Biden Announces Vaccine Mandates For Large Employers, Federal Employees And Contractors, And Health Care Employers
Large Employers Must Ensure Their Employees Are Fully Vaccinated Or Tested Weekly
The United States Department of Labor and Occupational Safety and Health Administration (OSHA) are developing an Emergency Temporary Standard (ETS) requiring that employers with 100 or more employees must ensure their workforce is fully vaccinated or tested at least weekly before coming to work. This rule is expected to be issued in several weeks. It is estimated to impact over 80 million private sector workers.
Requiring Employers to Provide Paid Time Off to Get Vaccinated
To continue efforts to ensure that no employee loses any pay because they get vaccinated, OSHA is developing a rule that will require employers with more than 100 employees to provide paid time off for the time it takes for workers to get vaccinated and to recover if they have post-vaccination side effects. This requirement will be implemented through the ETS.
Federal Employees and Government Contractor Employees Must be Vaccinated
On September 9, 2021, President Biden signed a series of Executive Orders that require all Executive Branch employees to be vaccinated. One of the Executive Orders requires this to be extended to employees of government contractors that conduct business with the federal government. The Safer Federal Workforce Task Force (Task Force) will issue further information on these requirements by September 16, 2021 for Executive Branch employees and September 24, 2021 for federal contractors.
There is no option for weekly testing for those impacted by these Executive Orders. However, it remains clear that disabled employees who cannot safely be vaccinated and those with sincerely held religious beliefs precluding vaccination will need to be accommodated.
The Executive Orders do not specify a vaccination deadline. The Biden administration has indicated that employees will have 75-days in which to become fully vaccinated.
The Department of Defense, Department of Veterans Affairs, Indian Health Service, and the National Institute of Health will implement their previously announced vaccination requirements covering 2.5 million people.
Vaccinations Required for Employees of Hospital and Health Care Settings that Receive Medicare and Medicaid Funds
The Centers for Medicare and Medicaid Services (CMS) is requiring COVID-19 vaccinations for employees in the majority of health care settings that receive Medicaid and Medicare reimbursements. This includes hospitals, dialysis centers, ambulatory surgical facilities and home health agencies. This is in addition to a recent vaccine requirement announced by CMS which applies to nursing home and hospital staff and other settings regulated by CMS, including clinical staff, volunteers, and those not involved in direct patient, resident or client care.
These requirements will apply to approximately 50,000 providers and impact the majority of health care workers in the United States.
Is the Vaccine Mandate Constitutional?
As expected, some pundits have challenged the constitutionality of the vaccine mandate by claiming it infringes on the constitutional right to liberty. A number of leading legal scholars have opined that the mandate will likely pass constitutional muster if challenged in the courts. In a 1905 case, Jacobson v. Massachusetts, the United States Supreme Court upheld the police power of the state to protect public health by requiring mandatory smallpox vaccinations. The Court’s holding seems to be as relevant to early twentieth century smallpox concerns as it is to the COVID-19 pandemic, but others will likely assert otherwise.
Given the Jacobson holding, it seems likely, although not definite, that the current Supreme Court will find the Biden Administration’s vaccine mandates constitutional.
When Will More Information Be Available?
We expect OSHA will issue its ETS in approximately one month. As noted, the Task Force will issue further information by September 16, 2021 for Executive Branch employees and by September 24, 2021 for federal contractors. We expect detailed guidance to be issued by the relevant federal agencies which should clarify the scope and requirements of the vaccine mandates. We also anticipate a number of legal challenges to the enforcement of these mandates.
What Steps Should Employers Take Now?
While we await specific federal agency guidance, we recommend that large employers, government contractors and those who receive Medicaid and Medicare reimbursement evaluate their COVID vaccine policies and prepare to implement (if not already in place) a mandatory vaccination program with safeguards for those employees who cannot be vaccinated due to medical concerns or sincerely held religious beliefs.
Unionized employers should begin negotiations with their Unions as soon as possible to address the impact and implementation of mandatory vaccinations on bargaining unit members.
We are closely monitoring these developments and will issue additional alerts as more details are made available.
Federal Contractors Must Be Vaccinated By Dec. 8
The Biden administration will add clauses to future government contracts mandating inoculations. President Joe Biden signed an executive order on Sept. 9 requiring federal contractors to mandate vaccinations but many federal contractors have awaited formal guidance from the White House before moving forward.
Largest Government Contractors
Some of the nation’s largest government federal contractors include McKesson Corp., Raytheon Technologies, Oshkosh Corp., General Dynamics Corp., BAE Systems, Lockheed Martin, Northrop Grumman, Maximus Inc., Boeing, CACI International, Southwest Valley Constructors, Honeywell International, Leidos and TriWest Healthcare Alliance Corp.
Nov. 22 Deadline for Federal Employees
The Biden administration said earlier this month that most federal employees must be fully vaccinated against COVID-19 no later than Nov. 22. On Sept. 9, Biden signed an executive order requiring most federal employees and federal contractors to get the COVID-19 vaccine, removing the option for them to instead undergo regular testing.
(Reuters) and (SHRM Online)
Steps Private-Sector Employers Can Take
The anticipated emergency temporary standard (ETS) for private-sector employers with at least 100 employees—requiring vaccination or testing—has not yet been released, but employers can take certain steps now to prepare. Employers can start by encouraging all employees to get vaccinated to make compliance easier once the rule goes into effect, said Ashley Brightwell, an attorney with Alston & Bird in Atlanta.
Nonetheless, the federal mandate for certain employers to require workers to be vaccinated against COVID-19 or undergo weekly testing may not increase the number of vaccinated people as much as was hoped. The anticipated ETS for private-sector employers is already facing challenges: religious and
U.S. Federal Contractors Get Guidance On Mandatory Vaccines While Other Private Employers Continue To Wait
Federal contractors and subcontractors in the US now have guidance on mandatory vaccines for employees, while private US employers with 100 or more employees are still waiting for the Occupational Safety and Health Administration (OSHA) to issue an Emergency Temporary Standard (ETS). On September 24, 2021, the Safer Federal Workforce Task Force—the task force created by President Biden to provide workplace guidance to heads of federal agencies during the COVID-19 pandemic—released its COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors (the Guidance). The Guidance primarily addresses vaccination requirements for employees of covered federal contractors, but it also imposes mask and physical distancing requirements for covered contractor worksites (including for employees, visitors and others) and requires contractors to designate a person (or persons) to coordinate COVID-19 workplace safety efforts at their workplaces.
The Director of the Office of the Office of Management and Budget has already determined the Guidance will promote economy and efficiency in federal contracting—making the Guidance effective immediately. Highlights include:
Vaccination and proof
- Contractors must ensure that all covered contractor employees are fully vaccinated for COVID-19 unless the employee is legally entitled to an accommodation for a disability (including medical conditions) or religious belief.
- Covered employees have until December 8, 2021 to be fully vaccinated. After that date, covered employees must be fully vaccinated by the first day of the period of performance on a newly awarded covered contract, and by the first day of the period of performance on an exercised option or extended / renewed contract when the clause has been incorporated into the contract. However, an agency head may approve a 60-day exception for “urgent, mission-critical need” for a covered employee to begin work on a contract or at a worksite before becoming fully vaccinated.
- Covered contractors cannot take their employee’s word for it (no self-attestation). They must review covered employees’ documentation to prove vaccination status.
- Covered contractors must require covered contractor employees to show or provide their employer with one of the following documents: a copy of the record of immunization from a health care provider or pharmacy, a copy of the COVID-19 Vaccination Record Card, a copy of medical records documenting the vaccination, a copy of immunization records from a public health or State immunization information system, or a copy of any other official documentation verifying vaccination with information on the vaccine name, date(s) of administration, and the name of health care professional or clinic site administering vaccine.
- Covered contractors may allow covered contractor employees to show or provide to their employer a digital copy of these vaccination records, including, for example, a digital photograph, scanned image, or PDF of such a record.
- Covered employees who work outside at covered worksites must be fully vaccinated.
- Covered employees who work remotely full time (i.e., from home) still must be vaccinated, but do not need to comply with the mask and distance rules outlined below.
- Employees who have already had COVID-19 must be vaccinated.
Masks and physical distancing
- Covered contractors must ensure that all individuals, including covered contractor employees and visitors, comply with published CDC guidance for masking and physical distancing at a covered contractor workplace.
- In areas of high or substantial community transmission (which is currently most of the US), fully vaccinated people must wear a mask in indoor settings, except for limited exceptions discussed in the Guidance. In areas of low or moderate community transmission, fully vaccinated people do not need to wear a mask. Fully vaccinated individuals do not need to physically distance regardless of the level of transmission in the area.
- Individuals who are not fully vaccinated must wear a mask indoors and in certain outdoor settings (see below) regardless of the level of community transmission in the area. In addition, to the extent practicable, individuals who are not fully vaccinated should maintain a distance of at least six feet from others at all times, including in offices, conference rooms, and all other communal and workspaces.
- Covered contractors must require individuals in covered contractor workplaces who are required to wear a mask to:
- Wear appropriate masks consistently and correctly (over mouth and nose).
- Wear appropriate masks in any common areas or shared workspaces (including open floorplan office space, cubicle embankments, and conference rooms).
- For individuals who are not fully vaccinated, wear a mask in crowded outdoor settings or during outdoor activities that involve sustained close contact with other people who are not fully vaccinated, consistent with CDC guidance.
- At least weekly, covered contractors must check the CDC COVID-19 Data Tracker County View website for community transmission information in all areas where they have a covered contractor workplace to determine proper workplace safety protocols.
- When the level of community transmission in the area of a covered contractor workplace increases from low or moderate to substantial or high, contractors and subcontractors should put in place more protective workplace safety protocols consistent with published guidelines.
- However, when the level of community transmission in the area of a covered contractor workplace is reduced from high or substantial to moderate or low, the level of community transmission must remain at that lower level for at least two consecutive weeks before the covered contractor utilizes those protocols recommended for areas of moderate or low community transmission.
- Covered federal contracts executed after October 15, 2021 must include a clause requiring compliance with the Guidance, including future amendments. For contracts awarded prior to October 15, 2021 where performance is ongoing, the requirements must be incorporated when an option is exercised or an extension is made.
- Covered contractors shall designate a person or persons to coordinate implementation of and compliance with the Guidance and the workplace safety protocols detailed in the Guidance at covered contractor workplaces (including communication of policies and protocols to employees and visitors and ensuring that employees comply with requirements to provide proper vaccination documentation).
The Guidance includes FAQs on vaccination and safety protocols (“How do covered contractors determine vaccination status of visitors to covered contractor workplaces?”); workplaces (“Does this Guidance apply to outdoor contractor or subcontractor workplace locations?”); scope and applicability (“Must the order’s requirements be flowed down to all lower-tier subcontractors and, if so, who is responsible for flowing the clause down?”); and compliance (“What is the prime contractor’s responsibility for verifying that subcontractors are adhering to the mandate?”). These FAQs are in addition to the Task Force’s FAQs for vaccinations (issued September 16, 2021) which includes a specific section on federal contractors and visitors.
Another Privacy Headache For California: Court Of Appeal Ruling Will Slow Down Criminal Background Checks Throughout California
Companies that hire employees and engage independent contractors in California should brace for a significant slowdown in background checks that include criminal record searches in California state courts. This will result from the court of appeal’s opinion in All of Us or None v. Hamrick, which prohibited the Riverside Superior Court from allowing its electronic criminal case index to be searched using an individual’s known date of birth or driver’s license number. Background check companies rely on searching such indexes for most criminal background checks in California state courts. And, while the lawsuit was brought against the Riverside Superior Court only, the court of appeal’s ruling impacts most California state courts, because the court’s ruling was based on a statewide law: California Rules of Court, rule 2.507 (Rule 2.507).
The Court of Appeal’s Opinion
In All of Us or None v. Hamrick, the plaintiffs, including a civil and human rights organization supporting ex-offenders, alleged that Riverside County and its executive officer and clerk allowed users of the Riverside Superior Court’s public website to search the court’s electronic criminal case index by inputting a defendant’s known date of birth and driver’s license number, in violation Rule 2.507. Rule 2.507 specifies the information to be included in and excluded from court calendars, indexes, and registers of actions.
In the trial court, the defendants successfully argued that allowing the public to search the index using an individual’s known date of birth or driver’s license did not run afoul of Rule 2.507, because the index was not making those identifiers available to the general public in the first instance. But the court of appeal rejected that argument, reasoning the text of the rule was not limited to publicly disclosing only information not otherwise known to the person accessing the index. The court also emphasized the purpose of the rule: protecting the privacy interests of those involved in criminal proceedings.
On September 1, 2021, the California Supreme Court declined to review the court of appeal’s opinion.
Takeaways for Employers
Last year, pandemic-related court closures slowed down criminal background checks nationwide. The delay affected hundreds of businesses seeking to hire employees and engage independent contractors. It also interfered with the ability of thousands of job applicants and prospective contractors seeking to start performing work and providing services. The court of appeal’s opinion threatens to be yet another serious setback in California, because most employers rely on background check companies for criminal background checks, and most background check companies rely on index-based searches to source criminal records, including serious felonies (e.g., rape, murder, arson, etc.).
The problem is not going to be easy to overcome. The fair credit reporting laws, such as the federal Fair Credit Reporting Act (FCRA), outright prohibit background check companies from attributing criminal records to an individual based only on a “match” between the individual’s name and the name of the defendant in the criminal case.3 These companies use other “identifiers,” such as the full date of birth, to make reliable matches. As a practical matter, without access to date of birth information, background check companies may not be able to complete some criminal record searches at all.4
Background check industry groups, such as Professional Background Screening Association (PBSA), are mounting a full court press to try to remedy the situation. However, even if a “fix” is possible, it is not likely to be any time soon. Meanwhile, businesses that conduct criminal background checks should consider doing the following:
- Notifying executives and operations of this development for sake of planning and business continuity, especially if the company is required to conduct criminal background checks by law or contractual agreement;
- Coordinating with the background check company to receive real-time updates about problematic counties;
- Evaluating existing background check “packages” (i.e., the types of searches included in background checks) to determine whether to fortify them;
- Assessing options for and legal limitations on gathering criminal record information directly from candidates themselves; and
- Assessing pre-hire/engagement paperwork, such as conditional offer letters, to ensure the paperwork includes appropriate contingencies.5
Companies should also identify potential indirect issues of concern, for example, how this development in California will impact the ability of their vendors, such as temporary staffing agencies, to meet contractual obligations to do their own vetting. Such vendors will be grappling with these same issues for the foreseeable future.
California Guidance For COVID-19 Vaccination And Testing Requirements
After the announcement of President Biden’s COVID-19 Action Plan, employers across the country, including California started to consider how to implement vaccination and testing requirements, even ahead of clear guidance from the federal government.
California already has its own Emergency Temporary Standards (ETS) which were amended in June by Cal/OSHA. However, currently, the California ETS does not mandate vaccination and the Cal/OSHA Standards Board has indicated it does not plan to amend the ETS further until at least December.
California’s administrative agencies have issued some guidance regarding the handling of both testing and vaccination in the workplace.
Earlier in 2021, California’s Labor Commissioner issued an FAQ regarding COVID-19 Testing and Vaccination, which covers concerns related to regulations enforced by the Labor Commissioner.
Similarly, the Department of Fair Employment and Housing also updated its guidance regarding COVID-19, to include information pertaining to vaccination and related issues in March 2021.
As guidance about the federal requirements become clearer, employers should also review California-specific requirements related to vaccination and testing to ensure compliance with state and local requirements.
Maine’s Public Sector Employers Will Be Subject To OSHA COVID-19 Vaccination Mandate
The Maine Department of Labor announced on September 17, 2021 that the state’s public sector employees will be subject to President Biden’s COVID-19 vaccine mandate due to Maine’s state plan agreement with the federal government.
On September 9, President Biden directed the U.S. Occupational Safety and Health Administration to develop a rule requiring all private employers with 100 or more employees to ensure their workforce is either fully vaccinated for COVID-19 or subjected to weekly testing. President Biden’s plan also calls for employers to provide paid time off for employees to get vaccinated. Since OSHA has not yet issued the Emergency Temporary Standard (ETS), it is unclear whether the employer or employee will be required to pay for testing or whether time spent testing should be considered compensable time.
The Maine DOL stated in its press release that it “sought clarification from OSHA about the rule’s applicability to public employers because, under longstanding State law and a 2015 agreement with the Federal government…Maine is required to adopt and enforce for public employers all of OSHA’s occupational safety and health standards.”
As noted in the press release, “Maine is one of 26 states and two territories to have a state plan agreement with the Federal government.” Due to the agreement, public sector employers with 100 or more employees in Maine will be required to follow the OSHA ETS on COVID-19 vaccinations and testing. Covered employers will include state, county, and local governments as well as public school systems.
Considering the Maine DOL’s announcement—and pending the release of OSHA’s ETS and the outcome of various expected legal challenges to it—all public and private employers in Maine with 100 or more employees should prepare to implement vaccination requirements or weekly testing programs likely before the end of 2021.
Maine’s healthcare industry is already subject to a state COVID-19 vaccination mandate requiring all healthcare workers to be fully vaccinated by October 1 with enforcement beginning on October 29. This includes all employees of hospitals, nursing homes, EMS organizations, dental practices, and other healthcare facilities regardless of size.
Once OSHA releases its ETS—no set timeframe for its publication in the Federal Register has been announced—the Maine Board of Occupational Safety and Health must adopt and enforce the forthcoming rule within 30 days of its release.
Be Prepared For The New Illinois Equal Pay Reporting And Certification Requirements
In 2021, Illinois has amended the Illinois Equal Pay Act (“EPA”) into law, imposing new equal pay compliance requirements on any private employer who has more than 100 employees in the State of Illinois and is required to file an Annual Employer Information Report EEO-1 with the EEOC. On June 25, 2021, Governor Pritzker signed additional amendments to the EPA into law, providing crucial updates and clarifications to the newly mandated certificate reporting requirements.
Put briefly, the amendments altogether create new obligations for employers with more than 100 employees in Illinois to biannually report pay data, submit equal pay registration certificates, and certify compliance with the State’s equal pay laws.
Here are some key takeaways:
- Covered Employers who are authorized to transact business in Illinois as of March 23, 2021, must submit an application to obtain an equal pay registration certificate between March 24, 2022 and March 23, 2024, and must recertify every 2 years.
- Employers having fewer than 100 employees still must certify in writing that they are exempt from this requirement.
- To apply, employers must pay a $150 filing fee and submit wage records and an equal pay compliance statement to the Illinois Director of Labor.
- The wage record must include a list of all employees from the prior calendar year, separated by the protected categories as reported in the employer’s most recent EEO-1 Report. In addition, the record must include the county where each employee works, the date the employee started working for the business, and total wages paid to each employee during the past calendar year, rounded to the nearest $100.
- The compliance statement must be signed by a corporate officer, legal counsel, or authorized agent of the business, which includes a certification that the business is in compliance with the Equal Pay Act and other relevant laws, that the average compensation for its female and minority employees is not below the average compensation for its male and non-minority employees, and that the business does not restrict employees of one sex to certain job classifications.
- Employers whose applications are rejected have 30 days to cure any deficiencies that led to the rejection.
- Employers who violate the equal pay registration requirements will be fined up to $10,000 per employee affected once this law goes into effect.
Employers should begin preparing for these new reporting and certification requirements that will begin in 2022, and, if necessary, conduct any audits with the assistance of legal counsel that may be deemed necessary. Thompson Coburn’s employment attorneys are available to assist you with this process and provide further information and specifications regarding these new requirements.
New York State Employers Must Activate HERO Act Plans
On Monday, September 6, 2021, New York State Governor Kathy Hochul announced that the New York State Commissioner of Health (“Commissioner”) has designated COVID-19 as a “highly contagious communicable disease that presents a serious risk of harm to the public health” under the New York Health and Essential Rights Act (HERO Act). The Commissioner’s designation requires that all New York State employers “promptly” activate their workplace airborne infectious disease exposure prevention plans which they were required to adopt under the HERO Act.
The HERO Act requires that all New York State employers have in place an industry-specific model airborne disease exposure prevention plan issued by the New York State Department of Labor (DOL) or develop their own exposure prevention plan that equals or exceeds the exposure prevention standard set by the DOL. The DOL standard and model exposure prevention plans are available here.
- Review its exposure prevention plan and update it as necessary to incorporate current information, guidance and mandatory requirements;
- Finalize and promptly activate its exposure prevention plan;
- Verbally review its plan and policies with employees and inform employees of their rights under New York Labor Law § 218-b; and
- Provide employees with a copy of its plan, post a copy in a visible and prominent location at the worksite, and ensure a copy is accessible to employees during all work shifts.
Employers should review the specifics of their own exposure prevention plans to ensure that they comply with all other requirements listed in them.
As long as the Commissioner’s designation is in effect, employers must also do the following:
- Assign one or more supervisory employees to enforce their exposure prevention plan;
- Monitor and maintain exposure controls; and
- Regularly check for updated information and guidance from the New York State Department of Health and the CDC and update their plans accordingly.
New York State Issues Updated Model Workplace Safety Plans And FAQ Guidance Under The HERO Act
On September 23, 2021, New York State issued updated model airborne infectious disease exposure prevention plans for employer use pursuant to the HERO Act.
As we previously reported, the HERO Act requires all employers in New York to implement certain safety standards and adopt a prevention plan to protect against the spread of airborne infectious diseases in the workplace. Following the September 6, 2021 designation of COVID-19 as a covered infectious disease under the law, employers across the state must now “promptly” take certain steps to activate and distribute their plans and otherwise ensure compliance with the Act.
While a general model plan appropriate for office workplaces and separate plans for certain specific industries were previously issued by the New York State Department of Labor (NYDOL), these have now been updated and reissued with substantive changes to two sections—face coverings and social distancing.
- With regard to face coverings, the model plans now provide that, in workplaces where all individuals on premises, including but not limited to employees, are fully vaccinated, face coverings are “recommended, but not required.” For all other workplaces, the model plan now states: “Employees will wear appropriate face coverings in accordance with guidance from State Department of Health or the Centers for Disease Control and Prevention, as applicable.” Previously, the model plans stated that “employees will wear face coverings throughout the workday to the greatest extent possible” and “[f]ace coverings and physical distancing should be used together whenever possible.”
- With regard to social distancing, the revised model plans remove prior references to “avoiding unnecessary gatherings” and “using a face covering when physical distance cannot be maintained.” Now, the section states only: “Physical distancing will be used to the extent feasible, as advised by guidance from State Department of Health or the Centers for Disease Control and Prevention, as applicable.” The revised plans still, however, require the employer to list the health and safety controls it will implement in circumstances where distancing cannot be maintained.
The NYDOL also recently issued a set of frequently asked questions on the HERO Act. The FAQs primarily re-iterate information from the HERO Act statute as well as the standard and model plans. However, some notable provisions from the FAQs include:
- Modifications to the Model Plan: If an employer adopts a plan other than one of the models provided by the state, the HERO Act requires that the employer “develop such plan pursuant to an agreement with the collective bargaining representative, if any, or with meaningful participation of employees where there is no collective bargaining representative.” To what extent an employer may alter one of the model plans before it becomes an “alternative plan” remains open to some interpretation, but according to the FAQs “[m]odifications by the employer in the Controls or Advance Controls sections of the Department of Labor’s General Industry Template do not necessarily constitute an ‘alternative plan’ for the purposes of the HERO Act and likely do not require additional employee participation. However, amendments to such templates that go beyond the open fields of such template likely do constitute an ‘alternative plan’ requiring employee review and/or participation.”
- Workplace Safety Committees: The HERO Act also states that employers with at least 10 employees “shall permit employees to establish and administer a join labor-management workplace safety committee.” On this provision of the Act, the FAQs state that “[t]he law requires employers with 10 or more employees to establish and administer a joint labor-management workplace safety committee.” Employers should continue to watch for additional clarification and guidance (discussed further below) regarding the workplace safety committee provisions of the Act and any next steps that may be needed in this regard.
- HERO Act Regulations: The FAQs state that the NYDOL will be promulgating regulations regarding the HERO Act, including the provisions governing workplace safety committees, in the future. While the FAQs do not provide a timeframe for the publication of these regulations, they may resolve some of the open questions remaining under the Act.
New Jersey Cannabis Regulatory Commission Temporarily Waives Requirement For Employers To Conduct Physical Examinations In Connection With Cannabis Drug Testing
On August 19, 2021, the New Jersey Cannabis Regulatory Commission (the “Commission”) published its long-awaited first set of Personal Use Cannabis Rules (the “Initial Rules”) regarding recreational cannabis use for adults age 21 and over under the New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act (“NJCREAMMA”). These Initial Rules largely address licensing standards for cannabis businesses and equity and safety issues in the new marketplace. Significantly, however, the Initial Rules do not provide any additional clarity on the employment protections and employer drug testing requirements enacted under NJCREAMMA.
NJCREAMMA provides various employment protections for employees who use cannabis recreationally. Namely, NJCREAMMA prohibits New Jersey employers from taking any adverse employment action against applicants or employees based solely on their use of cannabis. As a result of the publication of the Initial Rules, these employment protections became enforceable as of August 19, 2021.
Further, while NJCREAMMA codified an employer’s right to conduct cannabis drug testing of applicants and employees in certain circumstances, the law also imposed new onerous requirements on such testing. Under NJCREAMMA, work-related cannabis testing must include a physical examination conducted by a Workplace Impairment Recognition Expert (“WIRE”), who must be certified in accordance with standards to be established by the Commission. The Initial Rules state that until the Commission, in consultation with the Police Training Commission, develops such certification standards, employers are not required to conduct physical evaluations of employees for cannabis drug testing purposes.
It is unclear when the Commission will adopt WIRE certifications standards or when there will be additional regulations regarding the employment protections or drug testing requirements imposed by NJCREAMMA. New Jersey employers should continue to stay up-to-date with any developments and consult with counsel to review drug- and alcohol-free workplace policies and drug testing protocols.
New Charlotte Ordinance Expands Employment Non-Discrimination Protections
On August 9, 2021, the Charlotte City Council voted unanimously to expand the protections under the City’s non-discrimination ordinance to include additional protected categories.
On August 9, 2021, the Charlotte City Council voted unanimously to expand the protections under the City’s non-discrimination ordinance by adding familial status, sexual orientation, gender identity and gender expression, veteran status, pregnancy, and natural hairstyle to the list of protected classes. The employment protections become effective January 1, 2022.
The ordinance, however, also includes a number of exceptions to the employment discrimination prohibitions:
- A Religious Organization that employs a person to perform work associated with the Religious Organization and that insist employees adhere to the tenets of the Religious Organization as a condition of employment are exempted from the ordinance.
Employees are still permitted to express sincerely held religious or moral beliefs and commitments in the workplace in a reasonable, non-disruptive, and non-harassing way so long as the expression is not in direct conflict with the essential business interests or needs of the employer.
- Employers are not required to hire or retain unqualified employees when there is a legitimate non-discriminatory or non-retaliatory reason for not doing so.
- Employers are permitted to require employees to adhere to reasonable dress or grooming standards during their hours of work due to a business necessity and that are not prohibited by federal, state, or local law.
- Employers are still permitted to adhere to the conditions of a bona fide seniority system or affirmative action plan that is not a pretext to evade the purposes of the employment discrimination prohibitions.
Implications for Employers:
- The ordinance applies to all employers in the City.
- Employees do not have a private right of action under the ordinance. Instead, an employee may file a complaint with the conciliation division of the City of Charlotte Community Relations Committee (“CRC”) within 180 days of the alleged incident. The CRC will review the complaint to first determine if it should be forwarded to the appropriate federal (EEOC) or state authority for review and appropriate action.
- The ordinance is intended to address gaps in employment protections not provided by federal or state law. For example, existing state and federal anti-discrimination laws only apply to employers with 15 or more employees. If the federal or state agencies do not have jurisdiction or authority over a complaint or otherwise decide not to take up a complaint, the CRC shall address and investigate the complaint. An investigator will make a finding within 100 business days of the development of an investigation plan and submit it to the CRC Director for review.
- If the CRC Director finds no cause to believe the employer violated the non-discrimination ordinance, the CRC Director will close the case. If the CRC finds reasonable cause, the CRC will attempt to conciliate the matter. If the parties enter into a conciliation agreement, the CRC will monitor compliance for one year. If there is a failure to conciliate, the matter will proceed to a public hearing before a CRC panel that will issue a cause or no cause finding. If the panel issues a cause finding, the parties may enter into a conciliation agreement. If there is a failure to conciliate after the panel’s cause finding, the CRC will refer the matter to the City Attorney’s Office for appropriate action, which may include civil fines and penalties.
Rhode Island Expanded Equal Pay Protections & Employer Responsibilities
On July 6, 2021, Rhode Island amended its Wage Discrimination Based on Sex law (R.I. Gen. Laws § 28-6-17–§ 28-6-21) in seven key respects. Specifically, the amendments, which take effect on January 1, 2023, expand the scope of the equal pay law’s protections to various characteristics in addition to sex; provide for additional scenarios where wage differentials are permissible; prohibit employers from asking about an applicant’s wage history; enact pay transparency requirements; create a “safe harbor” defense for employers that have audited their pay practices and remedied any disparities; prohibit retaliation against employees for exercising their rights under the law; and require employers to post a notice of employees’ rights under the law.
Effective January 1, 2023, Rhode Island’s equal pay law will extend from protecting sex alone to also prohibiting wage differentials based on race, color, religion, sexual orientation, gender, gender identity or expression, disability, age, and country of ancestral origin for “comparable work.” Under the amended statute, “comparable work” means “work that requires substantially similar skill, effort, and responsibility, and is performed under similar working conditions.” Whether two jobs are comparable turns on “an analysis of the jobs as a whole,” and “[m]inor differences in skill, effort, or responsibility” will not undermine comparability.
While the current version of Rhode Island’s equal pay law contains only four limited exceptions, the new law contains eight exceptions—including a broad, catchall exception modeled largely on “business necessity” defense of Title VII of the Civil Right Act of 1964 (“Title VII”) to disparate impact claims—permitting wage differentials if they are the result of the following:
- “A seniority system; provided, however, that time spent on leave due to a pregnancy related condition or parental, family and medical leave shall not reduce seniority.”
- “A merit system.”
- “A system that measures earnings by quantity or quality of production.”
- “Geographic location when the locations correspond with different costs of living, provided, that no location within the state of Rhode Island will be considered to have a sufficiently different cost of living.”
- “Reasonable shift differential, which is not based upon or derived from a differential in compensation based on [a protected] characteristic.”
- “Education, training, or experience to the extent such factors are job-related and consistent with a business necessity.”
- “Work-related travel, if the travel is regular and a business necessity.”
- “A bona fide factor other than [a protected] characteristic…which is not based upon or derived from a differential in compensation based on [a protected] characteristic…which is job-related with respect to the position in question; and which is consistent with business necessity.” Like Title VII’s “business necessity” defense, an employer will not be able to rely on this exception “if the employee demonstrates that an alternative business practice exists that would serve the same business purpose without producing the wage differential and that the employer has refused to adopt such alternative practice.”
In an effort to prevent past disparities from influencing future compensation decisions, the amended law prohibits employers from asking about an applicant’s salary history and from relying on an applicant’s wage history when considering the individual’s candidacy. But after making an offer of employment, an employer may consider and seek to confirm the applicant’s “wage history” but only for the limited purpose of “support[ing] a wage higher than the wage offered by the employer, if wage history is voluntarily provided by the applicant for employment, without prompting from the employer…”
Joining the growing number of states that have enacted pay transparency laws, Rhode Island amended its equal pay law to require or encourage four disclosures of wage information. First, upon request, employers must provide applicants with the wage range of the position for which they have applied. Second, employers “should” provide an applicant with the wage range for the position under consideration “prior to discussing compensation.” Third, whenever employees are hired or move into a new position, the employer must provide them with the wage range for their position. Finally, if employees request the wage range for their position at any time during their employment, the employer must provide them with that information.
“Safe Harbor” Affirmative Defense
Similar to other states’ equal pay laws, the amended law provides a “safe harbor” affirmative defense for an employer that voluntarily conducts a good-faith audit of its pay practices to identify any violations and remedies any identified issues within 90 days of completing the audit. For this defense to be successful, the employer must have completed the audit within the past two years and before the commencement of the legal action at issue. While an employer may use its own evaluation form to conduct this audit, the Department of Labor and Training (“DLT”) will issue a standard evaluation form employers may use.
Under the amended equal pay law, employers are prohibited from retaliating against employees for discussing their wages, participating in any proceeding under the equal pay law, or opposing unlawful practices under the equal pay law.
Finally, employers must post a notice issued by DLT explaining employees’ rights under the amended law in a conspicuous place on its premises.
Connecticut Publishes Guidance Regarding Disclosure Of Salary Range For Vacant Positions
The Connecticut Department of Labor has published guidance regarding the state’s “An Act Concerning the Disclosure of Salary Range for a Vacant Position,” which goes into effect on October 1, 2021.
In reviewing this guidance, employers should be mindful that it does not constitute legal advice and is non-binding. A court may have a different interpretation of the law’s provisions.
The guidance reiterates that the law applies to any employer within the state using the services of one or more employees for pay, even if those employees are located outside the physical confines of the state.
With respect to covered employees, the Department of Labor considers remote employees working outside the Connecticut as covered by the law if they are working for or reporting into an employer within the state.
With respect to national employers, however, the Department of Labor does not interpret the law to cover employees who report to a physical location out of the state, even if the employer also has a location within Connecticut.
The guidance acknowledges that there is no definition of “applicant” in the law and advises employers to interpret the term broadly. The Department of Labor has defined “applicant” as “any individual who applies for a job” and cautions employers that they may not adopt their own definition of “applicant.”
The guidance also discusses what must be included in the wage range. Consistent with how “wages” are defined under Connecticut law, the Department of Labor states that, “[g]enerally, discretionary pay does not constitute wages,” and therefore, “such compensation is not required to be disclosed to an employee or applicant.” Non-discretionary bonuses and commission plans must be disclosed as part of the wage range, however.
The guidance further addresses employers’ concerns about the breadth of the required disclosures. Under the law, an applicant can only request the wage range for the position to which that applicant is applying. According to the guidance, “The employer is not required to provide the applicant with information concerning the amount of wages paid to any other employees.” While employees may ask other employees about their wages, and are protected from retaliation for doing so, an employer is not required to disclose the wages paid to other employees.
Finally, the guidance reiterates that an applicant or employee may file a civil action within two years of the date of any alleged violation of the law. Available remedies include compensatory damages, attorney’s fees and costs, punitive damages, and any other relief that a court deems “just and proper.” Additionally, any person who alleges a violation of the law may file a complaint with the Labor Commissioner. The Labor Commissioner may assess civil penalties against an employer but cannot seek damages for the applicant or employee if a violation is found.
San Francisco Implements Expanded Vaccination Requirements
In response to the spread of the Delta variant, the City and County of San Francisco has expanded its COVID-19 vaccination requirements for certain businesses and added food and exercise establishments as covered entities for the first time. The expansion was included in an August 12, 2021, update to the Order of the Health Officer (“Updated Order”).
Previously, the Order required COVID-19 vaccination for personnel in “High-Risk Settings” and for personnel and patrons in “Mega Events.” The Updated Order makes three major changes:
- Creates a separate COVID-19 vaccination requirement for certain food and exercise establishments;
- Expands the existing High-Risk Setting COVID-19 vaccination requirements to include additional businesses; and
- Alters the rules related to Mega Events and large events.
1. Food and Exercise Establishments
The Updated Order creates a new requirement that certain food and exercise businesses verify the COVID-19 vaccination status of patrons and staff. This requirement applies to:
- Operators or hosts of establishments or events where food or drink is served indoors—including but not limited to dining establishments, bars, clubs, theaters, and entertainment venues.
- Gyms, recreation facilities, yoga studios, dance studios, and other fitness establishments where any patrons engage in cardiovascular, aerobic, strength training, or other exercise involving elevated breathing.
The Updated Order requires proof of vaccination for patrons and staff and imposes different guidelines for each group. The Updated Order does not define “staff” but indicates that the term is narrower than the definition of “personnel” used elsewhere in the Order. Specifically, individuals who enter or work in the facility on an intermittent or occasional basis or for short periods of time (e.g., individuals who deliver goods or packages) are not covered by these requirements.
Proof of Patron COVID-19 Vaccination
Proof of patron COVID-19 vaccination must be verified for all patrons 12 years and older beginning August 20, 2021. Proof must be provided prior to entering an indoor portion of the facility (typically at the entrance or in advance of arrival), with limited flexibility for certain establishments:
- Dining establishments and bars may require proof of patron vaccination status at the time of the patrons’ first in-person interaction with staff, provided such patrons are wearing face coverings;
- Dining establishments and bars may allow individuals wearing a face covering to order, pick up, or pay for takeaway orders without requiring proof of vaccination status; and
- Theaters where concessions are sold may require proof of patron vaccination status to be shown at the time of the patrons’ purchase of concessions rather than at the entrance to the establishment.
Proof of patron vaccination is not required when using any outdoor portions of the facilities or when coming indoors only to use the restroom, provided patrons are wearing a proper face covering. The requirement for proof of vaccination is subject to any applicable accommodation laws.
Proof of Staff COVID-19 Vaccination
Beginning October 13, 2021, businesses must obtain proof of staff COVID-19 vaccination prior to entering or working in any indoor portion of the facility, subject to applicable accommodation requirements. Additionally, by August 20, 2021, businesses must ascertain the vaccination status of all staff. Both of these requirements apply to staff who routinely work onsite. They do not apply to individuals who work on an intermittent or occasional basis or for short periods of time.
Businesses must keep records of staff vaccination or exemption status. Those records should be kept confidential, but the Updated Order requires they be provided to the Health Officer upon request.
How to Check for Proof of Patron or Staff COVID-19 Vaccination Status
For both patrons and staff, the following forms of proof are acceptable:
- The CDC vaccination card, which includes name of person vaccinated, type of vaccine provided, and date last dose administered, or similar documentation issued by another foreign governmental jurisdiction;
- A photo or copy of a vaccination card as a separate document;
- A photo of a vaccination card stored on a phone or electronic device;
- Documentation of vaccination from a healthcare provider; or
- A personal digital COVID-19 vaccine record issued by the State of California and available by going to cdph.ca.govor similar documentation issued by another state, local, or foreign governmental jurisdiction, or by an approved private company.
- For staff only,a sixth option is available: written self-attestation of vaccination signed (including an electronic signature) under penalty of perjury and containing the name of the person vaccinated, type of vaccine taken, and date of last dose administered. This option is expressly prohibited for patrons.
Businesses must cross-check proof of vaccination against a form of photo ID unless photo ID is already integrated into the digital COVID-19 vaccine record. If proof of vaccination was presented in advance of arrival, identification must be confirmed at the time of entry into the facility.
No later than August 20, 2021, businesses must post specific signage aimed at patrons and staff to inform individuals that they are required to provide proof of their full COVID-19 vaccination status. Sample signage can be found here.
2. High-Risk Settings
The prior order imposed certain requirements, including COVID-19 vaccination, on High-Risk-Settings such as general acute care hospitals, skilled nursing facilities, shelters, jails, and other locations. The Updated Order now requires that adult care facilities, adult day programs, and dental offices must comply with the High-Risk Setting requirements, including the requirement that “personnel” be vaccinated. Additionally, businesses with home healthcare workers and pharmacists must comply with a limited number of the High-Risk setting requirements.
These requirements must be satisfied by October 13, 2021.
3. Large Events
The prior order imposed certain requirements, including COVID-19 vaccination and testing, on Mega Events (indoor events with 5,000 attendees and outdoor events with 10,000 attendees). The Updated Order tightens these requirements and expands them to indoor events with 1,000 or more attendees.
- Businesses should review the Updated Order and determine whether they are subject to any of the proof of vaccination requirements.
- Affected businesses should develop a plan to meet the requirements by the stated deadlines.
- Businesses should pay particular attention to recordkeeping requirements, as well as compliance with accommodation and privacy laws.
- All businesses should continue to monitor for updates to applicable COVID orders.
Mask Up, Vax Up: Illinois Governor Issues Immediate Face Covering Mandate For All, COVID-19 Vaccine Mandate For Healthcare, School And State Workers And Students
On August 26, 2021, Illinois Governor J.B. Pritzker issued Executive Order 2021-20 (COVID-19 Executive Order No. 87) (the Order). The Order mandates that all individuals in Illinois who are at least two years old and who are medically able must wear face coverings indoors and in other specified settings. In addition, the Order mandates COVID-19 vaccination for certain professionals in healthcare and education, as well as for students and state employees, subject to certain exemptions which require regular COVID-19 testing. The Order is effective immediately.
Face Covering Requirement
The Order requires all individuals in Illinois two years old or older, and regardless of vaccination status, to wear a face covering over their nose and mouth when in an indoor public space, so long as they are able to medically tolerate a face covering. Where individuals are in close contact with others in an outdoor setting, the Order also strongly suggests (but does not mandate) wearing a face covering. Face coverings may be removed by (1) individuals actively eating or drinking (including in bars and restaurants), and (2) workers in workplaces when they can consistently maintain six feet of distance (such as when workers are in their office or cubicle space).
In addition to indoor public spaces, the Order confirms that individuals will continue to be required to wear a face covering in the following areas:
- Public transportation and gathering hubs (planes, buses, trains, airports and bus or train stations);
- Congregate facilities (such as correctional facilities and homeless shelters); and
- Any healthcare setting.
Covid-19 Vaccination Requirements
What are the vaccination requirements and deadlines?
The Order requires all Health Care Workers, School Personnel, Higher Education Personnel and Higher Education Students (each as defined below) to (1) receive at least the first dose of a two-dose COVID-19 vaccine series or a single-dose COVID-19 vaccine within 10 days after issuance of the Order (i.e., by September 5, 2021), and (2) be fully vaccinated against COVID-19 within 30 days following administration of their first dose in a two-dose vaccination series.
“Fully vaccinated” means that it is two weeks after receiving the second dose of a two-dose series of a COVID-19 vaccine authorized for emergency use (EUA), licensed or otherwise approved by the US Food and Drug Administration (FDA), or two weeks after receiving a single-dose COVID-19 vaccine authorized for emergency use, licensed or otherwise FDA-approved.
The Order also requires state employees at state-owned or operated congregate facilities to have both doses of a two-dose COVID-19 vaccine series or a single-dose COVID-19 vaccine by no later than October 4, 2021, subject to bargaining.
Who is covered by the Order?
The Order generally applies to all individuals who meet the definition of Health Care Worker, School Personnel, Higher Education Personnel or Higher Education Student, and it also applies to certain state workers. Specifically:
- “Health Care Worker” is any individual who is (1) employed, contracted or volunteering at a healthcare facility (defined below); and (2) in close contact (fewer than six feet) with other persons for 15 or more minutes at least once per week on a regular basis as determined by the healthcare facility. A “Health Care Facility” is broadly defined to include any institution used to provide health services, medical treatment/nursing and rehab or preventative care. This includes the following: ambulatory surgical treatment centers, hospices, hospitals, physician offices, dental offices, free-standing emergency centers, urgent care facilities, birth centers, post-surgical recovery care facilities, end-stage renal disease facilities, long-term care facilities (including skilled and intermediate long-term care facilities licensed under the Nursing Home Care Act, the ID/DD Community Care Act or the MC/DD Act), Specialized Mental Health Rehabilitation Facilities, assisted living facilities, supportive living facilities, medical assistance facilities, mental health centers, outpatient facilities, public health centers, rehabilitation facilities, residential treatment facilities and adult day care centers.
- “School Personnel” means any person (1) employed, contracted or volunteering at a school or school district with student pre-kindergarten through 12th grade, and (2) in close contact (fewer than six feet) with other persons in the school for 15 or more minutes at least once per week on a regular basis as determined by the school. “School” refers to both private and public elementary or secondary school, including charter schools, serving students in pre-kindergarten through 12th grade, including state-operated residential schools.
- “Higher Education Personnel” means any person (1) employed, contracted or volunteering to provide services for an institution of higher education, or employed by an entity contracted to provide services for an institution of higher education, and (2) in close contact (fewer than six feet) with other persons in the school for 15 or more minutes at least once per week on a regular basis. An “Institution of Higher Education” is any publicly or privately operated university, college, community college, junior college, business, technical or vocational school or other educational institution offering degrees, programs or instruction beyond the secondary school level.
- “Higher Education Student” means any individual enrolled in credit-bearing or non-credit bearing coursework at an institution of higher education, either on campus or at an affiliated off-campus location. Importantly, the Order does not apply to students completing their coursework exclusively remotely.
- In addition, the Order’s vaccine mandate applies to all state employees, as well as contractors or vendors, who work at “state-owned or operated congregate facility,” meaning congregate facilities operated by the Illinois Department of Veterans’ Affairs, the Illinois Department of Human Services, the Illinois Department of Corrections and the Illinois Department of Juvenile Justice.
Is anyone excluded from the Order?
Yes. The Order does not apply to:
- Healthcare workers employed, contracted or volunteering for any state-owned or operated facility;
- Students completing their coursework exclusively remotely; and
- Individuals who are present at a covered Health Care Facility, School or Institution of Higher Education or affiliated off-campus location, or contractors or vendors who are present at state-owned or operated congregate facilities, if they are present for only a short period of time and their movements of close proximity to others is fleeting (e.g., contractors making deliveries and who remain physically distanced or individuals who enter a site briefly to pick up a shipment).
Though the Order does not state explicitly, given the exclusion of individuals who are present at covered facilities and locations for only short periods of time, fully remote employees appear to be excluded from the Order, as well.
What types of proof are acceptable to demonstrate COVID-19 vaccination status?
Individuals covered by the Order must provide proof of COVID-19 vaccination to their applicable facility or school. Proof of COVID-19 vaccination may be met by providing any of the following:
- A Centers for Disease Control and Prevention (CDC) COVID-19 vaccination record card or photograph of the card;
- Documentation of vaccination from a health care provider or electronic health record; or
- State immunization records.
Are there any exemptions to the vaccine mandate?
Yes. Individuals are exempt from the Order’s requirement to be fully vaccinated against COVID-19 if they demonstrate that vaccination is medically contraindicated, including any individual who is entitled to accommodation under the Americans with Disabilities Act or other disability-related reasonable accommodation law. An individual is also exempt from vaccination if it would require the individual to violate or forego a sincerely held religious belief, practice or observance. (The Order is silent on any further procedures for furnishing proof of exempt status.)
The Order further provides that covered individuals who are not fully vaccinated against COVID-19 must be excluded from the premises unless they comply with the testing requirements set forth in the Order. It is unclear whether the testing option is available to anyone who chooses not to receive a COVID-19 vaccination, or whether it may only be available for those individuals with an approved medical or religious exemption or who are in process to become fully vaccinated at the time the Order becomes effective.
Are there additional safety requirements that apply to anyone who is not fully vaccinated?
Yes. Starting 10 days after the Order’s issuance, on September 5, 2021, any Health Care Worker, School Personnel, Higher Education Personnel or Higher Education Student who is not fully vaccinated must be excluded from the premises of the applicable Health Care Facility, School or Institution of Higher Education unless the individual is tested for COVID-19 at least weekly with a test that has EUA or is operating per the Laboratory Developed Test requirements by the CDC.
The Health Care Facility, School or Institution of Higher Education must either conduct the testing on site or must obtain proof or confirmation from the individual of a negative test result obtained elsewhere. Though not required, the Illinois Department of Public Health recommends that PCR tests are used for this testing, if available.
State employees who are covered by the Order and who are exempt from vaccination pursuant to medical or religious reason will also be required to comply with additional testing requirements; however, the Order is silent on the details of such requirements as to state employees, possibly due to bargaining obligations.
Are Illinois employers permitted to implement their own vaccination requirements, even if the Order does not require them to do so? And can covered facilities implement more stringent requirements than the Order requires?
The Order explicitly states that nothing in the Order shall prohibit any entity from implementing its own vaccination and/or testing requirements for personnel, contractors, students or other visitors that exceed the requirements of the Order. Moreover, the Order encourages all entities to implement robust vaccination and testing programs to reduce the spread of COVID-19.
Connecticut Enacts Law Shielding Businesses That Comply With Cybersecurity Frameworks From Punitive Damages In Data Breach Tort Lawsuits
On July 6, 2021, Connecticut Gov. Ned Lamont (D) signed Public Act No. 21-119 into law.
The new law immunizes businesses that comply with specific cybersecurity frameworks from punitive damages in tort actions brought under Connecticut law or in a Connecticut state court alleging that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or information that can be used to determine an individual’s identity or is reasonably linkable to an individual. This statutory immunity applies to all businesses regardless of whether or not they are incorporated or do business in Connecticut and is available to all forms of for-profit and nonprofit business entities including corporations, partnerships, trusts, limited liability companies, joint ventures, associations, individuals, and sole proprietorships.
While the law only immunizes compliant businesses from punitive damages and does not provide any immunity from compensatory and other non-punitive damages, compliance may significantly reduce businesses’ exposure in the event of a data breach, especially given that some courts have become more likely to impose common law duties on businesses that collect and possess personal information to safeguard such information from data breaches.
The specific cybersecurity frameworks enumerated in the law include the Payment Card Industry Data Security Standard (PCIDSS), which major credit card companies require businesses that accept credit card payments to adhere to, the federal National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and Special Publication 800-171, Special Publications 800-53 and 800-53a, the Federal Risk and Management Program’s FedRAMP Security Assessment Framework; the Center for Internet Security’s Center for Internet Security Critical Security Controls for Effective Cyber Defense; and the ISO/IEC 27000-series.
In addition to availing themselves of this newfound statutory immunity, businesses that work with an interdisciplinary team of experienced legal and technical professionals to ensure compliance with one of the enumerated cybersecurity frameworks can significantly reduce their vulnerability to cyberattacks and data breaches, the frequency of which has increased exponentially in recent years, especially during the COVID-19 Pandemic.
U.S. District Court Grants TRO Barring New York From Excluding Religious Exemptions For COVID-19 Vaccine Mandate
On September 14, 2021, District Court Judge David N. Hurd of the Northern District of New York granted a temporary restraining order (TRO) barring the New York State Department of Health (DOH) from enforcing the vaccine mandate to the extent that it requires that any employers deny religious exemptions from COVID-19 vaccination or that they revoke any exemptions employers already granted before the mandate was issued.
The TRO was granted as a result of a lawsuit filed on September 13, 2021. The plaintiffs are composed of several medical professionals employed in the State of New York who assert that their sincerely held religious beliefs require them to refuse the COVID-19 vaccine. They allege that the vaccine mandate, in its current form, violates the First and Fourteenth Amendments, the Supremacy Clause, and the Equal Protection Clause of the US Constitution. The named defendants are New York State Governor Kathy Hochul, New York State Commissioner of Health Dr. Howard A. Zucker, and New York State Attorney General Letitia James.
Next Steps and Takeaway
- The TRO only prevents the DOH from enforcing the vaccine mandate to the extent that it bars consideration or granting of religious exemption requests. Accordingly, healthcare employers must adhere to all remaining requirements of the vaccine mandate.
- A TRO is only a temporary measure to prevent anticipated harm as the parties litigate the constitutionality of the vaccine mandate.
- The lawsuit, A, et al., v. Kathy Hochul, et al., 21-CV-1009 (DNH) (ML), is currently pending in the Northern District of New York. We will continue to monitor this matter closely and accordingly, we advise our clients to adhere to current federal, state, and city laws regarding religious accommodations.
Data Protection 101: What Every Organization Needs To Know (Brazil, European Union, Singapore, Thailand, United Kingdom)
All organizations will collect, use, and store sensitive information that they wish to keep protected, whether it is customer-centric information, employee data, or defined intellectual property data. Too many organizations today mistakenly attribute data breach incidents to hackers forcing entry into their networks and systems. Whilst those breaches make the daily headlines, it is employee error, such as a lost or stolen unencrypted computer or mobile device, phishing email attack or emailing large data sets to the wrong recipient that makes up the majority of breaches today.
What is Data Protection?
The primary purpose of a data protection policy is to protect the information held by an organization. When people think of data protection, they think of computer programs. Yet, the overarching principle is the same whether the information is within a document on a computer, a number stored on a piece of paper or even digital images stored on a cloud storage system. These documents, data, and media become ‘sensitive’ because they are the subject of transactions, contracts, and other business relations. The data protection policies need to have the purpose of protecting the sensitive information held by that company.
Why is data protection so important?
According to Forbes, 94 per cent of customers believe it is essential for organizations to protect their data, and 85 per cent of consumers who have been victims of data breaches say that such breaches have affected their trust in an organization. Organizations, therefore, have two main objectives concerning their data protection obligations. First, Achieve compliance with global data regulations that require organizations that process their residents’ personal to comply with their specific data regulations. Second: Ensure they use cost-effective solutions and processes to achieve that compliance in the most efficient way.
Defining what personal data is and what it isn’t
Personal data is information about an individual. Examples of personal data include information about an individual such as names, addresses, email addresses, telephone numbers, and date of birth, Credit card information, Financial transaction information, Medical data, such as insurance identification numbers or disease information
Most websites and email clients will also provide a list of “cookies” used to identify you if you have signed up or browse the website. That can include information such as the IP address, location, device ID, often known as online identifiers. When you visit a website that transparently informs through its privacy policies about the types of information they collect from you, You can find out what data and how long this cookie data is retained.
The different types of security measures that are available to protect your organization’s data
Organizations are under increasing pressure to ensure that they are safeguarding all of the information on their systems. The availability of many data protection products is a significant factor in this. This level of threat from hackers is something that every organization has to think about, especially now that we live in a world where people can use the internet to make purchases and do business without ever interacting with a human being. Organizations need to ensure that all of the security measures are in place to protect the data they hold, and they need to have robust measures in place to protect their information. Having a solution that maps and tracks the personal data to the data subject level provides essential information when dealing with a breach. It provides precisely which data subjects have been affected.
All organizations are legally obliged to comply with data privacy regulations such as the EU GDPR, UK DPA2018, Brazil LGPD, Thailand PDPA or the Singapore PDPA. Data protection law sets out the minimum requirements to preserve personal information confidentiality, integrity, and availability. All organizations are obliged to make reasonable efforts to carry out these requirements. Where a data breach occurs, an organization is required to notify the relevant authority. If the breach isn’t reported in time, the organization may face fines and penalties. Organizations need to proactively know what data they have, how it is used, and how it is protected to safeguard their business.
Types of security, how they work and their benefits
It is important to remember that it is important to determine which ones you want to focus on with all the different types of security controls. While keeping your systems and data secured is an essential part of running your business, as a CIO, I believe it is more important to focus on improving your organization’s business fundamentals. You do not need to go out and invest in the most expensive anti-virus software or the most significant database in the world to ensure your business is secure; you need to work hard at ensuring the basics are in place. There are many fundamentals to consider when it comes to building and maintaining a secure and successful business.
There has been a considerable amount of cybersecurity research done in the last five years, which has fundamentally changed the way businesses view and prepare for a cyber-attack. There are many keys things that an organization should implement in their organization to make sure that they are protected against cyber-attacks, and this article has provided an excellent introduction to that.
Monitoring Home Workers
March 2020 saw one of the biggest changes in working practices this country has ever seen. Sectors that primarily utilized office-based staff moved, within a matter of a couple of weeks, to being reliant on workers based at home.
While both employers and employees adapted to this new way of working with admirable speed, it brought with it a new focus on the already contentious subject of employee monitoring. Employers concerned about tracking productivity, protecting confidential information and ensuring appropriate use of IT systems looked for answers—and technology companies responded by offering tools ranging from remote monitoring of their IT system usage to using work device webcams to check employees were actually working. Many employees meanwhile were concerned about breaches of privacy occurring in their own homes.
Longer term attitudes to flexible working have become exactly that—more flexible—as a result of the pandemic. Even as the vaccine roll out gives hope of a return to some normality, multiple surveys have found that many employees would prefer to continue working from home in some capacity, even when social distancing laws no longer require them to do so. In many cases employers are supportive of this.
This realization that a full time return to the office post-pandemic is unlikely has led to concerns that current privacy protections for employees are inadequate. Those concerns led to a cross-party group of MPs, some of the country’s leading academics and the union, Prospect writing to the Information Commissioner, Elizabeth Denham, in December 2020 asking her to update guidance to keep pace with advancements in software used to monitor home workers. The Labor party also called for the UK Government to introduce better regulatory oversight to ensure workers are not monitored without their consent.
Current Legal Framework
The General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, along with the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 are the primary pieces of legislation regulating the ability of an employer to monitor employees. Employees can look to Article 8 of the European Convention on Human Rights (implemented via the Human Rights Act 1998) which sets out the right to family and private life, as well as the Equality Act 2010, the Employment Rights Act 1996 and the implied duty of trust and confidence contained in all contracts of employment when seeking protection from breaches of privacy, or discrimination or unfair treatment related to monitoring in the workplace.
In addition, guidance on monitoring employees working from home can be found in the ICO’s Employment Practices Code (published in 2011) and the Article 29 Working Party Opinion on data processing at work (“WP29”) (published in 2017). It is noteworthy that both these documents pre-date the implementation of GDPR in May 2018, although WP29 does specifically consider its impact. The European Data Protection Board (“EDPB”) has since replaced WP29. However, the WP29 Opinion did consider certain developments in technology which enable more intrusive monitoring and as such, for the time being, it is a helpful resource.
The Information Commissioner’s Office (“ICO”) issued guidance early on in the pandemic confirming their intention to take a pragmatic approach to enforcement of GDPR, acknowledging the many other difficulties businesses faced during this time. Guidance was issued on this basis in May 2020. This approach is though time limited to the pandemic and it remains important, nonetheless, for employers to comply with the regulatory requirements that are in place.
What Steps Need to be Taken to Comply with the GDPR
Monitoring of employees will amount, in most cases, to an employer processing personal data. Under the GDPR any such data must be processed lawfully, transparently and fairly. It must also be collected for specified, explicit and legitimate purposes and be limited to what is necessary for those purposes. That means minimizing the data that is collected to no more than is required for the monitoring to achieve its purpose.
Employers must have a legal basis for processing data and, in most cases, this is likely to be the “legitimate interest” of the employer. Consent is generally not appropriate because of the imbalance of power between employer and employee, making it difficult to prove it has been given freely. In essence, for monitoring to be lawful, the employer has to find the right balance between its interests in monitoring employees and employees’ rights to protection of data relating to them and their privacy.
Although not specifically required by the GDPR, the ICO recommends employers undertake a legitimate interests assessment (“LIA”)—a type of light touch risk assessment based on the specific context and circumstances of the processing—which can be retained to evidence the decision-making process and justification for processing on the basis of legitimate interests. This encourages employers to question why the processing is needed and objectively consider what the reasonable expectations of their employees will be around monitoring—specifically what their reasonable expectation of privacy will be in the circumstances—and any impact it has on them. As a general rule, the more intrusive the monitoring, the harder it will be to demonstrate a balance with the employer’s legitimate interest.
Unlike LIAs, Data Protection Impact Assessments (“DPIA”) are a GDPR requirement where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. Some types of processing automatically require a DPIA to be undertaken—systematic and extensive profiling with significant effects, large scale use of sensitive data and public monitoring. In other cases, the employer will need to assess whether the processing is higher risk. WP29 published guidelines with nine criteria which may act as indicators of likely high-risk processing, with a combination of two of the criteria often indicating the need for a DPIA. A number of these factors may arise when an employer introduces technology to monitor employees, triggering the need for a DPIA, but even if a DPIA is not a requirement, it would still be good practice to carry one out.
Should an employer choose to continue with their chosen monitoring method, transparency is essential. In addition to updating the staff privacy notice and any related policies, in the normal course, employees should be specifically made aware of the monitoring, the reasons for it and how it is being carried out. Covert monitoring will only be lawful in exceptional circumstances. Employers also need to be aware that some monitoring technologies may gather more information than was originally intended risking an unintended breach of GDPR.
What can be Distilled from Case Law?
While there is case law relating to employee monitoring from the European Court of Human Rights (“ECHR”)—arising from alleged breaches of Article 8—none has yet specifically addressed monitoring employees working from home. The cases before the ECHR have also tended to relate to disciplinary matters rather than monitoring for reasons such as checking productivity. In many cases monitoring for misconduct reasons will be limited in nature, whereas company-wide performance monitoring will be considerably broader in scope. This, together with it being likely that an individual’s reasonable expectation of privacy will be greater when working from home than when in an office environment, should be borne in mind when considering the case law.
The need for transparency when undertaking monitoring was highlighted in Barbulescu v Romania  ECHR 742, a case which revolved around monitoring email. The employer had a policy which made clear that its work computers could not be used for personal purposes but it did not specifically indicate the nature and extent of the monitoring or that the employer could access the content of the communications. Mr. Barbulescu only became aware of this when the employer produced evidence of his personal use of a work Yahoo account during a disciplinary process that led to his dismissal. After unsuccessful claims in the Romanian courts, the case was referred to the ECHR where Mr. Barbulescu argued his Article 8 right to respect for private and family life had been breached by virtue of the employer monitoring his emails. The ECHR initially decided by a majority that the employer was permitted to check whether or not Mr. Barbulescu was performing his work, however this was overturned on appeal to the Grand Chamber, who held Article 8 had been breached. The employer’s failure to expressly advise that this included monitoring the content of personal communications was key to the Court’s judgment that the correct balance between the employer’s interests and the employee’s right to privacy had not been met.
In Lopez Ribalda and Others v Spain  ECHR 752, a Chamber of the ECHR initially upheld a claim that an employer’s use of covert surveillance when trying to catch employees involved in workplace theft was a breach of the right to privacy under Article 8—the surveillance was a significant intrusion into the employees’ private lives and a fair balance had not been struck between the employees’ rights of privacy and the employer’s interest in protecting its property from theft. However, on appeal to the Grand Chamber that decision was overturned. Key to this decision was the limited nature of the monitoring. It took place in an area open to the public as well as employees where the “expectation of privacy” would have been lower, it only continued until the culprits were identified and was then used for the limited purpose of disciplinary action. Crucially, the Court also found there was no other less intrusive way of fulfilling the aim pursued—advising the staff of the surveillance would have defeated its purpose.
Closer to home, transparency was once again important when the domestic courts considered whether monitoring breached the implied term of trust and confidence in Argus Media Ltd v Halim  EWHC 42 (QB). When Argus sought to enforce post termination restrictions, Mr. Halim argued he had been released from them via the employer repudiating his contract by reading his personal emails. The Court disagreed. Significant in its reasoning was the Court’s finding that Argus had authority to monitor or review the use of their IT systems under their Electronic Information and Communications Policy which Mr. Halim had signed. The actions of Argus in reviewing the emails was not an illegitimate interference with the Article 8 right to family and private life. Even if there had been a breach of privacy, the Court held that, in the particular circumstances, such a breach was not one that was calculated or likely to destroy the relationship of trust and confidence.
Is the Current Regulatory Regime Adequate to Protect Home Workers?
The issue with the current regime is perhaps one of lack of understanding and a consequent failure by employers to take the necessary steps to properly balance justifiable protection of the employer’s interests with their employees’ rights to privacy. New challenges may be created (or at least become more common) as a consequence of higher numbers of home workers. There may be an increased risk of processing non-corporate information where employees are using personal devices for work during the week and for personal reasons in the evenings and at weekends. Other family members may also be caught up in the surveillance if the devices are shared. However, these are the types of issues that can and should be identified by employers, perhaps via DPIAs, at the planning stage.
The pragmatic approach to protecting employees’ privacy, at least initially, may be to ensure that the current regime and its requirements are accessible and easily understood via a campaign of publicity and education rather than an overhaul of legislation. Employers looking to grapple with the existing fairness and data minimization requirements of GDPR will be better supported in doing so once the ICO updates its guidance to employers to take account of both GDPR and the significant changes to how work is carried out. It was reported in January that the ICO was at the early stages of developing employer-focused guidance and that it would be engaging with organizations to seek their views.
The current practice of naming and shaming employers who breach rights may also have a place—highlighting the potentially significant fines that the ICO can make for GDPR breaches to deter employers, while concurrently letting employees know which businesses may not respect their privacy, should they consider working for them. Greater consultation with employees and unions could also be encouraged.
If employees’ Article 8 rights continue to be breached, we can expect to see increasing numbers of claims being made in tribunals and courts. If these claims show an inadequacy in the current regulatory regime, rather than a failure on the part of employers to comply with it, it may transpire, in due course, that statutory correction needs to be considered.
Alternatives to Monitoring
In some sectors monitoring will be a necessity—financial services firms were recently warned by the FCA that it expected them to put in place rigorous oversight on traders working from home. However, for many others, the first question that should be asked is not what type of monitoring is required, but if any is needed at all. In a recent CIPD report, 73% of employees who responded felt that introducing workplace monitoring would damage the trust between them and their employers. Arguably, maintaining trust is even more important when employees work from home than when they are in the office environment. Indeed, in some cases, the need to use tracking software may indicate bigger problems than productivity.
Choosing alternatives to employee monitoring software has a number of benefits. Encouraging managers to check in regularly with employees and build strong working relationships with them can increase employee loyalty. Motivating employees to engage with the aims of the business can be done via clear instruction and recognizing and rewarding positive behaviors and performance. This approach—creating a desire to do well rather than a fear of failure—is more likely to have the added benefit of improved wellbeing as well as productivity.
Monitoring of employees, however, should not be demonized. Data that is collected can be used to enhance worker wellbeing as well as safeguard the employer’s interests. The key is for the employer to assess the risk posed by home working and to respond in a proportionate manner that limits encroachment on their employees’ right to a private life.
Labor Law Revolution In Mexico: New Labor Laws Enforced By The U.S. Government Against U.S. Companies
Within the last few months, U.S. employers doing business in Mexico have felt the effects of the enforcement mechanisms of the “U.S.-Mexico-Canada Agreement” (“USMCA”). It is perhaps counterintuitive to many employers that the USMCA would result in labor enforcement actions against U.S. companies under Mexican law. But it is.
Most readers—especially in Texas, whose largest trade partner is Mexico—will be aware that the USMCA (i) went into effect on July 1, 2020, (ii) is the result of President Trump’s renegotiation of NAFTA, and (iii) has a goal of enforcing the stronger labor laws that Mexico was required to enact as part of the USMCA.
While the history of enforcement of labor laws in Mexico might lead some U.S. companies operating there to assume the same level of enforcement in the future, the USMCA also established an Interagency Labor Committee, which has the power to refer complaints of denials of labor rights in Mexican facilities to the U.S. Trade Representative, who, in turn, may take enforcement action.
The first two such enforcement actions have been related to U.S. companies. This may be unsurprising—it makes sense that the U.S. Trade Representative has particularly good enforcement mechanisms with respect to U.S. companies that have facilities in Mexico. As a result of the first petition under the USMCA’s “Rapid Response Labor Mechanism,” General Motors entered into a comprehensive plan to address labor practices at its Silao, Mexico facility last month. This month, the Mexican based subsidiary of an American company, Cardone Industries, with operations in Matamoros, Mexico, entered into an action plan and agreed to pay damages, including backpay, to Mexican workers. The action plan was the result of a petition filed by the AFL-CIO and other unions.
These action plans are agreements with the U.S. government and give the U.S. government power to enforce them. In effect, a U.S. government agency can now enforce Mexican labor law against the companies in these agreements. These first instances of success unions have had under the Rapid Response Labor Mechanism of the USMCA mean it is likely there will be more of these types of actions.
Not only is the greater enforcement of Mexican labor laws important for U.S. companies to note, but also, as companies with cross border operations develop Environmental, Social and Governance (“ESG”) programs, they need to note how USMCA actions can impact the “S,” or social aspect, of their ESG disclosures. Due to the focus on ESG by investors and the Securities and Exchange Commission (as the V&E ESG Taskforce has written continuously over the last few years), now is the time for companies to evaluate compliance with Mexican labor standards, with respect to both their subsidiaries in Mexico and the companies in their supply chains.
Employer Guidance Regarding Mandatory Vaccinations
More employers either have or are considering mandating employee vaccinations for COVID-19
While generally permissible under federal employment laws, employers must accommodate employees with disabilities or sincerely held religious beliefs that may limit their ability to receive a vaccine
When determining what to do regarding vaccination policies, employers should consider state laws and state executive orders
On Aug. 23, 2021, the Federal Drug Administration (FDA) granted full authorization to Pfizer’s COVID-19 vaccine, now branded as Comirnaty, and it is expected that the Moderna and Johnson & Johnson vaccines will receive full authorization as well. This approval helps employers address one objection that some employees had raised about vaccine mandates.
President Biden followed up the FDA’s announcement by requesting that employers begin mandating COVID-19 vaccinations for their employee populations.
Other federal agencies have weighed in on mandatory vaccine policies. On Aug. 13, OSHA also issued non-binding guidance recommending that employers consider adopting mandatory COVID-19 vaccination policies. Although non-binding, this language underscores OSHA’s support for properly drafted vaccination mandates, given the current pandemic situation.
Even before the FDA took this step, a number of large employers, including the Walt Disney Co., and Facebook, all announced either mandatory vaccination policies or that they are requiring employees to be vaccinated in order to return to their offices.
The Employer Guidance addresses the labor and employment considerations for employer mandatory vaccination policies and is generally focused on non-healthcare employers given that some state and local jurisdictions have already mandated vaccines in the healthcare industry. Additionally, President Biden announced that nursing homes will be required to vaccinate their staff or risk losing Medicaid and Medicare funding in the near future.
At present, there is no federal employment law prohibiting private or public sector employers from implementing a policy requiring employees to receive a COVID-19 vaccination.
Title VII Considerations
Title VII prohibits discrimination based on religion and employers are required to reasonably accommodate employees that refuse vaccinations (not just a COVID-19 vaccination) due to sincerely held religious beliefs. The courts have also held, however, that employers are not required to accommodate personal lifestyle choices or preferences. Determining whether an objection to the COVID-19 vaccine is based on a sincerely held religious belief requires some caution and sensitivity. While employers are generally permitted to assess whether an employee has a sincerely held religious belief that requires accommodation, and what accommodation is needed, prior to the COVID-19 pandemic, the Equal Employment Opportunity Commission (EEOC) had recommended that employers assume a request for religious accommodation was legitimate.
Whether that position changes, given the pandemic, remains to be seen. In addition, it should be noted that the standard for reasonably accommodating an employee under Title VII is different than reasonably accommodating an employee with a disability under the Americans with Disabilities Act (ADA). Under Title VII, an employer is not required to reasonably accommodate an employee’s sincerely held religious belief if it would impose more than a “de minimis” cost or burden on the business.
Americans with Disabilities Act (ADA)
Under guidance from the EEOC, asking employees whether they have been vaccinated or requiring proof of vaccination, is not a medical examination under the ADA (though vaccination status is considered confidential medical information). The ADA does not otherwise prohibit an employer from implementing a policy requiring employees to get vaccinated. However, the ADA does require that an employer reasonably accommodate an employee with a disability that prevents them from receiving a vaccination. The employer will need to work with the employee to determine the appropriate accommodation.
Certain states have taken steps potentially limiting mandatory vaccination policies. Montana was the first state to prohibit discrimination by private employers based on an employee’s vaccination status. Others have prohibited state and local government employers from implementing vaccine mandates. Finally, some states, either by legislation or executive order, have intended to ban or limit use of so-called “vaccine passports” establishing proof of vaccination status. Many of these limitations do not apply to private sector employers. Those that do may not survive judicial challenge, as demonstrated by a district court recently entering an injunction prohibiting Florida from enforcing its ban on “vaccine passports” against Norwegian Cruise Lines. Therefore, employers must evaluate state and local restrictions and work with counsel concerning the same in developing their vaccination program.
Most state anti-discrimination statutes governing religious and disability discrimination have been interpreted in a manner consistent with Title VII and the ADA. However, court or state agency decisions under these state anti-discrimination laws should also be reviewed.
NLRA and Bargaining-Related Considerations
There is some uncertainty under the National Labor Relations Act (NLRA), given that its previous general counsel had issued non-binding guidance that employers might unilaterally implement changes in terms and conditions of employment in response to an emergency related to the COVID-19 pandemic. The NLRB has previously ruled mandatory vaccination or infection control policies that result in changes to employees’ terms and conditions of employment are a mandatory subject of bargaining. Therefore, absent a specific grant of authority under a collective bargaining agreement or a union waiver of the right to bargain, a unionized employer should consider giving its union notice and an opportunity to bargain over a mandatory vaccination program. If bargaining is required, the decision cannot be implemented until either an agreement or impasse is reached.
Moreover, even if the employer has the contractual right to implement a mandatory vaccination program (or the union has waived its right to bargain over that decision), bargaining may still be required over the effects of that decision, such as a deadline for employee vaccines or the disciplinary consequences for those who refuse.
As a practical matter, collaborating with the employees’ bargaining representative concerning such a program or policy may be necessary to “sell” the policy to employees, given that some, but not all, unions have come out in favor of vaccination mandates. Unionized employers should consider reviewing their applicable collective bargaining agreements to confirm their ability to unilaterally implement such a mandate or discuss the issue with the employees’ collective bargaining representative.
Non-union employers must also consider that the NLRA protects employees’ rights to engage in protected concerted activity regardless of whether a union is present. In the vaccination context, this might include a group protest or walkout over a mandatory vaccination program. Generally speaking, under the NLRA, it is unlawful to discipline or discharge employees engaged in protected concerted activity. Therefore, employers should consider consulting labor counsel in the event of concerted employee activity protesting a mandatory vaccination policy.
The COVID-19 vaccine is currently being provided to the public free of charge. However, an employer may be required to compensate an employee for time spent obtaining a vaccination, such as those employers covered by the new OSHA COVID-19 Emergency Temporary Standard governing the health care industry. The issue of whether time spent getting vaccinated is compensable is a fact-intensive inquiry that may also require an analysis of state wage-hour laws, in addition to federal laws.
Many employers have hesitated implementing mandatory vaccination policies. Instead, employers have relied upon educating their employees on the well-established data supporting the safety and effectiveness of the vaccines and are encouraging and/or incentivizing employees to get vaccinated. Given the high levels of misinformation concerning the vaccines, as well as a rise in vaccine hesitancy and/or active resistance to the COVID-19 vaccines, employers must carefully consider the potential impact of such a policy, particularly given the current challenges some employers are having in obtaining adequate staffing.
As an example, it was reported that when Houston Methodist implemented its mandatory vaccination program for its healthcare workers—a program upheld by a federal district court—over 150 employees resigned or were terminated. Consideration should also be given to the various stakeholders—employees, vendors, customers, and of course, the employer’s operations.
Checklist for Creating Mandatory Vaccine Policy
In deciding whether to adopt a mandatory vaccine program, an employer might consider the following issues, in addition to reviewing the legal considerations with counsel:
- Why is the policy being implemented? Will it improve or hurt operations? Will it provide for a safer workplace? Should it be implemented across the board, or only at certain work locations or within certain classifications of employees? If so, what is the justification for differentiating between work locations, or groups of employees?
- What is the current vaccination status of your employee population? Has a voluntary program been effective, and how have employees reacted to your efforts to educate and encourage vaccination? Have you attempted to incentive your workforce to get vaccinated prior to moving to a mandatory vaccination policy?
- What is the likely reception by employees, customers, visitors, vendors and the public? How will you address potential objections to the policy among any of these stakeholders?
- What is your understanding of federal, state and local legal restrictions (or requirements) that impact your implementations of a mandatory vaccination policy? It’s important that employers stay up to date, as state and local government policies and reactions, in particular, have been rapidly evolving, and this will only continue given the continued spread of COVID-19 variants, as well as the politicization of the COVID-19 vaccines and vaccine mandates.
- Develop a written policy. Such a policy should be reviewed by in-house or external counsel, as well as human resources and communications professionals. The policy must be clear so that it is understood by all employees, and detail the requirements of the policy, the consequences for not complying, and the process for requesting accommodations/exceptions to the policy. In advance of implementation, employers should also have a well-defined decision tree for assessing requested accommodations.
Imposing Group Health Plan Monthly Surcharges On The Unvaccinated
Calling it “a more-punitive approach toward getting its workforce vaccinated against Covid-19,” the Wall Street Journal recently reported that Delta Airlines will require its unvaccinated workers to pay a $200 monthly health insurance surcharge. Delta’s CEO is quoted as saying the “additional charge will help to cover hospital stays that are more likely for unvaccinated people infected with Covid-19,” which he claimed, “can cost the company as much as $50,000 a person.” Delta later reported that “just within the two weeks of the announcement, we’ve seen nearly 20%, or one-fifth, of that 20,000 decide to get the vaccine.” While efforts to impose workplace vaccine mandates are not new (and only heating up), Delta’s approach based on an economic incentive has caused some to ask whether it is permitted under applicable law. This post explores that question.
Delta’s $200 Monthly Surcharge is Likely Permissible under HIPAA and the ACA.
First, some background. No Federal law requires that employers provide group health plan coverage to all employees on the same terms and conditions. Rather, employers have a good deal of latitude to design their group health plan eligibility and coverage terms and to dictate premium costs subject to certain limitations. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Affordable Care Act (ACA), bars health plans from discriminating (e.g., charging different premiums or contributions imposing different deductibles, copayments or other cost sharing requirements) against an individual based on the individual’s “health factors,” which would likely include one’s vaccination status.
To this general nondiscrimination rule, however, HIPAA recognizes an exception for certain “wellness programs,” whereby an employer can offer an award to the employee based on their participation in the program. Final regulations issued in 2013 under the Affordable Care Act (ACA) (the 2013 Final Regulations) recognize two types of wellness programs provided in connection with a group health plan that will satisfy the exception to HIPAA’s nondiscrimination rules: (1) participatory wellness programs; and (2) health-contingent wellness programs.
(1) Participatory wellness programs
Participatory wellness programs are generally available without regard to an individual’s health status. Either no reward is offered, or none of the conditions for obtaining a reward are based on an individual satisfying a standard related to a health factor. These programs comply with the nondiscrimination requirements so long as the program is made available to all similarly situated individuals.
(2) Health-contingent wellness programs
Health-contingent wellness programs require participants to satisfy a standard related to a health factor in order to obtain a reward. There are two types of health-contingent wellness programs: (i) activity-only; and (ii) outcome-based.
(i) Activity-only programs
Activity-only programs require an individual to perform or complete an activity related to a health factor in order to obtain a reward.
(ii) Outcome-based programs
Outcome-based programs require an individual to attain or maintain a specific health outcome (such as not smoking or attaining certain results on biometric screenings) in order to obtain a reward.
In order to present as a viable health-contingent wellness program (and therefore avoid a violation of the HIPAA/ACA nondiscrimination rules), such a program must meet the following five conditions:
- The program must give individuals eligible to participate the opportunity to qualify for the reward at least once per year.
- The total reward for all the plan’s wellness programs that require satisfaction of a standard related to a health factor is limited—generally, it must not exceed 30 percent (or 50 percent for programs designed to prevent or reduce tobacco use) of the cost of employee-only coverage under the plan. If dependents (such as spouses and/or dependent children) may participate in the wellness program, the reward must not exceed 30 percent (or 50 percent) of the cost of the coverage in which an employee and any dependents are enrolled. For example, for an employee who elected self-only coverage with a total monthly premium of $1,600 per month, the $200 surcharge would total 13% of the total premium cost of the coverage, which is less than the 30% limit imposed by the final ACA wellness plan regulation.
- The program must be reasonably designed to promote health and prevent disease.
- The full reward must be available to all similarly-situated individuals. This means the program must allow a reasonable alternative standard (or waiver of the otherwise applicable standard) (more on that below).
- The plan must disclose in all materials describing the terms of the program the availability of a reasonable alternative standard (or the possibility of a waiver of the otherwise applicable standard).
Different requirements apply for activity-only and outcome-based programs when satisfying certain of these factors. With respect to the alternative standard, under an activity-only program, a reasonable alternative standard (or waiver of the otherwise applicable standard) must be offered to any individual for whom it is unreasonably difficult due to a medical condition to satisfy the otherwise applicable standard, or for whom it is medically inadvisable to attempt to satisfy the otherwise applicable standard. The program can seek physician verification with respect to a request for a reasonable alternative standard if the request is reasonable under the circumstances.
Although regulatory guidance has yet to be issued, provided Delta satisfies the above five factors, Delta’s $200 monthly surcharge is likely a permissible activity-only, health-contingent wellness program under HIPAA/ACA. That is: the program requires an individual to become fully vaccinated (the “activity”) for purposes relating the individual’s health status (protection against severe illness or death because of COVID-19), and in return, the vaccinated employee will not incur the $200 monthly surcharge (the award).
We look forward to seeing how Delta designed its program to satisfy the reasonable alternative standard. Does Delta’s plan require physician verification of the reason for an alternative along with attendance at an employer-paid educational training course covering pandemic-control measures (handwashing, distance, masking). Does it also require masking and testing? Or, in the alternative, does Delta merely waive the surcharge?
While we don’t know all of the particulars of Delta’s program, it is in all likelihood permissible, at least under HIPAA and the ACA.
Delta’s $200 Monthly Surcharge is Also Likely Permissible Under Applicable Anti-Discrimination Laws If It Offers Reasonable Accommodations and Part of a Voluntary Wellness Program.
Most employers that sponsor group health plans are subject to the Americans with Disabilities Act (ADA), which prohibits employers from discriminating against individuals on the basis of disability, including regarding employment compensation and other terms, conditions, and privileges of employment, which includes fringe benefits. They are also subject to other Federal, state and local laws prohibiting discrimination, such as Title VII of the Civil Rights Act, which, among other things, prohibits discrimination based on religion. The ADA and Title VII (and similar state and local anti-discrimination laws) also require employers to make reasonable accommodations to disabled employees and employees with certain religious objections and practices to enable them to have equal access to fringe benefits, such as access to, and participation in, wellness programs, unless doing so would cause the employer undue hardship.
The “reasonable accommodation” standard under the ADA and Title VII and the “reasonable alternative” standard under the HIPAA wellness program requirements are two similar, but ultimately different, concepts. As the 2013 Final Regulations recognize, compliance with the HIPAA wellness program rule requirements does not necessarily equate to compliance under any other provision of the law, including the ADA and Title VII. But presumably if an employer provides a reasonable alternative that would allow participation in the wellness program, then it should also meet the ADA and Title VII’s reasonable accommodation standard. (A now-withdrawn ADA final rule from the Equal Employment Opportunity Commission (EEOC) had said as much.) For example, Delta would likely satisfy the ADA and Title VII’s reasonable accommodation requirements by permitting a surcharge waiver if the employee attends a pandemic control educational course. Other accommodations could include onsite masking or testing, or simply waiving the surcharge requirement altogether for those that qualify for an accommodation.
The ADA also generally restricts employers from asking employees to provide health information or to submit to a medical exam. As with the HIPAA/ACA nondiscrimination rules, an exception applies here, too—employers may inquire about an employee’s health or conduct medical examinations that are part of a voluntary employee health program, including wellness programs.
Some may point to a recent EEOC pandemic-related guidance document in which the EEOC notes that inquiring about an employee’s vaccination status is not a disability related inquiry under the ADA when the inquiry pertains to a vaccination administered by a third party (e.g., the employee’s health care provider, pharmacy, etc.) and not by the employer or its agent. And therefore, the voluntary nature of the wellness program is irrelevant because the ADA does not apply. But we urge employers to exhibit caution here despite the fact that this observation would indeed be correct. And that is because if an employer requires an employee to identify their need for a “reasonable alternative” under their wellness program to satisfy HIPAA rules—a.k.a. the employer is asking the “why” behind the employee’s unvaccinated status to make an exception to its program’s requirements—then the employer has now potentially asked a disability-related question and we fall back into ADA territory.
The EEOC has, over the last few years, struggled to establish rules governing the meaning of “voluntary” under the ADA (and another discrimination law, the Genetic Information Nondiscrimination Act (GINA), which prohibits discrimination based on genetic information with respect to health insurance and employment). A Federal district court invalidated a 2016 final rule defining the meaning of “voluntary.” Proposed Trump-era rules issued in January 2021 under the ADA and GINA tried again, this time by stating that de minimis incentives could be offered to meet the definition of voluntary for a health-contingent wellness program and noted that HIPAA’s 30% reward rule (discussed above) would meet that standard. The Biden Administration, however, withdrew these proposed rules. So the EEOC’s current position on health-contingent wellness programs is in flux, and its most recent view can be found in the aforementioned EEOC pandemic guidance Q&A document in which it states that to be voluntary, “any incentive (which includes both rewards and penalties)” must not be “so substantial as to be coercive.”
With this in mind, questions remain over whether Delta’s program would comply with the ADA. Would the Biden Administration conclude that a $200 monthly surcharge ($2,400 annually) is not “so substantial as to be coercive,” and therefore Delta’s program is voluntary? We would think given the Biden Administration’s push for vaccination, it would endorse this program, but we eagerly await further guidance confirming or disabusing us of this view. Further, regardless of the Administration’s view, would a court apply the EEOC’s current standard similar or the “de minimis” standard from the now withdrawn regulation, or some other standard in analyzing the surcharge?
Questions also remain over whether a wellness program will be considered “voluntary” where an employer waives the surcharge if the employee agrees to COVID-19 testing, but where the employer requires the employee to pay for such testing. Leaving aside any potential wage and hour issues, vaccination may seem like the only viable option for employees in that case, which could impact a voluntary finding.
Do Employers Have To Pay For COVID-19 Testing Time?
As many employers implement a COVID-19 vaccination-or-weekly-testing mandate (soon to be required of all employers with 100+ employees, as we discussed here), a recurring issue is whether the time that employees spend getting that weekly test must be paid under federal and state wage and hours laws. And the answer is a lawyerly, “Well, it depends.” (Of course).
Earlier on in the pandemic, the US Department of Labor issued some guidance on COVID and the Fair Labor Standards Act. This guidance included the following Q&As:
7. If my employer requires COVID-19 testing during the workday, do I need to be paid for the time spent undergoing the testing?
Yes, under the FLSA, your employer is required to pay you for time spent waiting for and receiving medical attention at their direction or on their premises during normal working hours. Other laws may offer greater protections for workers, and employers must comply with all applicable federal, state, and local laws.
8. My employer is requiring me to undergo COVID-19 testing on my day off before I can return to the jobsite. Do I need to be paid for the time spent undergoing the testing?
It depends, under the FLSA, your employer is required to pay you for all hours that you work, including for time on your vacation day if the task you are required to perform is necessary for the work you are paid to do. For many employees, undergoing COVID-19 testing may be compensable because the testing is necessary for them to perform their jobs safely and effectively during the pandemic. For example, if a grocery store cashier who has significant interaction with the general public is required by her employer to undergo a COVID-19 test on her day off, such time is likely compensable because it is integral and indispensable to her work during the pandemic. Other laws may offer greater protections for workers, and employers must comply with all applicable federal, state, and local laws.
Testing during the workday. So, if the employee is being tested during their normal workday, that time is definitely compensable. (At least that’s clear.)
Testing during off-duty time – federal law. But if the employee is being required to get the testing done during their off-duty time, it becomes a whole lot messier. Under the DOL’s guidance above, the issue really is whether “the testing is necessary for them to perform their jobs safely and effectively during the pandemic.” For those in direct contact with the public, it would seem that they meet that standard, meaning that they should be paid for the time.
As for others not directly dealing with the public, although they are being required by the employer/government mandate to get the testing, it’s not “necessary” for their specific job (even though it’s being required if you understand the difference). For these other folks, it’s arguably not compensable time.
The existing caselaw on the somewhat-related issue of security screenings is supportive of this difference—the U.S. Supreme Court has held that post-shift security screenings, although required by the employer, are not a part of the employee’s principal duties and need not be compensated (we discuss this 2014 ruling in detail here).
Of course, no court has actually ruled on this specific COVID-testing issue yet, so who knows if they would agree with the DOL or our analysis? It’s possible they could find that required testing time is compensable for all employees, regardless of the job.
Given the forthcoming OSHA Emergency Temporary Standard that will require employers with 100+ employees to implement these vaccination-or-weekly-testing mandates, this issue looms large. We hope that the DOL (OSHA’s parent agency) will provide clarification. (And, in fact, we sent in a formal request to OSHA to address this specific issue during their recent briefing on the ETS, which we blogged about here. We’re trying, folks!)
Off-Duty Testing – State Laws. But regardless of the federal FLSA, employers must also keep state laws in mind—and these are, frankly, all over the place (yes, literally and figuratively). Depending on the state, off-duty testing time may or may not be considered working time. For example, California just issued guidance that COVID-19 testing time is working time and therefore employers must pay for it. In Maryland (my home state), employers must pay for any time that employees are required to report to the workplace, which sets up a weird situation where employers will have to pay if the testing is done at the workplace (like many healthcare employers do) but perhaps not if the employee goes elsewhere to get the test.
If the Time Is Paid, Some Options. Now, if the time is compensable, that’s not necessarily the end of the matter. Potentially, the testing time can be paid at a different rate—e.g., minimum wage. Employers who are interested in this option need to check applicable state laws—including those that may require advance notice (often a pay period) of any reduction in the rate of pay.
Also, another potential option is to require the employee to use their accrued PTO or vacation (but probably NOT statutory sick leave, since they’re not actually sick—depending on what any applicable state sick leave law says about reasons for sick leave and whether employees can be forced to use it for a qualifying reason) to cover the testing time. (Somewhat relatedly with regard to exempt employees, the DOL has stated in an opinion letter that employers can force them to use PTO to receive compensation for time off in order to meet the salary requirement for exempt status—I’m extrapolating from this principle.) Under the federal FLSA, the employee is being paid, so it should meet the requirements of the FLSA (although, again, this approach with regard to non-exempt employees has never been tested before the DOL or in court).
Arguably, an employee might claim that the employer was violating some contractual commitment of the PTO/vacation policy—but to the extent that the policy is in a handbook with a disclaimer, this would not be a viable claim. And (BIG CAUTION HERE), employers MUST check state law (or, actually, consult with their employment counsel) to see if this would be permitted, since many states consider vacation or PTO to be compensation, and there may be rules around forcing employees to use it.
So, bottom line, this is not an easy question, there are no easy answers, and we hope the DOL will help provide some clarification. But if payment is required, there may be some interesting options available to the employer, in lieu of paying straight time…