GINA Becomes Effective November 21, 2009: Are You Ready?


The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect, (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.


New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.


Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarify many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition. 


DOT Regulation on Observed Return-to-Work and Follow-Up Drug Testing Goes into Effect August 31, 2009

After a lengthy public comment period and legal challenges, a U.S. Department of Transportation (DOT) drug testing regulation requiring employees of aviation, railroad, motor carrier, mass transit, pipeline and maritime industries who previously failed a drug test to partially disrobe and be directly observed during return-to-work and follow-up tests will go into effect August 31, 2009. Until then, observed collections are required only if a donor is suspected of attempting to adulterate or tamper with a test sample.

The requirement sat in limbo after the U.S. Court of Appeals for the D.C. Circuit stayed enforcement in November 2008 pending a legal challenge. However, as previously discussed, in May 2009 the court held the regulations valid and lifted the stay on July 1, 2009.

Accordingly, the DOT has announced that, starting August 31, 2009, employees subject to DOT return-to-work and follow-up testing must be directly observed when providing a urine sample. Additionally, before the collection begins, shirts must be raised above the waist and clothing lowered to expose genitals in order to allow the observer to verify the absence of any cheating devices.

This entry was written by Nancy N. Delogu.

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, as well as change their names, modify their identity documents, and undergo other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”


Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker, is responsible for the breach.
 


Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now

Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) goes into effect for employers of 15 or more employees on November 21, 2009. On March 2, 2009, the EEOC issued its proposed regulations for public comment. The proposed regulations attempt to clarify the definition of genetic information and provide guidance both on the limitations on acquisition of genetic information and ways to limit disclosure of genetic information acquired. As some of these regulations may change employers' practices, employers should make sure that human resources personnel and managers are familiar with the provisions of Title II of GINA before the effective date.

For more information about this development, see Littler ASAP "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards, a shareholder in Littler's San Francisco office.

 

Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctors’ visits, use of medication, and referrals for further evaluation or treatment; and (b) if an employee is requesting leave for himself, facts sufficient to show that the employee cannot perform essential job functions; or (c) if an employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.
 


A Case to Watch re Workplace Monitoring: Sidell v. Structured Settlement Investments

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.


Quon Ruling Not Significant Obstacle to Employers' Accessing Text Messages

The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text messages services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fast. Employers can easily and lawfully circumvent the court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well-established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees’ communications using corporate resources will be monitored and are not private.


Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”
 

Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill that President Bush is expected to sign barring private employers from engaging in genetic discrimination. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.
 

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die.  However, in many ways, the employment relationship lives on, albeit under different terms.  Estates may need to be administered.  Law enforcement may need to investigate the cause of death.  Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease.  How are employers supposed to respond to these requests?  More pointedly, do deceased employees have any privacy rights in their health information?  The short answer is “yes”.

California Supreme Court Just Says "No" to Weed At Work

Gary Ross, the military veteran who urged his employer to accommodate his medical use of marijuana, has failed to convince the Supreme Court of California to revive his case.  On January 24, 2008, the Court affirmed (5 - 2) the trial and appellate court decisions that RagingWire Telecommunications was not required to employ Ross, who tested positive for marijuana, even though his use of the drug has been decriminalized under California’s Compassionate Use Act.

As discussed in an earlier posting, Ross argued that his former employer, RagingWire, had discriminated against him under the California Fair Employment and Housing Act by terminating him because of his positive drug test which resulted from his use of marijuana for his disability.  He also alleged that he had been wrongfully discharged as a matter of public policy.  Yesterday’s decision rejects Ross’s disability discrimination claim for one simple reason:  The Compassionate Use Act provides only that individuals who use marijuana pursuant to a recommendation from a health care provider have a defense to criminal prosecution.  Noting that California voters cannot obscure federal laws which state that the drug poses a risk of abuse, the Court concluded that the Compassionate Use Act simply fails to address the rights of employers and employees.  The Court further observed that any effort to enact such a law would likely generate significant controversy, and it declined to read such a requirement into the limited protections of the statute.


Collecting Genetic Information on Your Employees? Significant Changes Are on the Way

Genetic tests are available today for more than 1000 diseases and counting. Individuals can use genetic testing to better identify and manage their risk of developing specific medical conditions before those conditions manifest themselves. For better or worse, such information may also have value to employers desiring to know whether an employee (or candidate) may be genetically inclined to ailments like carpal tunnel syndrome or long-term illness from exposure to workplace toxins. However, given the fact that 84% of Americans mistrust their employers when it comes to having access to their genetic information, the data are not easy to use. To be sure, the controversy over genetic screening in the workplace is palpable and raises questions such as: Can (or should) genetic information be used in making employment decisions? What qualifies as sensitive “genetic information”? With what level of care must an employer handle genetic information already in its possession?

While state law may resolve one or more of these questions in nearly 40 states, no federal legislation exists on the topic. That is likely to change soon. In April, the House passed the Genetic Information Nondiscrimination Act (“GINA”) of 2007 (H.R. 493) by a vote of 420-3, and the Senate is nearly certain to follow suit on its companion legislation (S. 358). With President Bush having already endorsed GINA, the debate is turning to what day-to-day effects GINA would have on the workplace. As it stands, GINA would: (1) prohibit employers from purposely acquiring genetic information about employees; (2) prohibit employers from making employment decisions based on an employee’s genetic information or use of genetic testing services; and (3) compel employers to treat genetic information in their possession as “health information” under HIPAA and the rules governing “confidential medical records” under the ADA.                       

 
