Last week, the Occupational Safety and Health Administration (OSHA) issued an Emergency Temporary Standard (ETS) implementing President Joe Biden’s COVID-19 vaccine mandate covering employers with at least 100 employees. The ETS is summarized here, including the general compliance deadline of 30 days from November 5, 2021, with an additional 30 days for testing to begin, if applicable.

Employers may already have the basic policy in place – get vaccinated or submit to periodic testing. But they may not be ready for the ETS’ record collection and record keeping requirements, or the obligations to make these records available upon request, sometimes within 4 business hours. Those are outlined here should the ETS survive the legal challenges filed in courts across the country.

When employers consider their ETS policies, they should consider these records issues to ensure compliance.

What records must covered employers collect and maintain?

Vaccination status. Because the ETS requires covered employers to determine the COVID-19 vaccination status of each employee, covered employers must collect “acceptable proof” of vaccination status, including whether each employee is fully or partially vaccinated. The list of items constituting “acceptable proof” includes, among other things, a copy of a COVID-19 Vaccination Record Card. See the full list here. If these items are unavailable, “acceptable proof” may also be an employee’s written certification, which is a signed and dated statement by the employee:

  • Attesting to vaccination status,
  • Attesting that they lost or are otherwise unable to provide the other forms of acceptable proof, and
  • Stating: I declare that this statement about my vaccination status is true and accurate. I understand that knowingly providing false information regarding my vaccination status on this form may subject me to criminal penalties.

The ETS notes that when attesting to vaccination status, employees should include in the attestation, to the extent they can recollect: (i) vaccination type, (ii) date(s) administered, (iii) name of health care professional(s) or clinic site(s) administering the vaccination. Employers using an app for this purpose, will want to ensure the app can capture this information, if available.

Employers must maintain a record of each employee’s vaccination status and preserve the “acceptable proof” for each fully or partially vaccinated employee. This includes the vaccine ascertainment records the employer obtained from employees prior to the ETS becoming effective. Employers also must maintain a roster of each employee’s vaccination status. The roster must list all employees and clearly indicate for each one whether they are fully vaccinated, partially vaccinated, not fully vaccinated either because (i) they qualify for a medical or religious accommodation, or (ii) they have not provided acceptable proof of their vaccination status.

Testing. Covered employers that opt for a policy permitting employees either to be fully vaccinated or provide proof of regular testing must collect:

  • Documentation of the most recent COVID-19 test result which may not be provided more than seven days after the employee last provided a test result. This is for employees who report at least once every seven days to a workplace where other coworkers or customers are present.
  • Documentation of a COVID-19 test within 7 days prior to returning to the workplace, to be provided upon return. This is for employees who do not report for seven or more days to such a workplace.

The employer must maintain a record of each test result provided by each employee.

Are these records confidential?

The vaccination records and rosters, as well as testing records, discussed above are considered employee medical records and must be maintained as such. They must not be disclosed except as required or authorized by the ETS or other federal law. Here are some best practices to consider. Employers using third parties to assist in the administration these obligations should take steps to assess the safeguards in place at those third parties.

How long must the records be maintained?

In a move that will please covered employers, OSHA’s standard 30-year retention requirement is not applicable to the records or rosters discussed above. Instead, they must be maintained and preserved while the ETS remains in effect. Of course, all are hoping that period will be much shorter than 30 years! But remember the Emergency Temporary Standard is just that, temporary, and only remains in effect for 6 months unless extended, while OSHA works on a permanent standard under which OSHA could choose to make COVID-19 vaccination records subject to its normal 30 year rule for retention.

Do employees have a right to the COVID-19 vaccination or testing records maintained by their employers?

Yes. Covered employers must make individual COVID-19 vaccination documentation and any COVID-19 test results available either to an employee or anyone with the written authorization of the employee. The records must be available for examination and copying, and must be available by the end of the next business day following the request. The regulation does not indicate whether the employee’s request must be in writing.

In an effort to help ensure compliance with the ETS, covered employers also must make available to an employee or the employee’s representative (no written consent required here; OSHA does not believe these records will contain any PII and has no serious confidentiality or privacy concerns) the aggregate number of fully vaccinated employees along with the total number of employees at the workplace.  Again, employers must make this information available by the end of the next business day following the request. Representatives include an employee’s (or former employee’s) personal representative as well as an authorized representative – an authorized collective bargaining agent of one or more employees.

What about OSHA, does it have a right to the COVID-19 vaccination or testing records maintained by employers?

An even tighter time frame applies to the obligation of covered employers to provide the Assistant Secretary for examination or copying (i) the employer’s written policy required for vaccination/testing and (ii) the aggregate number of fully vaccinated employees and total number of employees at the workplace. An Assistant Secretary includes the Assistant Secretary’s designees, which could include OSHA’s Compliance Safety and Health Officers.

The time frame – within 4 business hours of a request. If the records are maintained at a location in a different time zone, the employer may use the business hours of the establishment at which the records are located when calculating the deadline. For any other records required to be maintained under the ETS, covered employers have until the end of the next business date after the request to provide same to the Assistant Secretary.

How must these requests for information be submitted to employers?

As noted in ETS FAQs, employees, employee representatives, and OSHA can submit requests in any manner that provides adequate notice of the request to the employer. This may include requests by in writing (e.g., email, fax, letter), by phone, or in person.


We anticipate many employers will be leveraging either existing platforms or new applications to assist with managing the records, roster, and other information required under the ETS. In the course of doing so, employers should be sure to maintain the privacy and security of the information throughout the process.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.