Thought Leadership

Masks Off: Navigating the COVID-19 Vaccine Era

Client Updates

As vaccination rates rise and local governments loosen COVID-19 restrictions on non-essential workers, companies will need to consider several factors as they implement their own strategies for bringing remote workforces back into the office. The growing acceptance of remote working and the desire of many workers to maintain some level of remote work will likely lead to hybridized workforces and a continuing need to maintain good privacy and data security hygiene. Bringing a workforce back, however, raises new concerns over issues such as masks, physical distancing, and vaccination status.

Companies should remain attentive to rapidly changing federal, state, and local COVID-19 guidance or requirements in order to remain compliant with relevant health, privacy, and employment laws.

One of the most challenging aspect of returning to the office for employers will be policy choices around vaccination status. Companies of all sizes are determining whether to require vaccinations and how best to accommodate unvaccinated workers. Whether by personal choice, medical necessity, or other reasons, not all personnel will be vaccinated.


1. EEOC Guidance

The Equal Employment Opportunity Commission (EEOC) has recently confirmed that employers may require employees to be vaccinated but must offer exemptions for employees who will not be vaccinated pursuant to Title VII religious exemptions or Americans with Disabilities Act accommodations. Employees with sincerely held religious beliefs foreclosing vaccination or who cannot be vaccinated because of a disability or pregnancy may be entitled to reasonable accommodations, so long as the accommodations do not pose an undue hardship on the employer’s business. The scope of reasonable accommodation reached with the employee might include, for example, continued requirements to wear a mask, social distancing, continued remote working, or even requiring periodic COVID-19 testing.

The EEOC, however, has cautioned employers that chose to require vaccination to “keep in mind that because some individuals or demographic groups may face greater barriers to receiving a COVID-19 vaccination than others, some employees may be more likely to be negatively impacted by a vaccination requirement.” If that barrier disproportionately affects a protected class, otherwise lawful practices may give rise to allegations that a mandatory vaccination policy has a discriminatory effect in violation of Title VII. Employers should evaluate the goals of their vaccination policy and consider if such goals would be met through a voluntary vaccination policy that offers incentives to encourage vaccination. To that end, the EEOC has stated incentive programs are permitted provided that the incentive is not “so substantial as to be coercive.”


2. Rapidly Changing Local Requirements

Federal, state, and local guidance or requirements remain in flux and should be consulted prior to implementation of company policy changes. Some localities update their guidance regularly to reflect changes made by the CDC or state public health agencies to those agencies’ standing COVID-19 guidance, while others are slower to adapt and rely heavily on references to outside agencies.

For example, Santa Clara County, California, the home of Silicon Valley, recently issued a mandatory directive requiring all businesses and governmental entities to determine the vaccination status of all employees, contractors, and volunteers working on site. The guidance provides for different treatment of vaccinated and non-vaccinated personnel. For example, employers must temporarily exclude personnel who are not fully vaccinated from the workplace following “close contact” with a confirmed case while fully vaccinated persons could continue to work in office. And if employees refuse to provide their vaccination status (which they are entitled to do under the directive), employers would be required to treat them the same as confirmed, non-vaccinated personnel.

In contrast, the State of Texas dropped all public masking requirements in March and recently prohibited local governments, including school districts, from imposing mask requirements. Private businesses may still require customers and employees to wear masks, with reasonable accommodations for individuals with disabilities who cannot wear a mask.

This leaves employers in a position where they may develop their own policies within the constraints of sometimes conflicting federal and state laws. For example, businesses operating on federal property would still be subject to President Biden’s January 21, 2021, executive order mandating masks in federal buildings and on federal land but would be able to adopt their own vaccination policies.


3. Privacy Requirements and Best Practices

An employer’s COVID-19 policy may have privacy implications. For example, if masking is tied to vaccination status, it would become apparent who is and is not vaccinated – except that it also might not, because some vaccinated persons may choose to remain masked out of politeness or for personal health reasons. Though co-workers would not immediately be able to ascertain the reasons for non-vaccination, workplace tensions may develop as some pejoratively assume their co-workers to be anti-vaccination, compelling some to disclose medical conditions or other non-discretionary reasons for not being vaccinated they would otherwise keep private to avoid social stigmas.

For companies that require proof of vaccination, whether to comply with local requirements or self-imposed company policy, they must—depending on the jurisdictions in which they operate—follow specific privacy requirements to protect the personal information disclosed and treat it the same way they would treat other similar private information. This includes disclosing the purpose of the collection, collecting only the essential information necessary for the disclosed purpose, and keeping it for only as long as necessary. Employers would also need to ensure limitations on disclosure of personal information. Within the organization, access to personal information should be limited to human resources, management, and possibly security. Disclosure to third parties should occur only when absolutely necessary or required by law.


4. OSHA and Safe Workplace Considerations

Employers also have a general obligation to maintain a safe workplace in compliance with OSHA requirements. Best practices suggest employers—especially those that do not require vaccination—should implement and maintain contact tracing programs to track positive cases and limit outbreaks in the workplace. Employers should be wary of third-party applications that may not comply with privacy requirements and only collect the minimum and least intrusive information needed to keep employees and customers safe.


5. Data Security Best Practices

Along with keeping personnel information secure, hybridized workforces will continue to require employers to be vigilant about their data security practices. Best practices—and sometimes legal obligations—require companies to maintain their security protocols, including up-to-date and tested VPNs, leveraging multi-factor user authentication, robust network attack detection and logging, and possibly employing full disk encryption on end-user devices to prevent loss of sensitive data. For remote workers, even those that only occasionally work from home, regular alerts and refreshers on security awareness and how to avoid falling victim to phishing attacks should be a regular occurrence.


6. Recommendations for Return to Work Strategies

Managing a hybrid workforce will pose new challenges. Here are a few recommendations to consider when setting office guidelines.

  • Normalize online communications where practical, even for those who are in the office, to help maintain social distance within the office.

  • If social distancing policies require reduced numbers in the office, consider rotating workers in teams to minimize exposure and better facilitate contact tracing if there is a positive case within the office.

  • Consider individual employees’ circumstances and individual reasons for the need to work from home while still ensuring that the policies are fair.

  • Allow equal opportunity to work from home regardless of whether a worker has children or other compelling reasons to work from home.

  • If following the CDC’s guidance that fully vaccinated individuals do not have to wear masks or social distance in the workplace, train managers and supervisors to avoid asking questions that might uncover information about disabilities or religious beliefs and to remind others that even fully vaccinated employees may feel more comfortable continuing to wear a mask around others.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

Related Professionals