Potential HIPAA Violation Leads to $750,000 Settlement

The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.

To learn more about the settlement, please continue reading at Littler's Healthcare Employment Counsel.

Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance

Data encryption concept laptop and lockWith the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.

Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset, the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:

  • The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
  • A Written Information Security Plan (WISP) cannot be produced.
  • The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
  • The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
  • Unfairness or deception around the purpose for which the data was originally collected.
  • Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.

Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the businesses’ information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.

Continue Reading...

EEOC Meeting Keeps Spotlight on Employers' Use of Credit History

The EEOC’s decision to dedicate its first public meeting in more than a year, held on October 20, 2010, to employers’ use of credit history as an employment screening tool magnified the recent focus of legislators and regulators on that topic. As discussed in several recent posts, four states EEOC Seal— Hawaii, Illinois, Oregon, and Washington — have recently imposed significant restrictions on employers’ use of credit history for employment purposes. Similar legislation is pending in more than fifteen states, and federal legislation, which would impose restrictions even broader than existing state laws, is pending in Congress. In light of these legislative developments, the EEOC meeting was particularly significant for two reasons.

First, none of the participants, comprising representatives of consumer and business interests as well as two academics, were able to cite a single study that proved or disproved the existence of a specific link between any particular credit profile and poor job performance or a propensity to engage in dishonest or criminal conduct. In fact, the two academics’ prepared statements emphasized the dearth of empirical data in this area.

For employers, the absence of reliable studies highlights the need to tread cautiously when using credit history to make employment decisions. Jumping to conclusions not supported by empirical data could, for example, result in the rejection of an applicant whose financial difficulties might actually have motivated the applicant to exceed expectations. In addition, the employer could open itself to allegations that its purported reliance on credit history was a subterfuge for discrimination against the rejected applicant.

Continue Reading...

New California Law Illustrates Challenges of Background Check Compliance for Employers

Background checks seem to be a hot topic in state legislatures these days. In the past six months, for example, several states — including Illinois, Massachusetts, Oregon, and most recently California — have enacted laws bearing upon the process of checking the backgrounds of job applicants and employees. Under the new California law (pdf), effective January 1, 2012, background check authorizations must include the “Internet Web site address . . . where the consumer may find information about the investigative reporting agency’s privacy practices.” This seemingly trivial change is endemic to the challenges that employers confront in the area of background check compliance.

No case of which we are aware addresses the question whether an employer’s background check procedures must comply with only the law of the state(s) in which the employer is located, only the law of the state where the applicant or employee resides, or both. The question is far from academic. Even employers located in a single state routinely advertise positions on a company-sponsored web site, or through third-party web sites, accessible to applicants in all fifty states. Further, given the high unemployment rate and the general mobility of the U.S. workforce, job applicants for virtually any position could reside in any state.

In light of these factors, the most conservative employer — even if located in a single state — would conduct background screening in a manner that complies with the laws of all fifty states. However, as noted above, state legislatures are enacting new restrictions on, or requirements for, pre-employment background checks at an accelerated rate. In addition to the challenge of remaining up to date with this surge of legislation, employers face the difficulty of generating compliance forms that are not encyclopedic and that applicants of all educational levels can easily comprehend.

Continue Reading...

UPDATE: U.S. Supreme Court's Decision in NASA Case Could Have Significant Implications for Private Employers

NOTE: This entry updates our previous post on October 4, 2010.

Magnifying glass and bindersYesterday, the U.S. Supreme Court heard oral argument in a case challenging NASA’s background checks of “low risk” private contractors working at the agency’s Jet Propulsion Laboratory (JPL). At first blush, the case does not appear to be particularly relevant to private employers given that NASA is a public employer and, as the oral argument revealed, the appeal will turn principally on the Supreme Court’s interpretation of the federal constitutional right to information privacy applicable only to public employers. Deeper consideration suggests, however, that the Court’s decision could have significant implications for private sector employers.

The case arises from NASA’s decision to unilaterally amend its contract with the California Institute of Technology (“Caltech”) — which operates JPL for NASA — to require that all JPL employees working at JPL undergo broad background checks. After NASA rejected Caltech’s objections to the background check policy, Caltech adopted a policy — not required by NASA — that all JPL employees who did not successfully complete the background check process and receive a federal identification badge would be deemed to have voluntarily resigned their Caltech employment. JPL employees who work at JPL sought to enjoin implementation of NASA’s background check policy.

Continue Reading...

GINA Becomes Effective November 21, 2009: Are You Ready?

Four centrifuge tubes of fifteen milliliter volume in a rack in a science laboratory

The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.

Continue Reading...

Massachusetts Agency Revises Information Security Regulations -- Yet Again

Image by Producer

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreement entered after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.
Continue Reading...

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

                       

 On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition. 

Continue Reading...

Massachusetts Regulatory Agency Revises the Massachusetts Data Security Breach Regulations and Further Extends Compliance Deadline

On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.

Highlights of the amendments to the regulations are:

Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.

Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).
 

Continue Reading...

Contemporaneous Announcements of Obama's Cybersecurity Agenda and of the "Biggest Security Breach Ever" Should Highlight for Employers the Message of National Data Privacy Day

Today — January 28, 2009 — is National Data Privacy Day, which, according to a January 2009 Resolution of the House of Representatives, “constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet.” This reference to “international collaboration” is not precatory. Canada and the 27 Member States of the European Union also are seeking to focus attention on data privacy today by celebrating their own National Data Privacy Day. In light of two recent events that preceded National Data Privacy Day by only one week, HR departments should take note.

On January 22, 2009, Barack Obama’s first full day as President, he outlined, on the Whitehouse.gov website, his plan to enhance the nation’s cybersecurity. Two central planks of that plan will have a direct impact on employers. First, the plan calls on private industry to “secure personal data stored . . . on private systems” and to institute a “common standard for securing such data.” Second, the plan would create national standards for corporate security breach notification. Put simply, federal data protection and security breach notification legislation is on the way; it is just a matter of time. Such legislation most likely would have the beneficial effect of relieving multi-state employers from the burdens of complying with a patchwork of state data protection and security breach notification laws. Federal legislation, however, also would bring the substantial resources and enforcement power of the federal government to an area of the law that has, to date, seen only fledgling enforcement by the states.
 

Continue Reading...

New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Continue reading. . .

What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

  •  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

More Businesses Demanding Background Checks And Drug Tests Of Vendor Employees, Creating New Privacy And Data Protection Challenges

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch 22:

Continue Reading...