Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Recently enacted legislation in Massachusetts will significantly affect employers’ use of criminal history information for employment purposes. While most provisions of the new law (pdf) do not go into effect until February 2011, one provision, effective on November 4, 2010, requires the immediate attention of multi-state employers.

This provision generally prohibits employers from inquiring in an “initial written application form” about an applicant’s criminal history. Two narrow exceptions permit questions about criminal history if a federal or state regulation (1) disqualifies the applicant from employment in the open position based on a criminal conviction; or (2) bars the employer from hiring for one or more positions an individual with a criminal conviction. The second exception, as written in the statute, is ambiguous. It is unclear whether an employer who is barred from hiring a convicted criminal for certain positions may inquire into an applicants’ criminal history on the initial employment application used for a variety of positions, including those that can be filled by a convicted criminal. This issue is particularly important for multi-state employers who use a standard job application form for all jurisdictions.

Before the new law’s November effective date, all multi-state employers should carefully reviewany job application form that is completed by Massachusetts applicants. If the employer has no position for which federal or state law prohibits the hiring of a convicted criminal, the employer should add an instruction to Massachusetts applicants, immediately below any question seeking information about criminal history, directing Massachusetts applicants not to respond. If the employer has one or more positions for which federal or state law prohibits the hiring of a convicted criminal, the employer should consider an instruction which directs Massachusetts applicants not to answer the question unless they are applying for one or more of a list of specified positions. The list would include those positions for which state or federal law prohibits the hiring of a convicted criminal.

• Email This
• Print
• Share Link

An article that I recently published in BNA’s Privacy & Security Law Report examined the incipient trend towards state law restrictions on the use of credit history in employment decisions. Illinois has now become the fourth state — following Hawaii, Oregon, and Washington — to impose such restrictions, and similar bills are pending in nearly one dozen other states.

The Illinois law, enacted on August 10 and effective on January 1, 2011, generally prohibits employers from making any employment decision based upon an individual’s credit report or credit history. While the term “credit report” is limited to credit information provided by a consumer reporting agency (e.g., a background check vendor), the statute broadly defines “credit history” to include “an individual’s past borrowing and repaying behavior, including paying bills on time and managing debt and other financial obligations.” The new law also generally prohibits employers from obtaining a credit report on an applicant or employee and from asking an applicant or employee about his credit history.

• Email This
• Print
• Share Link

Employers are increasingly tracking their employees’ whereabouts as smartphones, laptops, and vehicles equipped with location-tracing technology become ever more prevalent. Statutes restricting the use of location-tracking devices typically do not impinge upon such tracking because the law’s definition of a tracking device does not encompass phones or laptops enabled with Global Positioning System (GPS) technology or because the law permits the vehicle’s owner to install a tracking device. The question remains, however, whether tracking employees’ location constitutes a common law invasion of privacy.

A recent decision by the federal court of appeals in the District of Columbia suggests that, in certain circumstances, employers who track their employees’ location could face liability for invasion of privacy. In U.S. v Maynard (pdf), the court held that the FBI had infringed upon the criminal defendant's reasonable expectation of privacy by “tracking his movements 24 hours a day for four weeks with a GPS device they had installed on his Jeep without a valid warrant.” Key to the court’s decision was the intimate knowledge of the suspect’s life that could be gleaned from pervasive location-tracking as opposed to observing the suspect’s public movements for a short period of time:

Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one's not visiting any of these places over the course of a month. The sequence of a person's movements can reveal still more; a single trip to a gynecologist's office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story. A person who knows all of another's travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.

• Email This
• Print
• Share Link

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post. 

This entry was written by Philip L. Gordon.

Photo credit: cosmonaut

• Email This
• Print
• Share Link

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo until new regulations are published when responding to a security incident involving PHI.

• Email This
• Print
• Trackbacks
• Share Link

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so their they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

• Email This
• Print
• Share Link

Anonymous Internet posts attacking employers and executives have become all too common. Until the Ninth Circuit Court of Appeals’ decision last week in Anonymous Online Speakers v. United States District Court for the District of Nevada Reno, courts have relied on the First Amendment right to speak anonymously to set substantial obstacles in the path of employers and executives seeking to compel Internet service providers to disclose the identity of anonymous speakers on the Web. In a case of first impression in the federal appellate courts, the Ninth Circuit appears to have made it significantly easier for employers and executives to unmask the perpetrators of anonymous Internet attacks.

The case arose out of Signature Management TEAM’s alleged smear campaign against Quixtar. According to Quixtar, TEAM was responsible for anonymous posts that accused Quixtar of “systemic dishonesty,” “systemic noncompliance” with regulations, and improperly treating its franchisees. TEAM’s online content manager refused to answer questions at his deposition seeking the anonymous speaker’s identity. Quixtar sought an order compelling disclosure; the anonymous speakers intervened in the proceeding to prevent disclosure.

In a significant victory for employers and executives, the Ninth Circuit rejected the approach to unmasking requests taken by all other courts to date. These courts required the putative victim of an anonymous attack to produce levels of proof that almost always will be unattainable at the early stages of a case when the unmasking issue typically is addressed, so the defendant can be identified, served with the complaint, and subject to discovery. The Ninth Circuit ruled that rather than requiring the victim to prove his claims, trial courts should determine whether the anonymous speech is political, religious or literary and entitled to heightened protection, or commercial and entitled to less protection.

• Email This
• Print
• Trackbacks
• Share Link

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and wen into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

• Email This
• Print
• Trackbacks
• Share Link

In its first foray into the potentially treacherous intersection of workplace monitoring of electronic communications and employee privacy expectations, the United States Supreme Court considered whether the City of Ontario Police Department violated the privacy rights of Sergeant Jeff Quon by reviewing sexually explicit text messages sent by Quon using a City-issued pager. The Court declined to issue any broad pronouncements concerning the permissible scope of workplace monitoring. The Court's decision, nonetheless, provides useful guidance for employers — whether governmental or private — on steps they can take to reduce their exposure to privacy-based claims arising from their review of employees' text messages, e-mail, and other electronic communications. To learn more about this decision and its implications for employers, please continue reading Littler's ASAP, U.S. Supreme Court Ruling Provides Guidance on Monitoring Employee Texts and E-Mails, by Philip L. Gordon and Denise Drake. 

• Email This
• Print
• Trackbacks
• Share Link