. Companies encourage employees to be open about their health in an effort to create a âculture of health.â And employees join âHIPAA-compliant” wellness programs without realizing that the health data they log in various apps may not be protected by any law if the program is voluntary.Â
When the Health Insurance Portability and Accountability Act was enacted in 1996, todayâs vast digital space didnât exist. Even if organizations comply with HIPAA, the Genetic Information Nondiscrimination Act and other laws that protect health-related data, that doesnât necessarily mean the data is protected in many contexts. There are gaps that have yet to be legally addressed. Meanwhile, employees increasingly share health information on digital health apps or online.
A vast amount of employee data is not legally protected. As collectors of employee data, employers should be aware of the health data privacy landscape and the concerns employees may have.
âAs much as it pains me to say, [data privacy] is probably nobody’s top priority,â said data privacy attorney Joseph Jerome. âIt only becomes their priority when something goes wrong or they get concerned or they hear something in the news.â
Employers in the U.S. and internationally have increasingly more data privacy regulations to pay attention to â as laws like the General Data Protection Regulation in the European Union and the California Consumer Privacy Act and Illinois Biometric Privacy Act in the U.S. move the data privacy legal environment forward. In this constantly changing world, thereâs information that can help organizations navigate this complicated intersection more intelligently.Â
There is a lack of understanding of what HIPAA protections apply where, when and to what data, Jerome said. At its core, HIPAA was enacted to facilitate the portability and interoperability of health care records, not for any greater data privacy reason. âWe act like this is a health data privacy law, but no. Itâs designed to govern data in hospital systems,â he said.
Employers want to learn increasingly more data about their employees, he said. They have the opportunity to do so through commercial apps that capture wellness and fitness data. âThese are things that people perceive as health data, but theyâre not covered by HIPAA, and they were never designed to be covered by HIPAA,â he said. Â
HIPAA â and therefore what data is considered health information â is limited to covered entities like hospital systems and doctorsâ offices. For example, within a health system, a patientâs email address is considered health information under HIPAA, but outside the health system, an email address is not considered health information and does not get HIPAA protection.
HIPAA also doesnât apply to anonymized data â the data remaining after being stripped of personally identifiable information from data sets, so that the people whom the data describe remain anonymous.
Further, anonymous data is fair game, legally. âThere is no regulation of âanonymizedâ data. It can be sold to anyone and used for any purpose.The theory is that once the data has been scrubbed, it cannot be used to identify an individual and is therefore safe for sale, analysis and use,â noted âRe-Identification of âAnonymizedâ Data,â a 2017 Georgetown Law Technology Review article.
A concern here is that anonymous data can be easily re-identified, and itâs tough to hold bad actors accountable for doing so, Jerome said. Further, itâs hard to do anything about it once the data is already identified and public information. Unfortunately, there are realistically not enough reinforcement resources, he added. Â
âThat’s a real problem right now, not just in health care or employment context, but you’ve got this giant ecosystem where a lot of companies are sharing information and they’re all saying they’re good actors, they’re all saying they’re not re-identifying information, they’re all saying they’re not even using personal information,â he said. âBut there’s data leakage all over the place. People are recombining profiles, and it’s very hard to attribute where the information originally came from.â
According to the Georgetown Law Technology Review article, the re-identification of anonymous data can lead to sensitive or embarrassing health information being linked to oneâs employer, spouse or community. âWithout regulation of re-identified anonymized data, employers, neighbors, and blackmailers have an unprecedented window into an individualâs most private information,â the article said. One of the privacy concerns some people have about their health data is that it could eventually be used against them and that they could suffer real-world implications like the loss of job opportunities, the denial of insurance or higher premiums for insurance.Â
The idea behind employee wellness programs is supposed to be a win-win, said Anya Prince, associate professor of law and member of the University of Iowa Genetics Cluster. Employees get healthier, and employers get lower health care costs and a more productive workforce.Â
But wellness programs are often not effective at changing employee health, she said.Â
âIf the premise is we’re doing this to benefit employees [but] there’s not actually evidence that it’s benefiting employees, the question then becomes why are [wellness programs] continuing to happen?â she said. âThe evidence shows that what theyâre doing is shifting health care costs back on to employees in various ways. That’s where the concern comes in.âÂ
Digital health apps on employeesâ phones play a part in many workplace wellness programs. But even though third-party health apps are common on peopleâs phones, the privacy landscape behind these apps is murky at best.Â
âSome of the medical apps are just completely bogus and donât give you anything helpful back,â Prince said about the general health data privacy environment. âBut they are collecting data on you, not just health information but geolocation and other data thatâs worth money.âÂ
Another trend in wellness programs is employers offering employees consumer-directed genetic tests to help them understand what medical issues they may be predisposed to and what preventative measures they can take to combat them. According to the Society for Human Resource Management, 18 percent of employers provided a health-related genetic testing benefit in 2018, up from 12 percent in 2016.
Many studies have shown that people are not aware of the Genetic Information Nondiscrimination Act or what privacy protections they have through the law, Prince said. âGINA is quite protective in employment in the sense that employers are not allowed to use genetic information to discriminate, so they can’t make hiring, firing, promotion, wage, any decisions based on genetic information,â she said, adding that genetic information includes family medical history, genetic test results and more.
Still, she said, there are some exceptions with GINA, including private employers with fewer than 15 employees and any employee in a voluntary wellness program.Â
There is currently a legal debate on whether wellness programs are voluntary or if employees feel coerced to join them, Prince said. Some wellness programs are participatory â meaning that employees donât need to hit a certain health outcome target to earn the incentive â but others are health contingent. Employees need to lose some amount of weight or accomplish another target measurement to get the financial benefits of the wellness program.
These programs are more participatory currently, she said. But if programs that collect genetic information become health contingent, that could bring up ethical issues and become more invasive.Â
âIf you think of [Breast Cancer gene] testing, which is a predisposition to breast and ovarian cancer, one of the preventive measures right now is to prophylactically remove your breast and ovaries. My dystopian future is the employer saying, âHave you finished having kids yet? Get on that, so that you can remove your ovaries,ââ she said. Â
This discussion begs the question of who is ultimately the best actor to push people toward better behaviors and health outcomes, she said. Society has to ask if employment is the best place to do this.Â
âIn a way the answer is yes because we’ve created a system where health insurance and employment are so intertwined, but maybe employment isn’t the right space to be encouraging people to make the right health choices,â she said. âMaybe that should be a public health system or your primary care physician or researchers.âÂ
The Pentagon has advised service members not to engage in 23andMe genetic tests, said Glenn Cohen, professor of law at Harvard Law School, and faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics.Â
Thereâs a major national security reason for this, he said, but part of the reasoning also has to do with protecting service membersâ privacy. The military is exempted from GINA, which is the law which prohibiting genetic discrimination by employers.Â
Employers could communicate with employees better, Jerome said. Privacy is more than just legal compliance, which may include a disclaimer in the company handbook or on the employeesâ computers that inform them âAll this can be tracked and monitored.â This can help set up the expectation for employees that they should have no expectation of privacy in anything they do at work.Â
While most employers have done their legal duty, theyâve yet to have a conversation with employees about what theyâre actually doing with this data, Jerome said.Â
âI get that those conversations can be difficult and uncomfortable and frankly might get employees riled up, but I think that’s probably a good thing in the end,â he said.Â
Employers â who sit on large troves of employee health data â may have the legal right to share data, but that doesnât mean employees and other parties wonât criticize them, said Cohen. âThey have to be worried a little bit about how it’s going to play as a PR matter and, in an industry where they’re competing for talent, how employees feel about [it],â he said.Â
When Ascension Health partnered with Google for the âProject Nightingaleâ initiative late last year â allowing the tech company access to the detailed personal health information of millions of Americans â it received a lot of backlash. It could be dangerous for an organization like Google, which already has so much of peopleâs personal data, to get access to peopleâs health records as well, critics argued. Supporters said it was perfectly legal.
âMy recommendation in general is even if you legally have the right to share the data, you may want to think about creating some internal governance mechanisms that have employees involved in trying to decide what gets shared or not,â Cohen said.Â
Practically, this could mean that the organization charters a committee that includes employers, employees and subject matter experts who can explain both the uses and the risks of adopting a certain solution, he said.
This could be a valuable decision for employers because better decisions get made and itâs better for the employer’s reputation, he said. When people find out a company has sold its employees data, it could look bad if there hasnât been employee input in the decision.Â
For most organizations dealing with health data and other personal data, their reputation is based on how they treat that data, said Ed Oleksiak, senior vice president at insurance brokerage Holmes Murphy. A data breach or misuse of data would be bad press, so the company would be incentivized to protect that data and ensure itâs used properly
When there is a health data mishap, there are a couple ways that organizations can address that breach of trust, he said. Organizations can provide impacted employees some kind of identity theft protection that will help them mitigate any harm. Further, the company is required to address whatever has resulted in the breach and do whatever it can to make sure it canât happen again in the future.Â
âWhether it’s the employer’s health plan, a hospital system, or a technology provider, everybody’s reputation is contingent on successfully mitigating that,â Oleksiak said. âYou just have to start over again, and try to fill that cup of trust back up.âÂ
Oleksiak also suggested that employers follow a key tenet of only getting and storing the minimum necessary data. Even though people involved with employee health plans most likely want to use patient data for the right reasons, people who can hack into these systems can access everything, including more unnecessary data.Â
Ultimately, this is an issue of balance. According to the aforementioned Georgetown Law Technology Review âRe-Identification of âAnonymizedâ Data,â âdata utility and individual privacy are on opposite ends of the spectrum. The more scrubbed the data is, the less useful it is.âÂ
Still, there are positive things companies can do with this data, Oleksiak said. No matter what privacy rules and regulations are put in place, a bad actor is going to find a way to do something that’s for their own benefit.
âHopefully we write rules that go after people that abused their position or access to data, but still allow everybody else that’s doing it for the right reasons to get the job done,â he said.
Sherryl Darby has the BRCA1 gene, otherwise known as the breast cancer gene, the best known gene associated with breast-cancer risk. Approximately two months after she started working as an administrative assistant at Childvine, an early childcare provider, Darby opted to have a double mastectomy to decrease her risk of developing breast cancer in the future. Two weeks later, Childvine fired her.
Despite the close-in-time link between Darbyâs surgery and her termination, the district court dismissed her ADA lawsuit.
While ânormal cell growthâ is a major life activity the ADA protects, the court could not find that the BRCA1 gene is a physical impairment that substantially limits normal cell growth.
Although mindful that the ADA is to be broadly construed, the Court concludes that Plaintiff fails to state a claim upon which relief can be granted. Plaintiff has offered no statutory, regulatory, or caselaw support for her âlegal conclusion couched as a factual allegationâ that the BRCA1 gene, like cancer itself, is a physical impairment that substantially limits normal cell growth. And the Courtâs own research has found none.
It is true that the Sixth Circuit has held that some conditions, even when dormant, may constitute a physical impairment.⌠But this is not a circumstance akin to remission of cancer. Rather, it is, presently, the absence of cancer.
The Courtâs decision should not be read to trivialize Plaintiffâs legitimate fear of developing breast cancer or minimize the transformative measures she took to avoid it. It merely recognizes that this Courtâs role is to interpret, not legislate. To expand the definition of physical impairment to include a condition that might lead to a disability in the future effectively puts every employee under ADAAA protection.
Whatever issues I have issues with this decision (and I have some big ones) could have been cured by pleading this case differently. I question why Darby pleaded her protected disability as an actual disability instead of a regarded as disability. I think she would have a had a much better chance at surviving dismissal if she framed her claim as one in which her employer terminated her based in its perception of her having a disability (which does not require any proof of any actual disability) instead of any actual disability itself.
Moreover, in many cases its largely irrelevant whether the ADA covers a dormant genetic disorder because another statute already doesâGINA, the Genetic Information Nondiscrimination Act. GINA prevents employers from using genetic information in employment decisions. GINA likely wouldnât have helped Sherryl Darby, because it does not appear the issue of her having the BRCA1 gene arose until her lawsuit (and long after her termination).
This case will be often be cited for the proposition that the law does not protect an employeeâs dormant genetic condition. While that is true based on how Darby pleaded her claims in this case, employers should not treat Darby as a license to discriminate, as doing so will likely violate both the ADA and GINA in many cases.
Employers want to learn increasingly more data about their employees, he said. They have the opportunity to do so through commercial apps that capture wellness and fitness data. âThese are things that people perceive as health data, but theyâre not covered by HIPAA, and they were never designed to be covered by HIPAA,â he said.  
Sherryl Darby has the BRCA1 gene, otherwise known as the breast cancer gene, the best known gene associated with breast-cancer risk. Approximately two months after she started working as an administrative assistant at Childvine, an early childcare provider, Darby opted to have a double mastectomy to decrease her risk of developing breast cancer in the future. Two weeks later, Childvine fired her.