Employer and HR Guide: Can You Ask for Vaccine Records?

Kevin Henry

Data Privacy

October 01, 2024

Employer Authority to Request Vaccination Records

You may ask employees or applicants for proof of vaccination when the request is job-related and consistent with business necessity. In practice, that means you can verify vaccination status to meet safety obligations, comply with client or site rules, or support legitimate Vaccine Documentation Policies tied to specific duties.

Keep your questions narrow. Request only proof of vaccination (for example, a card or attestation) and avoid asking follow-up medical questions about why someone is not vaccinated. Those “why” questions can trigger Americans with Disabilities Act Compliance issues by eliciting disability information.

For applicants, you can state that a role requires vaccination and ask whether they can meet the requirement. If an applicant indicates a medical or religious reason for noncompliance, pause the inquiry and shift to your accommodation process rather than probing for medical detail.

HIPAA Applicability to Employment Records

Asking workers to provide vaccination status is generally not a HIPAA issue. HIPAA governs covered entities (health plans, most health care providers) and their business associates—not employers acting in their role as employers. Employment records kept by an employer are not HIPAA-protected health information, even if they include vaccine details.

However, if you seek records directly from a health care provider, you will need the employee’s written authorization. Treat those records as Confidential Medical Information under Federal Employment Law requirements and keep them separate from personnel files as part of your Employment Medical Records practices.

Confidentiality Requirements for Vaccine Documentation

Under the ADA, any medical information you collect—including vaccination cards, test results, or attestations—must be kept confidential and stored apart from general personnel files. Limit access to a small group with a clear need to know, such as HR and designated safety personnel.

Apply data-minimization. Capture only what you need: name, status, date(s) of dose(s), and verification method. Do not collect family medical history or ask about household members’ status to avoid Genetic Information Nondiscrimination Act concerns.

Security and Access Controls

  • Use role-based access, strong authentication, and encryption for stored files.
  • Document who can view, update, and delete vaccine records and why.
  • Train staff on handling Confidential Medical Information and incident reporting.
  • Restrict third-party vendors with written terms covering privacy, security, and breach notice.

Recordkeeping Obligations for Employers

Decide what evidence you will keep and for how long before you begin collecting. Options include visual checks without retention, secure copies of records, or signed attestations. Align your approach with Vaccination Record Retention Requirements and your broader record schedule.

How Long to Retain

  • General employment context: retain vaccine documentation only as long as necessary to achieve the stated purpose, then securely dispose. Many employers align with standard personnel-record retention (e.g., at least one year after separation) as a baseline, subject to stricter state rules.
  • Safety or medical surveillance programs: if vaccination relates to workplace exposures governed by OSHA-type medical record rules, longer retention may apply (often duration of employment plus decades). Confirm whether your operations fall under such requirements.
  • Litigation holds or audits: suspend destruction when a legal hold, investigation, or audit is reasonably anticipated or active.

Storage and Disposal Practices

  • Maintain a clear index of what you collect and where it lives (system of record).
  • Use secure shredding or digital wiping when disposing of records.
  • Apply consistent Employee Accommodation Regulations to documentation generated during the interactive process.
  • For multi-state employers, adopt the strictest applicable rule to simplify compliance.

Under Federal Employment Law, a vaccination policy should be job-related, applied consistently, and free from discrimination. Build a process to assess individualized accommodation requests and document your decisions. Ensure managers know not to solicit medical details outside HR channels.

ADA disability accommodations require an interactive process and an undue hardship analysis (significant difficulty or expense). For religious accommodations under Title VII, the current standard asks whether a requested accommodation would impose substantial increased costs in relation to the conduct of your business. Train reviewers to apply the correct standard and to consider alternatives.

Avoid collecting genetic or family medical information, and beware of state laws that may limit vaccine mandates, require specific notices, or impose privacy and security obligations. In unionized settings, policy changes may be a mandatory subject of bargaining. Keep all terms aligned with your Employee Accommodation Regulations and internal Vaccine Documentation Policies.

Policy Checklist

  • Purpose and scope tied to roles or worksites.
  • Acceptable proof methods and a minimal data capture standard.
  • Confidentiality, access control, and retention/disposal rules.
  • Clear accommodation request and review steps with timelines.
  • Manager training and escalation paths; vendor safeguards where applicable.

Employee Rights and Exemptions

Employees may seek exemptions due to disability or sincerely held religious beliefs. You must engage in a timely, good-faith interactive process, request only documentation necessary to evaluate the request, and consider reasonable alternatives such as reassignment, masking, testing, modified duties, or remote work when feasible.

Do not retaliate against employees for requesting an accommodation or for raising safety concerns. Share your process transparently—what to submit, who reviews it, and typical timelines—so employees understand how their Employment Medical Records will be handled and protected as Confidential Medical Information.

Recent Developments in Vaccine Record Management

Since the intense pandemic period, many employers have shifted to risk-based, role-specific approaches, emphasizing data minimization and shorter retention. Privacy laws in several states increasingly stress purpose limitation, secure storage, and timely deletion, influencing how you design Vaccine Documentation Policies.

Digital verification tools are more common, but you should prefer “verification without retention” where possible and ensure vendors do not collect more data than necessary. Review breach response plans and test your processes so you can act quickly if medical data is exposed.

Bottom line: ask only for what you need, keep it secure and separate, retain it no longer than required, and maintain a fair, well-documented accommodation process. This practical approach supports Americans with Disabilities Act Compliance while meeting operational and safety needs.

FAQs

Is asking for vaccine records considered a HIPAA violation?

No. HIPAA typically does not apply to employers in their role as employers, and employment records are generally outside HIPAA. Still, treat vaccine records as confidential under the ADA and store them separately from personnel files.

What laws regulate employer requests for vaccination status?

Federal frameworks include the ADA (confidentiality and disability accommodations), Title VII (religious accommodations), and, in certain safety contexts, OSHA-related rules. State privacy and employment statutes may add stricter requirements, so align your policy with both Federal Employment Law and applicable state law.

How should employers store vaccine records securely?

Limit access to HR or safety staff with a need to know, store in a separate medical file, encrypt digital records, and apply a clear retention schedule. Keep only minimal data and dispose of it securely once your Vaccination Record Retention Requirements are met.

Can employees refuse to provide vaccine records on religious grounds?

Employees can request a religious accommodation. You should assess sincerity on a case-by-case basis and evaluate whether accommodating the request would cause an undue hardship under Title VII. Consider alternatives before denying the request, and document your analysis carefully.
