Littler Mendelson's Workplace Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About What Obama's Second Term Means for Privacy Law

Privacy law stands as one of the most discussed areas of law during President Barack Obama’s first term in office. Though a lot of action was seen, not all of it is attributable to the president, and the same may hold true during his second term. In an interview with the LexBlog Network, Philip Gordon, Chair of Littler’s Workplace Privacy and Data Protection Practice Group, offers his thoughts on what the realm of privacy law will look like over the coming years—at both the federal and state level.

Re-Thinking and Rejecting Social Media "Password Protection" Legislation

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?” The response: 99% of respondents answered the question in the negative.


New Littler Report Concerning EEOC's Updated Guidance on Employer Use of Criminal Background Checks

On April 25, 2012, the Equal Employment Opportunity Commission (EEOC) issued its "Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964" (hereinafter "Updated Guidance") concerning the use of criminal records by employers. The EEOC issued the Updated Guidance "on the heels" of its January 2012 announcement of a $3.1 million settlement with an employer following the EEOC's finding that the employer allegedly screened out more than 300 African American job applicants due to their criminal records. Based on the EEOC's systemic initiative, the EEOC also has been intensively scrutinizing the criminal records screening policies used by employers in many different industries, including motor carriers, retailers and manufacturers. A flurry of new EEOC charges and similarly broad investigations by the Commission is virtually certain in the next 12 to 24 months. These developments set the stage for employers to closely review their hiring policies involving the consideration of criminal records in order to assess potential Title VII risk and opportunities to meaningfully reduce that risk without compromising other legitimate and even compelling business interests. A new Littler Report provides information and practical guidance for employers as well as an evolutionary perspective on the development of this latest EEOC Guidance, and discusses the Updated Guidance and its implications for employers in more detail.

HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers

By Philip Gordon

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.


The U.S. Supreme Court Holds that Corporations Do Not Qualify for Personal Privacy Exception Under the Freedom of Information Act

By Christopher E. Cobey

For those who suspect the Roberts Court always sides with business, the March 1 opinion in Federal Communications Commission v. AT&T (pdf) might give them pause.

In this 8-0 opinion, the Court held that the term “personal privacy,” as used in a statutory exception to the Freedom of Information Act (FOIA; 5 U.S.C. § 552), does not apply to corporations. The exception covers law enforcement records, the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”

The genesis of the case arose seven years ago. In 2004, AT&T was investigated by the FCC for self-reported possible overcharging of the federal government. The company settled the FCC’s investigation at the end of 2004 without admitting liability. Following the investigation, a private industry group submitted a FOIA request to the FCC, seeking materials produced by AT&T to the Commission in the course of the Commission’s investigation. AT&T opposed the group’s request for information.

The FCC disagreed with AT&T’s position, concluding that the information sought by the industry group (which included AT&T’s cost and pricing data, billing-related information, and identifying information about staff, contractors, and customer representatives) did not constitute materials protected under the exception on the basis of AT&T’s “personal privacy.”


Eleventh Circuit Ruling Strengthens Employers' Hand Against Employees who Abuse Access to Information Systems

Roberto Rodriguez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.

What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).

Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained (pdf) that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized access. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.


FTC Releases Privacy Report Advocating Modified Regulatory Approach

Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and instilling attention to privacy into the business process that their workforce is required to execute.

The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if they decline to hire because of that information.

10 Tips For Avoiding GINA Violations

The Equal Employment Opportunity Commission, on Nov. 9, 2010, published its long-awaited regulations implementing those portions of the Genetic Information Non-Discrimination Act of 2008 (GINA) applicable to employers. GINA prohibits employers from discriminating on the basis of genetic information and generally prohibits employers from acquiring or disclosing genetic information. GINA applies to all employers subject to Title VII of the Civil Rights Act of 1964 and adopts Title VII’s enforcement schemes except that disparate claims are not permitted.

Simple as GINA’s general rules might sound, their application to specific factual circumstances can be baffling and counterintuitive. The fundamental challenge for employers lies in the definition of “genetic information,” which is far broader than what common sense would advise, i.e., that genetic information is limited to the results of tests that reveal an employee’s genetic composition or a heightened risk of an inherited disease.

The 10 tips below address those aspects of GINA and the EEOC’s implementing regulations that employers likely will find most challenging and encounter on a recurring basis, and provide practical recommendations on how to handle those challenges.

1) Understand the Definition of “Genetic Information”

As noted above, “genetic information” encompasses far more than the results of a genetic test. Genetic information includes family medical history, and that term is very broadly defined.


EEOC Meeting Keeps Spotlight on Employers' Use of Credit History

The EEOC’s decision to dedicate its first public meeting in more than a year, held on October 20, 2010, to employers’ use of credit history as an employment screening tool magnified the recent focus of legislators and regulators on that topic. As discussed in several recent posts, four states — Hawaii, Illinois, Oregon, and Washington — have recently imposed significant restrictions on employers’ use of credit history for employment purposes. Similar legislation is pending in more than fifteen states, and federal legislation, which would impose restrictions even broader than existing state laws, is pending in Congress. In light of these legislative developments, the EEOC meeting was particularly significant for two reasons.

First, none of the participants, comprising representatives of consumer and business interests as well as two academics, was able to cite a single study that proved or disproved the existence of a specific link between any particular credit profile and poor job performance or a propensity to engage in dishonest or criminal conduct. In fact, the two academics’ prepared statements emphasized the dearth of empirical data in this area.

For employers, the absence of reliable studies highlights the need to tread cautiously when using credit history to make employment decisions. Jumping to conclusions not supported by empirical data could, for example, result in the rejection of an applicant whose financial difficulties might actually have motivated the applicant to exceed expectations. In addition, the employer could open itself to allegations that its purported reliance on credit history was a subterfuge for discrimination against the rejected applicant.


Commonplace IT Functions Raise the Risk of Federal Wiretap Act Liability Under Recent Seventh Circuit Decision

Even if your organization already has revised its electronic resources policy — as prior blog posts suggest — to address personal e-mail accounts in light of the New Jersey Supreme Court’s decision in Stengart v. Loving Care Agency and to address text messages in light of the U.S. Supreme Court’s decision in Quon v. City of Ontario, you still should consider revisiting that policy yet again in light of the U.S. Court of Appeals for the Seventh Circuit’s decision on September 9, 2010, in United States v. Szymuszkiewicz (pdf). The court’s decision affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor’s Microsoft Outlook autoforwarding feature. As a result, duplicates of the supervisor’s e-mail were automatically forwarded to the IRS agent without the supervisor’s knowledge or consent. The IRS agent received a sentence of eighteen months probation.

The Seventh Circuit’s decision turned principally on whether “auto forwarding” e-mail constitutes an “interception” as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the auto forwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor’s e-mail inbox.

For employers, the court’s decision highlights the risk of Federal Wiretap Act liability arising from commonplace IT functions. Corporate IT departments routinely activate “auto forwarding” after an employee has left an organization so that a supervisor or co-worker can promptly respond to e-mail intended for the former employee. It also is not uncommon for corporate IT departments to rely on “e-mail journaling” to create a duplicate set of out-going and incoming e-mail for archival purposes. Journaling essentially functions the same as auto forwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party’s e-mail inbox.


Agency States Interim Final Rule for Breach Notification Effective Until Further Notice

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post.

This entry was written by Philip L. Gordon.


Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.


Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in their paper files or on their information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties arguably is now at risk of criminal prosecution.


Rep. Boucher's Privacy Bill Would Impose Substantial Burdens on Virtually All Employers

Perhaps providing the public with an opportunity to identify unanticipated consequences of long-awaited, federal privacy legislation, Reps. Rick Boucher (D-Va.), Chairman of the House Energy and Commerce Subcommittee on Communications, Technology, and the Internet, and Cliff Stearns (R-Fla.), the panel's ranking member, have requested public comment on a privacy bill before formally introducing it. The bill, which has not yet received a title--though apparently is intended to regulate on-line marketers--would impose substantial burdens on virtually every U.S. employer.

At its highest level, the draft bill would require only that on-line retailers who collect annually personal information of more than 5,000 customers provide a privacy notice and obtain opt-out consent from consumers. Upon closer examination, however, the bill would require almost every employer, regardless of size, to provide every employee and apparently every job applicant with a privacy notice and obtain their affirmative opt-in consent to the employer’s collection, use and disclosure of certain categories of personal information.


GINA Becomes Effective November 21, 2009: Are You Ready?


The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.


New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.


Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarifies many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition. 


DOT Regulation on Observed Return-to-Work and Follow-Up Drug Testing Goes into Effect August 31, 2009

After a lengthy public comment period and legal challenges, a U.S. Department of Transportation (DOT) drug testing regulation requiring employees of aviation, railroad, motor carrier, mass transit, pipeline and maritime industries who previously failed a drug test to partially disrobe and be directly observed during return-to-work and follow-up tests will go into effect August 31, 2009. Until then, observed collections are required only if a donor is suspected of attempting to adulterate or tamper with a test sample.

The requirement sat in limbo after the U.S. Court of Appeals for the D.C. Circuit stayed enforcement in November 2008 pending a legal challenge. However, as previously discussed, in May 2009 the court held the regulations valid and lifted the stay on July 1, 2009.

Accordingly, the DOT has announced starting August 31, 2009, employees subject to DOT return-to-work and follow-up testing must be directly observed when providing a urine sample. Additionally, before the collection begins, shirts must be raised above the waist and clothing lowered to expose genitals in order to allow the observer to verify the absence of any cheating devices. 

This entry was written by Nancy N. Delogu.

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, and also change their names, modify their identity documents, and undergo other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”


Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker, is responsible for the breach.

Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now

Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) goes into effect for employers of 15 or more employees on November 21, 2009. On March 2, 2009, the EEOC issued its proposed regulations for public comment. The proposed regulations attempt to clarify the definition of genetic information and provide guidance both on the limitations on acquisition of genetic information and ways to limit disclosure of genetic information acquired. As some of these regulations may change employers' practices, employers should make sure that human resources personnel and managers are familiar with the provisions of Title II of GINA before the effective date.

For more information about this development, see Littler ASAP "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards, a shareholder in Littler's San Francisco office.

Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctor’s visits, use of medication, and referrals for further evaluation or treatment; and (b) if an employee is requesting leave for himself, facts sufficient to show that the employee cannot perform essential job functions; or (c) if an employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.

A Case to Watch re Workplace Monitoring: Sidell v. Structured Settlement Investments

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D. Conn. 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in the employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks, while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.


Quon Ruling Not Significant Obstacle to Employers' Accessing Text Messages

The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text-message services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fast. Employers can easily and lawfully circumvent the court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well-established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees’ communications using corporate resources will be monitored and are not private.


Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”

Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill barring private employers from engaging in genetic discrimination that President Bush is expected to sign. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die. However, in many ways, the employment relationship lives on, albeit under different terms. Estates may need to be administered. Law enforcement may need to investigate the cause of death. Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease. How are employers supposed to respond to these requests? More pointedly, do deceased employees have any privacy rights in their health information? The short answer is “yes”.

California Supreme Court Just Says "No" to Weed At Work

Gary Ross, the military veteran who urged his employer to accommodate his medical use of marijuana, has failed to convince the Supreme Court of California to revive his case. On January 24, 2008, the Court affirmed (5-2) the trial and appellate court decisions that RagingWire Telecommunications was not required to employ Ross, who tested positive for marijuana, even though his use of the drug has been decriminalized under California’s Compassionate Use Act.

As discussed in an earlier posting, Ross argued that his former employer, RagingWire, had discriminated against him under the California Fair Employment and Housing Act by terminating him because of his positive drug test, which resulted from his use of marijuana for his disability. He also alleged that he had been wrongfully discharged as a matter of public policy. Yesterday’s decision rejects Ross’s disability discrimination claim for one simple reason: The Compassionate Use Act provides only that individuals who use marijuana pursuant to a recommendation from a health care provider have a defense to criminal prosecution. Noting that California voters cannot obscure federal laws which state that the drug poses a risk of abuse, the Court concluded that the Compassionate Use Act simply fails to address the rights of employers and employees. The Court further observed that any effort to enact such a law would likely generate significant controversy, and it declined to read such a requirement into the limited protections of the statute.


Collecting Genetic Information on Your Employees? Significant Changes Are on the Way

Genetic tests are available today for more than 1000 diseases and counting. Individuals can use genetic testing to better identify and manage their risk of developing specific medical conditions before those conditions manifest themselves. For better or worse, such information may also have value to employers desiring to know whether an employee (or candidate) may be genetically inclined to ailments like carpal tunnel syndrome or long-term illness from exposure to workplace toxins. However, given the fact that 84% of Americans mistrust their employers when it comes to having access to their genetic information, the data are not easy to use. To be sure, the controversy over genetic screening in the workplace is palpable and raises questions such as: Can (or should) genetic information be used in making employment decisions? What qualifies as sensitive “genetic information”? With what level of care must an employer handle genetic information already in its possession?

While state law may resolve one or more of these questions in nearly 40 states, no federal legislation exists on the topic. That is likely to change soon. In April, the House passed the Genetic Information Nondiscrimination Act (“GINA”) of 2007 (H.R. 493) by a vote of 420-3, and the Senate is nearly certain to follow suit on its companion legislation (S. 358). With President Bush having already endorsed GINA, the debate is turning to what day-to-day effects GINA would have on the workplace. As it stands, GINA would: (1) prohibit employers from purposely acquiring genetic information about employees; (2) prohibit employers from making employment decisions based on an employee’s genetic information or use of genetic testing services; and (3) compel employers to treat genetic information in their possession as “health information” under HIPAA and the rules governing “confidential medical records” under the ADA.
