Employee Vaccination Mandates Accentuate the Need for HIPAA-compliant File Transfer for HR Professionals
If you are like me, you were hoping at this time last year that things would be essentially back to normal in time for our summer vacations in 2021—if not before. We were all already weary of COVID-19 even then! When various countries began approving vaccines against SARS-CoV-2 last December, many hoped that they would enable a relatively quick end to the pandemic, at least in wealthier countries like the United States and Canada.
But while things are much safer for vaccinated people, the combination of a more contagious variant and lower than anticipated vaccination rates means that the novel coronavirus is still wreaking havoc nearly two years after it was discovered—in both developed and less developed countries. This impacts not only those who choose not to be vaccinated, but also those unable to be vaccinated—for health and religious reasons or age—and those with immune system problems that render vaccines less effective.
To increase the vaccination rate and hasten a return to normal, both the United States and Canada are starting to implement employee vaccination mandates where legally possible. The hope is that vaccination rates will improve before new variants that are more resistant to the current regimen of vaccines develop and spread. But for HR professionals, this brings unique challenges for compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada when it comes to protected health information (PHI).
Federal Vaccine Mandates in the U.S.
News of U.S. federal mandates began with a White House announcement in July of this year that vaccination or weekly testing would be required for civilian employees of the federal government and onsite federal contractors. The military followed soon afterward, with Defense Secretary Lloyd Austin announcing in August that coronavirus shots would be added to the Pentagon’s required immunization list upon full approval of a vaccine by the Food and Drug Administration (FDA). Full approval for the Pfizer-BioNTech vaccine was granted on August 23.
On September 9, 2021, the White House released a newly expanded plan to deal with COVID-19, called “Path Out of the Pandemic.” It instructs the Occupational Safety and Health Administration (OSHA) and the Centers for Medicare and Medicaid Services (CMS) to draft requirements for full vaccination or weekly testing for employees at many private-sector entities. These include organizations in any industry with 100 or more employees, and healthcare institutions that receive Medicare or Medicaid reimbursements regardless of employee count. These organizations will also be required to provide paid time off for employees to receive vaccines and recover from their side effects as needed. OSHA has reportedly prepared its regulation and submitted it to the Office of Management and Budget for final approval, so it could be on the books very soon.
The September directive also expanded the federal vaccine mandate to include all employees of federal contractors (not just those working onsite) and removes weekly testing as an option for federal workers. The Safer Federal Workforce Task Force established a deadline of November 22 for full vaccination. Since one is considered fully vaccinated two weeks after receiving the requisite number of injections, employees must complete their courses by November 8.
Federal Vaccine Requirements in Canada
In Canada, the prime minister’s office recently announced timelines for previously announced vaccine mandates. Federal government employees in the Core Public Administration are required to be vaccinated by October 29. The Canadian Armed Forces and other federal entities are instructed to implement guidelines that mirror those for the core workforce, and these requirements will be issued soon.
In addition to the requirement for government employees, full vaccination will be required of all employees and travelers in the federally regulated transportation sector by October 30. This means that vaccination will be required for all passengers who travel by air, national passenger rail, or cruise ship anywhere in Canada—and for the employees who serve them.
Other Vaccine Mandates
Even before the federal mandates were announced, many state and local governments in the U.S. had acted to mandate vaccines for some or all of their employees, and others have followed suit since then. Some jurisdictions allow regular testing in lieu of vaccination, while others do not. In Canada, most provinces require proof of vaccination for entry into businesses like indoor bars and restaurants, gyms, and performance venues, for employees and customers alike. And some provinces have mandated vaccines for essential workers such as teachers and healthcare professionals.
In addition, many private businesses have instituted policies requiring vaccinations, either for onsite employees or all employees, usually with a daily or weekly testing option. These organizations recognize that the risk posed by unvaccinated members of their workforce is significant. As a result, private-sector mandates likely would have become more commonplace over time, even without the forthcoming OSHA regulation. But the new federal regulations will simplify the patchwork of different requirements while allowing specific employers to go beyond the federal requirements.
The Need for Secure PHI File Sharing
For HR professionals, these new requirements represent a new, complicated, and extremely short-notice compliance regime. While scrambling to create a system to comply with the vaccine mandate as deadlines fast approach, some may not immediately think about the security repercussions—how to provide governance over the captured data and stay compliant with HIPAA and PIPEDA. This can expose their organizations to a risk of expensive noncompliance fines and their employees to a risk of a leak of protected information. The unique nature of the new requirements highlights the need for secure PHI file sharing in the HR context.
The issue is complicated by various factors. First and foremost, vaccine and testing records are covered by existing PHI regulations—including HIPAA and PIPEDA. This means that as organizations gather vaccine records from employees to comply with the new mandate, they must protect them against loss and theft to comply with existing standards—not to mention other risks presented by data loss.
Another complication involves the fact that vaccination content may be collected differently than other employee health information. In the U.S., the only universal means of vaccine verification is the FDA-issued paper cards, and a vast majority of employees will likely submit their information by taking a photo of the card and emailing it or uploading it. For those that submit negative COVID-19 tests on a regular basis, documentation will be even more complex, and systems are largely untested. Canada has a new federal vaccine passport for international travel, but its provinces have a patchwork of methods that vary by province for verification. The bottom line is that PHI must be transmitted using a secure PHI file-share solution.
The Problem: Disparate Content Communication Systems
In many ways, this new compliance mandate is not all that different from past ones. Companies tend to be ill-prepared to secure any newly protected type of personal information—PHI or otherwise. And although organizations had many months to get ready for the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many wound up scrambling at the last minute to comply.
Regardless, this fast-track compliance requirement exposes a risk management gap that exists in almost every organization when it comes to sensitive content communications. A new type of PHI is suddenly required to be documented for all employees. This requires enterprise-level entities—even relatively small ones—to create a streamlined process for employees to transmit the data.
But this secured PHI must move through an application layer that includes collaboration tools, file-sharing solutions, enterprise resource planning (ERP) tools, and more. These disparate content communication systems convey the information to systems of record like the human resources information system (HRIS). But that content is nearly impossible to track—in transit or at rest—which is required by HIPAA and PIPEDA, and essential to passing compliance audits. Worse yet, content communication tools typically do not encrypt the files as they move through the network.
Kiteworks Simplifies Compliance
As many readers of the Security and Compliance Blog know, Kiteworks brings order to this kind of chaos. For this new information collection mandate, it enables organizations to quickly build a secure, streamlined process for collecting and verifying COVID-19 testing and vaccination data from employees with a HIPAA- and PIPEDA-compliant file-share framework.
1. Unified Secure Content Communication
Kiteworks unifies secure content communication technologies and standardizes multiple content audit trails into one centralized system. It enables organizations to develop a user-friendly way for employees to transmit required COVID-19 vaccine and/or testing documentation via mobile device, web interface, or even email attachment. The solution is scalable for all entities, regardless of industry or employee count. By unifying a complicated array of solutions, Kiteworks gives organizations the ability to demonstrate compliance while providing the peace of mind that the data is protected.
2. Tracking of Content
Kiteworks tracks what happens with each COVID-19 vaccination and testing record by logging every action—downloads, uploads, views, sends, and permission changes. This provides full visibility for activity that is virtually untrackable with file sharing and collaboration tools alone. It also helps demonstrate compliance with HIPAA and PIPEDA by keeping track of every event that touches a particular piece of PHI while providing the simple and comprehensive reporting needed to prepare for compliance audits.
3. Controlled Content Access
Setting policies according to role rather than manually configuring each user reduces administration time and ultimately reduces the risk of human error while making compliance documentation easier. Without such controls, there is a risk of accidental exposure of employee records to peers due to missing access controls, or unencrypted attachments sent through email due to missing encryption policies.
4. Secure Vaccination and Test Records
Kiteworks uses a layered defense model to protect content regardless of the source, and whether it is at rest or in motion. Employees can submit their vaccination records from their phones, PCs, or by email. Data is automatically double encrypted with every send, upload, download, and save. And encryption keys are stored in an organization’s private cloud rather than the public cloud.
Takeaways on PHI and Vaccination Mandates
The last thing that HR professionals need is a new, last-minute compliance requirement to deal with! But I am sure they understand why it is time-sensitive and critical for their organizations. Now is the time for them to get their “ducks in a row,” as the requirement will be in place very soon—if it is not already. Organizations that do not take prompt action will face the risk of noncompliance penalties, whether for the vaccine mandate or for HIPAA/PIPEDA.
Manual approaches are simply not workable for a massive new requirement involving all employees. An ad hoc or less automated approach can create operational bottlenecks and expose secured PHI to potential theft by cyber criminals. Kiteworks provides an automated, comprehensive PHI content-sharing approach that is easy for employees, IT administrators, and HR professionals, while keeping workers’ personal information secure.
Bob Ertl is Head of Product Marketing at Kiteworks