More Organizations Are Subject to Vaccine Requirements

Formal COVID-19 vaccination requirements have become a tool for disease control and economic recovery. These mandates are appearing at every level—from individual businesses and institutions within the private sector to local, state, and federal governing bodies. Some, though not all, of these programs offer the option of ongoing testing as an alternative to providing proof of vaccination.

U.S. Private Sector. More than half (57%) of U.S. employers have or plan to issue vaccine mandates for their workers.¹ While about one-third (34%) of employees are still working remotely, this is projected to fall to 27% in Q1 2022.²

State Workers. Government employees in 19 states are required to be vaccinated.³

Healthcare Workers. Currently, 23 states have mandated vaccines for all hospital and healthcare facility staff.⁴

Schools (K-12). To date, 11 states have vaccine requirements for school faculty and staff.⁵ Schools in at least 14 states now require eligible students to get COVID shots.⁶

Higher Education. Most U.S. colleges and universities already require on-campus students to be vaccinated against viral diseases like measles, mumps, and rubella. Currently, over 1,000 private and public U.S. higher-ed institutions require the COVID-19 vaccine for residential students. Medical exemptions are guaranteed by law in all states, and religious exemptions, which may be relatively easy to receive, are permitted by most.⁷

New York City. The most populous city in the U.S. recently expanded its COVID-19 mandates by requiring all 184,000 private-sector companies within city limits to make employees show proof of vaccination by December 27, 2021. Many New York-based companies, including several Wall Street banks such as Goldman Sachs, Morgan Stanley, and Citigroup already require vaccines for anyone coming into their offices.⁸

Federal Contractors and Employees. Federal workers—including those working remotely—must demonstrate full vaccination status unless they have an approved exemption (testing option not included).⁹ Employees of federal contractors must also demonstrate vaccination (testing option not included).¹⁰

Canadian Public Sector and Transportation Sector. All Canadian public sector employees must demonstrate full vaccination; includes those who work from home and outside of the country.¹¹ In addition, all employees and travelers in Canada’s transportation sector must demonstrate full vaccination—air, rail, and cruise.¹²

“In addition to federal, state, and local mandates, the majority of businesses (57%) have implemented or plan to implement vaccine mandates in the near future.”

Managing Vaccine Documentation Carries Risks

But for each organization needing to enforce one of these mandates (across their employees, contractors, partners, staff, students, vendors, visitors, etc.), this will require managing a trove of PHI. This presents numerous challenges:

• Organizations must build and maintain accurate and updated records of vaccination status, exemptions from vaccination, and COVID-19 testing results for employees, contractors, and others.
• Employers must secure this information against compromise and theft by both external cyber criminals and insider threats. Vaccination records, test results, and information that might be submitted in a medical exemption request are all protected PHI.
• Organizations must demonstrate compliance with both the vaccine mandate and information protection provisions in laws like HIPAA in the U.S. or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

With the relative newness of these requirements, many organizations have not had time to sufficiently plan and execute a data management program that anticipates the complexities of governance and compliance risks. Without an effective and secure system in place, deficient sharing and transfer of PHI can potentially expose these communications to bad actors as well as compliance risks.

Organizations must be able to demonstrate that they have the right controls in place by implementing content access and functional rules matched to risk profiles and user roles. Setting policies according to role rather than manually configuring each user reduces administration time and ultimately reduces the risk of human error while making compliance documentation easier. Without such controls, there is a risk of accidental exposure of employee records to peers due to missing access controls, or unencrypted attachments sent through email due to missing encryption policies.

Organizations also need to be able to track PHI by logging every action (e.g., downloads, uploads, views, sends, permission changes). Detailed tracking ensures comprehensive visibility—capabilities that traditional file sharing and collaboration tools alone cannot provide. This feature becomes particularly important for auditing and reporting processes to demonstrate compliance with HIPAA and PIPEDA.

“Vaccine cards, COVID-19 test results, and even religious and medical exemptions all qualify as PHI and must comply with regulations that address their protection.”

Choosing a Solution for Vaccine Mandate Compliance

Employees, contractors, and others need multiple channel options for uploading vaccine and test documentation easily and quickly—via mobile devices, web interfaces, or by email. Those required to provide content for the vaccine mandates might photograph their vaccination card from the Centers for Disease Control and Prevention (CDC) with their mobile device and then email, file share, or file transfer it. Alternatively, they might have a vaccination record, passport, QR code in a file, or state-issued documentation on their mobile device or laptop and seek to email, share, or transfer it.

For all of these activities, organizations need an easy way to manage their HIPAA and PIPEDA risks and then demonstrate compliance via audits. On the latter, without the right tools in place, the audit process could become complex and burdensome—wasting precious time and resources while exposing the organization to unnecessary compliance risks.

Unify. Employees need to be able to seamlessly transmit vaccine and test documentation via mobile device, web interface, or email attachment. Once received, organizations must be able to securely manage and store all PHI vaccine-related data. Typically, most organizations have multiple streams for document sharing—including email, file sharing, file transfer, web forms, and APIs. Rather than deploying siloed solutions for each of these, a platform-based approach to file sharing offers a unified system for all associated activities.

Track. A solution’s tracking capabilities should log every action—download, upload, view, send, and permission change. This supports regulatory compliance auditing and reporting requirements.

Control. An effective solution should automatically set access policies according to the user’s role, rather than manually configuring each user. This reduces administration time and helps eliminate opportunities for human errors that may accidentally expose sensitive vaccine-related PHI.

Secure. Finally, it should offer a layered defense model that protects content regardless of the source—whether it is at rest or in motion. Files should be double encrypted with every send, upload, download, and store.

Figure 1: An effective solution unifies vaccination records communications while providing tracking, control, and security of PHI.

Ensure Regulatory Compliance and Effectively Manage Risks

To help simplify HR support for COVID-19 vaccine requirements, a centralized platform can help organizations quickly deploy the necessary capabilities. When it comes time to evaluate solutions, organizations should keep in mind the following:

• Employees need multiple channel options—mobile device, web interface, or email—for uploading vaccine and test documentation easily and quickly.
• Breaches of vaccine and test documentation will result in substantial HIPAA and PIPEDA penalties.
• Inability to demonstrate protections for vaccine and test data can create HIPAA and PIPEDA compliance risk exposure.
• Failure to demonstrate compliance with vaccine and test mandates can result in significant penalties.