Employers are increasingly imposing requirements or offering incentives for employees to get vaccinated against COVID-19. President Biden’s executive order requiring federal contractors and subcontractors to comply with COVID safety precautions, including vaccination requirements, has accelerated this trend. Regulations by the Centers for Medicare and Medicaid Services (CMS) will require 17 million employees of Medicare- and Medicaid-participating hospitals and health care facilities to be vaccinated. By the end of November, all federal employees must be vaccinated or qualify for exceptions. Finally, the Occupational Safety and Health Administration has sent to the White House for review an emergency regulation that would mandate all employers with more than 100 workers to require vaccinations or weekly COVID tests.

Employers who impose vaccine mandates or offer incentives, however, must navigate a complex web of legal requirements. Their ability to impose mandates is limited by the Americans with Disabilities Act (ADA) and Title VII’s prohibitions against disability and religious discrimination. Vaccine incentive programs are governed by the Affordable Care Act (ACA) prohibition against health status discrimination. An employee vaccination program also may violate medical privacy rules under ADA, Health Insurance Portability and Accountability Act (HIPAA), and Genetic Information Non-Discrimination Act (GINA) regulations. Guidance issued recently by CMS, the Department of Health and Human Services’ Office of Civil Rights, and the Safer Federal Workforce Program, combined with earlier guidance from the Office of Economic Opportunity, provides some direction through this thicket of federal requirements.

Vaccine Mandates and Federal Law

Federal law permits, and in some situations requires, employers to ensure that their employees are vaccinated against COVID-19. Title VII and the ADA, however, limit the ability of employers to do so.

The ADA prohibits an employer from requiring an employee to be vaccinated if he or she has a disability that prevents a COVID-19 vaccination, unless the employee poses a “direct threat” in the workplace and no reasonable accommodation can be offered. At least for federal employees, the list of disabilities that would prevent vaccination (such as an allergic reaction to the vaccine) is very limited, although additional medical conditions (such as recovering from certain illnesses) may warrant a delay. Because COVID-19 is contagious, and thus unvaccinated employees can pose a threat to coworkers and customers, the focus of inquiry in most instances will be on whether a reasonable accommodation was offered rather than on the direct-threat requirement.

Title VII also requires employers to offer reasonable accommodations to employees who decline vaccination because of sincerely held religious beliefs, practices, or observances.

Reasonable accommodations might include masking, regular testing, telework, or limiting contact with other employees. An employer need not offer an accommodation for a disability or religious objection if doing so would cause an “undue hardship” to the employer, meaning a “significant difficulty or expense” for a disability accommodation or “more than minimal cost or burden” for a religious accommodation. For federal employees and employees of federal contractors, none of the following excuses compliance with the vaccine mandate: evidence of having already had COVID-19, the presence of COVID-19 antibodies, remote work, or compliance with a state law prohibiting mandates (such as those enacted in Texas or Montana).

About 40 federal lawsuits have been filed challenging employer or government vaccine mandates. In about half of these, the court has refused to block the mandate or dismissed the case. The only successful cases have involved government mandates that failed to accommodate religious objections.

Employer Vaccine Incentives

Employers can offer incentives to their employees to confirm they or their families are vaccinated. If an employer offers the vaccination itself, however, the program must be voluntary because, before giving the vaccine, the employer would have to ask screening questions related to disability or family medical history, and such questions are prohibited under the ADA and GINA. If the incentives offered are so great that the employee is effectively coerced into answering these questions, the program would be involuntary and would violate the law. Incentives to get vaccinated from community-based providers — for instance, at a pharmacy — are allowed. Simply inquiring about vaccine status violates neither of these laws.

Health Plan–Related Vaccine Incentives

If an employer offers vaccination incentives or surcharges through its own health plan, such as Delta Airlines’ program charging unvaccinated employees $200 extra per month in premiums, a different set of laws comes into play. The ACA prohibits discrimination in health benefits based on health, including vaccination status. It does, however, permit wellness program incentives that meet certain requirements. A program that discounts or increases premiums or cost sharing based on vaccination status is considered an “activity-based” wellness program and must be reasonably designed and offer the full reward to all similarly situated individuals. The reward or penalty may not exceed 30 percent of the total cost of employee-only coverage. Individuals for whom vaccination is unreasonably difficult because of a medical condition or is medically inadvisable must be offered a waiver or reasonable alternative, such as compliance with other COVID-19 safety guidelines. An employer may not simply condition eligibility for medical benefits on vaccination.

If the amount of a premium surcharge would make employer-sponsored health coverage unaffordable under the ACA (defined as costing more than 9.83 percent of household income for 2021) and an employee gets premium tax credits based on unaffordability, a large employer may have to pay the penalty the ACA imposes under the employer mandate for failing to offer affordable coverage.

The Privacy Rule and Vaccine Information

The HIPAA privacy rule, which protects medical information, only applies to “covered entities”: health plans, health information clearinghouses, health care providers, and businesses that carry out health care functions and activities for them. It does not affect the ability of employers, schools, stores, restaurants, entertainment venues, or individuals to ask whether an individual is vaccinated. It also does not prevent individuals from responding to such a question. Individuals also may ask a company whether its workforce is fully vaccinated. Employers must, however, keep vaccine information on individual employees confidential and store it separately from personnel files.

Health care providers and other covered entities may disclose vaccination information only if authorized by the patient or as permitted by privacy law exceptions; for example, to public health agencies or to an insurer to collect payment.


In sum, private employers may — and in some situations, must — require their employees be vaccinated against COVID-19. In imposing this requirement, however, employers must be mindful of federal laws prohibiting discrimination, regulating health plans, and protecting privacy. Recent federal agency guidance makes these requirements clearer.