Five Key Takeaways For Employers Confronting The Massive, Omnibus HIPAA/HITECH Final Rule

By Philip Gordon

At approximately one-half the length of War and Peace, the recently published Omnibus Final Rule, which modifies the HIPAA Privacy, Security and Enforcement Rules and implements the HIPAA Breach Notification Rule, can overwhelm in-house employment, benefits, and privacy counsel as well as human resources and benefits professionals trying to discern the Rule’s practical implications for employers who sponsor HIPAA-covered plans, which are “covered entities” under HIPAA. Like most HIPAA-related guidance, the Omnibus Final Rule tends to focus on health care providers, with only a small portion of the ample regulatory commentary aimed at the employer community. Moreover, a detailed reading of the Omnibus Final Rule reveals dozens of technical changes with little or no practical impact on employers and numerous granular modifications that may be relevant to employers, if at all, only with limited frequency.

Stepping back from this superabundance of detail, we have identified the following five “big picture” takeaways for employers who sponsor HIPAA-covered plans:


10 Tips For Avoiding GINA Violations

The Equal Employment Opportunity Commission, on Nov. 9, 2010, published its long-awaited regulations implementing those portions of the Genetic Information Non-Discrimination Act of 2008 (GINA) applicable to employers. GINA prohibits employers from discriminating on the basis of genetic information and generally prohibits employers from acquiring or disclosing genetic information. GINA applies to all employers subject to Title VII of the Civil Rights Act of 1964 and adopts Title VII’s enforcement schemes except that disparate claims are not permitted.

Simple as GINA’s general rules might sound, their application to specific factual circumstances can be baffling and counterintuitive. The fundamental challenge for employers lies in the definition of “genetic information,” which is far broader than what common sense would advise, i.e., that genetic information is limited to the results of tests that reveal an employee’s genetic composition or a heightened risk of an inherited disease.

The 10 tips below address those aspects of GINA and the EEOC’s implementing regulations that employers likely will find most challenging and encounter on a recurring basis, and provide practical recommendations on how to handle those challenges.

1) Understand the Definition of “Genetic Information”

As noted above, “genetic information” encompasses far more than the results of a genetic test. Genetic information includes family medical history, and that term is very broadly defined.


GINA Becomes Effective November 21, 2009: Are You Ready?


The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect, (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.


New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.


Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition. 


Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009." Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”


Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now

Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) goes into effect for employers of 15 or more employees on November 21, 2009. On March 2, 2009, the EEOC issued its proposed regulations for public comment. The proposed regulations attempt to clarify the definition of genetic information and provide guidance both on the limitations on acquisition of genetic information and ways to limit disclosure of genetic information acquired. As some of these regulations may change employers' practices, employers should make sure that human resources personnel and managers are familiar with the provisions of Title II of GINA before the effective date.

For more information about this development, see Littler ASAP "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards, a shareholder in Littler's San Francisco office.

 

Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctors’ visits, use of medication, and referrals for further evaluation or treatment; and (b) if an employee is requesting leave for himself, facts sufficient to show that the employee cannot perform essential job functions; or (c) if an employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.
 


Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill that President Bush is expected to sign barring private employers from engaging in genetic discrimination. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.
 

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die. However, in many ways, the employment relationship lives on, albeit under different terms. Estates may need to be administered. Law enforcement may need to investigate the cause of death. Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease. How are employers supposed to respond to these requests? More pointedly, do deceased employees have any privacy rights in their health information? The short answer is “yes”.

Collecting Genetic Information on Your Employees? Significant Changes Are on the Way

Genetic tests are available today for more than 1000 diseases and counting. Individuals can use genetic testing to better identify and manage their risk of developing specific medical conditions before those conditions manifest themselves. For better or worse, such information may also have value to employers desiring to know whether an employee (or candidate) may be genetically inclined to ailments like carpal tunnel syndrome or long-term illness from exposure to workplace toxins. However, given the fact that 84% of Americans mistrust their employers when it comes to having access to their genetic information, the data are not easy to use. To be sure, the controversy over genetic screening in the workplace is palpable and raises questions such as: Can (or should) genetic information be used in making employment decisions? What qualifies as sensitive “genetic information”? With what level of care must an employer handle genetic information already in its possession?

While state law may resolve one or more of these questions in nearly 40 states, no federal legislation exists on the topic. That is likely to change soon. In April, the House passed the Genetic Information Nondiscrimination Act (“GINA”) of 2007 (H.R. 493) by a vote of 420-3, and the Senate is nearly certain to follow suit on its companion legislation (S. 358). With President Bush having already endorsed GINA, the debate is turning to what day-to-day effects GINA would have on the workplace. As it stands, GINA would: (1) prohibit employers from purposely acquiring genetic information about employees; (2) prohibit employers from making employment decisions based on an employee’s genetic information or use of genetic testing services; and (3) compel employers to treat genetic information in their possession as “health information” under HIPAA and the rules governing “confidential medical records” under the ADA.                       

 
