Agency States Interim Final Rule for Breach Notification Effective Until Further Notice

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post.

This entry was written by Philip L. Gordon.

Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them, and its significant implications for employers and health care providers subject to HIPAA, has not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the risk assessment that supported that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

Continue Reading...

Proposed Revisions to HIPAA Regulations

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and went into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity, a/k/a snooping, poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in its paper files or on its information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call, or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties, arguably is now at risk of criminal prosecution.

Continue Reading...

GINA Becomes Effective November 21, 2009: Are You Ready?

The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information; (b) places broad restrictions on an employer’s deliberate acquisition of genetic information; (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information; and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer any family medical history or other genetic information obtained during the examination. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.

Continue Reading...

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine, approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

Continue Reading...

New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions, but the EEOC has not yet issued final regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all genetic information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.

Continue Reading...

Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarify many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.

Continue Reading...

Minnesota Appellate Court Rules that Temporary Posting of Medical Information on MySpace.Com Supports a Privacy Breach Claim Even if Seen by Only a Few

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three-judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath, about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

Continue Reading...

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009." Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

Continue Reading...

Swine Flu and Workplace Privacy

The swine flu pandemic means that employers need information about employees who have swine flu, or who have been exposed to it, but what exactly can employers ask, and what are their obligations when they get an answer? Here are some answers to these and other frequently asked questions about the intersection between swine flu and workplace privacy.

Q: Is it a HIPAA violation to require employees to disclose whether they have swine flu, have symptoms of swine flu, or have been exposed to swine flu?

A: No. HIPAA does not apply to questions that an employer asks employees about their health. In the workplace, HIPAA applies only to individually identifiable health information created or received by, or on behalf of, the employer in its capacity as the administrator of a HIPAA-covered plan, such as self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; or an employee assistance program. Put more succinctly, HIPAA applies only to individually identifiable health information created or received to administer a HIPAA-covered plan.

Q: Does any other law apply to an employer’s efforts to obtain information about whether an employee is, or may be, infected with swine flu?

A: In certain circumstances described below, the Americans with Disabilities Act (ADA) will apply.

Q: Can an employer require that employees with symptoms of swine flu be tested?

A: Yes. Under the ADA, an employer who reasonably believes, based on an individualized assessment, that an employee has symptoms of swine flu can require that the employee undergo medical testing to determine whether the employee, in fact, is infected. Before requiring testing, the employer should be familiar with the symptoms of swine flu and have sufficient information to confirm that the employee has those symptoms. Any required testing must be limited to a test for swine flu. In addition, the employer is required to pay any costs associated with the test. The employer must treat the test results as confidential.

Note: The answer above is based upon the conservative assumption that the ADA’s restrictions on medical examinations of current employees apply regardless of whether swine flu is a “disability” as defined by the ADA. We are taking this conservative approach based on EEOC guidance which defines a "medical examination" as "a procedure or test that seeks information about an individual's physical or mental impairments or health" and provides as an example, "blood, urine, saliva, and hair analyses to detect disease or genetic markers." This definition would encompass the nasal swab test for swine flu. A court might find the EEOC’s guidance to be overbroad to the extent that it encompasses medical tests, like the test for swine flu, directed exclusively at discerning the presence of a temporary condition that is not subject to protection under the ADA.

Continue Reading...

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, as well as change their names, modify their identity documents, and undertake other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”

Continue Reading...

Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker is responsible for the breach.

Continue Reading...

Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now

Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) goes into effect for employers of 15 or more employees on November 21, 2009. On March 2, 2009, the EEOC issued its proposed regulations for public comment. The proposed regulations attempt to clarify the definition of genetic information and provide guidance both on the limitations on acquisition of genetic information and ways to limit disclosure of genetic information acquired. As some of these regulations may change employers' practices, employers should make sure that human resources personnel and managers are familiar with the provisions of Title II of GINA before the effective date.

For more information about this development, see Littler ASAP "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards, a shareholder in Littler's San Francisco office.

Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctors’ visits, use of medication, and referrals for further evaluation or treatment; and either (b) if the employee is requesting leave for the employee’s own condition, facts sufficient to show that the employee cannot perform essential job functions; or (c) if the employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.

Continue Reading...

Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill that President Bush is expected to sign barring private employers from engaging in genetic discrimination. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die. However, in many ways, the employment relationship lives on, albeit under different terms. Estates may need to be administered. Law enforcement may need to investigate the cause of death. Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease. How are employers supposed to respond to these requests? More pointedly, do deceased employees have any privacy rights in their health information? The short answer is “yes.” Continue Reading...

Workplace Privacy and the MRSA "Superbug"

The rumors are flying: The TV news ran a story last night on the evacuation and de-contamination of the local public school after one of the football players missed Saturday’s game because of infection with the MRSA Superbug. One of your employees happens to have a son on the football team, and she called in sick on the Monday after the game. Employees who work in the area of her cubicle have “petitioned” HR not to let the mother return to work until she has submitted written documentation from her physician that she is not infected or contagious. Where does HR even start to unravel the privacy concerns of the mother and her child, and how should those concerns be weighed against the health interests of the mother’s co-workers?

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law.

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.

Continue Reading...