
A Guide on Employee Vaccine Mandates While Complying With HIPAA


Executive Overview

As part of structured recovery initiatives in response to the COVID-19 pandemic, many businesses around the world must now manage vaccine requirements for their employees. Many of these programs are initiated voluntarily within individual businesses; for other organizations, participation is mandated by federal, state, or local governments. Confirming employee vaccination status, and enabling employees to upload that status easily and securely, involves the communication of sensitive protected health information (PHI)—proof of vaccination, virus test results, medical and religious exemptions—that must be handled in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Public and private sector organizations require a content communications solution that enables employees to securely and easily upload their vaccination cards, COVID-19 test results, and medical and religious exemptions. They need to be able to upload vaccination content via multiple channels—email, web browser, and mobile devices—with capabilities that include email, file sharing, automated file transfer, web forms, and application programming interfaces (APIs). At the same time, employers require comprehensive audit trails on all employee vaccine content activities—download, upload, view, send, and permission change.



More Organizations Are Subject to Vaccine Requirements

Formal COVID-19 vaccination requirements have become a tool for disease control and economic recovery. These mandates are appearing at every level—from individual businesses and institutions within the private sector to local, state, and federal governing bodies. Some, though not all, of these programs offer the option of ongoing testing as an alternative to providing proof of vaccination.

U.S. Private Sector. More than half (57%) of U.S. employers have issued or plan to issue vaccine mandates for their workers.[1] While about one-third (34%) of employees are still working remotely, this is projected to fall to 27% in Q1 2022.[2]

State Workers. Government employees in 19 states are required to be vaccinated.[3]

Healthcare Workers. Currently, 23 states have mandated vaccines for all hospital and healthcare facility staff.[4]

Schools (K-12). To date, 11 states have vaccine requirements for school faculty and staff.[5] Schools in at least 14 states now require eligible students to get COVID shots.[6]

Higher Education. Most U.S. colleges and universities already require on-campus students to be vaccinated against viral diseases like measles, mumps, and rubella. Currently, over 1,000 private and public U.S. higher-ed institutions require the COVID-19 vaccine for residential students. Medical exemptions are guaranteed by law in all states, and religious exemptions, which may be relatively easy to receive, are permitted by most.[7]

New York City. The most populous city in the U.S. recently expanded its COVID-19 mandates by requiring all 184,000 private-sector companies within city limits to make employees show proof of vaccination by December 27, 2021. Many New York-based companies, including several Wall Street banks such as Goldman Sachs, Morgan Stanley, and Citigroup, already require vaccines for anyone coming into their offices.[8]

Federal Contractors and Employees. Federal workers—including those working remotely—must demonstrate full vaccination status unless they have an approved exemption (testing option not included).[9] Employees of federal contractors must also demonstrate vaccination (testing option not included).[10]

Canadian Public Sector and Transportation Sector. All Canadian public sector employees must demonstrate full vaccination; this includes those who work from home and outside of the country.[11] In addition, all employees and travelers in Canada’s transportation sector—air, rail, and cruise—must demonstrate full vaccination.[12]

“In addition to federal, state, and local mandates, the majority of businesses (57%) have implemented or plan to implement vaccine mandates in the near future.”



Managing Vaccine Documentation Carries Risks

Each organization that needs to enforce one of these mandates (across its employees, contractors, partners, staff, students, vendors, visitors, etc.) will have to manage a trove of PHI. This presents numerous challenges:

  • Organizations must build and maintain accurate and updated records of vaccination status, exemptions from vaccination, and COVID-19 testing results for employees, contractors, and others.
  • Employers must secure this information against compromise and theft by both external cyber criminals and insider threats. Vaccination records, test results, and information that might be submitted in a medical exemption request are all protected PHI.
  • Organizations must demonstrate compliance with both the vaccine mandate and information protection provisions in laws like HIPAA in the U.S. or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

Because these requirements are relatively new, many organizations have not had time to plan and execute a data management program that anticipates the complexities of governance and compliance risks. Without an effective and secure system in place, poorly controlled sharing and transfer of PHI can expose these communications to bad actors and create compliance risks.

Organizations must be able to demonstrate that they have the right controls in place by implementing content access and functional rules matched to risk profiles and user roles. Setting policies according to role rather than manually configuring each user reduces administration time and ultimately reduces the risk of human error while making compliance documentation easier. Without such controls, there is a risk of accidental exposure of employee records to peers due to missing access controls, or unencrypted attachments sent through email due to missing encryption policies.

Organizations also need to be able to track PHI by logging every action (e.g., downloads, uploads, views, sends, permission changes). Detailed tracking ensures comprehensive visibility—capabilities that traditional file sharing and collaboration tools alone cannot provide. This feature becomes particularly important for auditing and reporting processes to demonstrate compliance with HIPAA and PIPEDA.

“Vaccine cards, COVID-19 test results, and even religious and medical exemptions all qualify as PHI and must comply with regulations that address their protection.”



HIPAA Penalties

Category 1: The entity was unaware of the violation and could not realistically have avoided it, even had a reasonable amount of care been taken to abide by HIPAA rules. Minimum fine of $100 per violation, up to $50,000. Maximum $25,000 per year.

Category 2: The entity should have been aware of the violation but could not have avoided it even with a reasonable amount of care. Minimum fine of $1,000 per violation, up to $50,000. Maximum $100,000 per year.

Category 3: The violation is a direct result of “willful neglect” of HIPAA rules, in cases where an attempt was made to correct it. Minimum fine of $10,000 per violation, up to $50,000. Maximum $250,000 per year.

Category 4: Willful neglect where no attempt was made to correct the violation. Minimum fine of $50,000 per violation. Maximum $1.5M per year.

PIPEDA Penalties

It is an offence to knowingly contravene PIPEDA’s reporting, notification, and recordkeeping requirements related to breaches of security safeguards—and doing so can lead to fines. The Office of the Privacy Commissioner of Canada (OPC) refers information related to the possible commission of a PIPEDA offence to the Attorney General of Canada, who is responsible for any ultimate prosecution.

If an organization is found to be knowingly in breach of PIPEDA requirements, it can be fined up to $100,000 for each violation.



Choosing a Solution for Vaccine Mandate Compliance

Employees, contractors, and others need multiple channel options for uploading vaccine and test documentation easily and quickly—via mobile devices, web interfaces, or by email. Those required to provide content for the vaccine mandates might photograph their vaccination card from the Centers for Disease Control and Prevention (CDC) with their mobile device and then email, file share, or file transfer it. Alternatively, they might have a vaccination record, passport, QR code in a file, or state-issued documentation on their mobile device or laptop and seek to email, share, or transfer it.

For all of these activities, organizations need an easy way to manage their HIPAA and PIPEDA risks and then demonstrate compliance via audits. On the latter, without the right tools in place, the audit process could become complex and burdensome—wasting precious time and resources while exposing the organization to unnecessary compliance risks.

Unify. Employees need to be able to seamlessly transmit vaccine and test documentation via mobile device, web interface, or email attachment. Once received, organizations must be able to securely manage and store all PHI vaccine-related data. Typically, most organizations have multiple streams for document sharing—including email, file sharing, file transfer, web forms, and APIs. Rather than deploying siloed solutions for each of these, a platform-based approach to file sharing offers a unified system for all associated activities.

Track. A solution’s tracking capabilities should log every action—download, upload, view, send, and permission change. This supports regulatory compliance auditing and reporting requirements.

Control. An effective solution should automatically set access policies according to the user’s role, rather than manually configuring each user. This reduces administration time and helps eliminate opportunities for human errors that may accidentally expose sensitive vaccine-related PHI.

Secure. Finally, it should offer a layered defense model that protects content regardless of its source, whether at rest or in motion. Files should be double encrypted on every send, upload, download, and storage operation.

Figure 1: An effective solution unifies vaccination records communications while providing tracking, control, and security of PHI.



Ensure Regulatory Compliance and Effectively Manage Risks

To help simplify HR support for COVID-19 vaccine requirements, a centralized platform can help organizations quickly deploy the necessary capabilities. When it comes time to evaluate solutions, organizations should keep in mind the following:

  • Employees need multiple channel options—mobile device, web interface, or email—for uploading vaccine and test documentation easily and quickly.
  • Breaches of vaccine and test documentation will result in substantial HIPAA and PIPEDA penalties.
  • Inability to demonstrate protections for vaccine and test data can create HIPAA and PIPEDA compliance risk exposure.
  • Failure to demonstrate compliance with vaccine and test mandates can result in significant penalties.

“Over half of U.S. employers will require employee vaccines, Willis Towers Watson survey finds,” Willis Towers Watson, November 30, 2021.

“State Efforts to Ban or Enforce COVID-19 Vaccine Mandates and Passports,” NASHP, updated December 20, 2021.

Matt Zalaznick, “Vaccine tracker: Schools in 14 states now require students to get COVID shots,” District Administration, November 15, 2021.

“What Colleges Require the COVID-19 Vaccine?” Best Colleges, updated December 17, 2021.

Peter Szekely and Barbara Goldberg, “New York City expands COVID vaccine mandates for children, private sector,” Reuters, December 6, 2021.

Courtney Buble, “Biden Administration Details Who Is Covered By the Federal Employee Vaccine Mandate, Exemptions and Discipline,” Government Executive, September 16, 2021.

Courtney Buble, “Federal Contractors Must Show Proof of COVID-19 Vaccination by December 8,” Government Executive, September 24, 2021.

“COVID-19 vaccination requirement for federal public servants,” Government of Canada, November 30, 2021.

“Mandatory COVID-19 vaccination requirements for federally regulated transportation employees and travellers,” Government of Canada, October 6, 2021.

December 2021