New Compliance Obligations Under the Federal Fair Credit Reporting Act

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is best known for allowing consumers to annually request and obtain one free credit report from each of the nationwide consumer credit reporting companies, as well as creating new compliance obligations designed to reduce identity theft. However, the FACTA also amended the Fair Credit Reporting Act (FCRA) to, among other things, require federal agencies to implement new rules designed to increase the "accuracy" and "integrity" of information that "furnishers" provide to consumer reporting agencies. Consistent with this directive, on July 1, 2009, the Federal Trade Commission (FTC) and several other federal agencies issued a joint Final Rule that imposes additional regulatory requirements on businesses, including employers, that provide consumer information to consumer reporting agencies. The final rule is effective July 1, 2010.

To learn more about the joint Final Rule and its implications for employers, please continue reading Littler's ASAP, The Deadline is Fast Approaching: Effective July 1, 2010, Employers Have New Compliance Obligations Under the Federal Fair Credit Reporting Act, by Rod M. Fliegel and Jennifer L. Mora.

Jail Time for Physician's HIPAA Violation Highlights Need to Redouble Compliance Efforts

A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.

Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in their paper files or on their information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties arguably is now at risk of criminal prosecution.

While the employee may bear the brunt of the criminal prosecution, the employee’s unauthorized conduct exposes the employer on at least three different levels. First, the U.S. Department of Health & Human Services (HHS) could pursue civil penalties against the employer. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act supplemented HIPAA, effective February 17, 2010, civil penalties for HIPAA violations have been substantially enhanced. While HHS has yet to promulgate regulations construing the statutory penalty provisions, the minimum penalty for an employee’s unauthorized access to patient or plan participant records apparently would be $1,000 per record reviewed if the employer had implemented measures to prevent the unauthorized access and $10,000 per record reviewed where the employer had failed to implement adequate protections. Second, although the federal courts unanimously agree that HIPAA provides no private right of action, the patient or plan participant whose records were viewed without authorization could assert common law, privacy-based claims, alleging vicarious liability on the employer’s part for the employee’s unauthorized access. Finally, the unauthorized access likely would constitute a security breach under HIPAA’s new security breach notification requirements. Were the snooping employee to access the records of 500 or more patients or plan participants, the employer would be required to notify not only the voyeur’s victims but also HHS and prominent media outlets in the state where the victims are located.

The jailing of the Chinese researcher highlights the fact that providers and employers no longer can be complacent about HIPAA compliance. Both health care providers and employers offering HIPAA-covered health benefits should revisit and, if necessary, update the policies they adopted when HIPAA first went into effect more than six years ago. Compliance efforts should focus, in particular, on preventing the types of conduct most likely to trigger security breach notification obligations, such as unauthorized access to and disclosures of health information and the loss or theft of equipment containing health information in unencrypted form. While technologies such as encryption and data loss prevention software can go a long way towards reducing risk, providers should consider robust and frequent training programs that convey the message that there is no such thing as “a little harmless snooping” when it comes to patients’ and plan participants’ medical records.

This entry was written by Philip L. Gordon.

Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”), which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce, to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer or employee (such as a popular “bulletin board”) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”), Example 8. Failure to make such disclosure may expose the employer to liability under the Act.

If employees make misleading statements about the employer’s products and services that result in injury to consumers, the FTC may bring an enforcement action against the employer. The FTC reports that it has brought enforcement actions against employers “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury, but the FTC suggested in comments on the guidelines that it would be unlikely to take action against an employer for the conduct of a single “rogue” employee whose conduct violated an adequate company policy.

Additionally, because postings on blogs and Facebook pages can reach wide audiences, employers may be vulnerable to large-scale liability like class-action lawsuits by consumers and/or legal action by state attorneys general.

In view of this latest possible exposure to employers from employees’ use of blogs and social websites, employers should consider reviewing their electronic communications or social media policies to ensure: (1) that they have policies addressing the use of the company’s name, trademarks, and other proprietary information in blogs and other social media; and (2) that these policies include either prohibitions or appropriate guidance regarding references to company products or services. Such prohibitions and/or guidance should no longer be limited to criticisms of the employer and its products and/or services. Endorsements, if permitted at all, should be limited to truthful and verifiable statements, or should be subject to prior approval by management. And in either event, such statements must be accompanied by an employee’s written disclosure of the employment relationship so that consumers can fairly weigh the testimonial.

This entry was written by Lisa Brauner.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the licensed health care professional or certified genetic counselor receive the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.
New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus social security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.

Required Notices To Third Parties

If an entity is required to notify 1,000 or more Alaska residents, it also must provide the three national credit bureaus (TransUnion®, Experian®, and Equifax®) with the timing, distribution, and content of the notices to state residents.

If a business is required to notify 1,000 or more South Carolina residents of a security breach, that entity must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs as well as the national credit bureaus.

Penalties

Both statutes provide stiff penalties for businesses that fail to provide the required notice to affected individuals. In Alaska, offending businesses are subject to a civil penalty of up to $500 per resident not notified, with the total penalty capped at $50,000. Moreover, the offending business may be held liable for any actual economic damages suffered by affected individuals as a result of the failure to provide notice.

In South Carolina, businesses that fail to provide notice to affected individuals are subject to civil lawsuits by residents who are injured. Injured individuals may also recover attorneys’ fees and court costs, if successful. Moreover, the law permits the Department of Consumer Affairs to administratively fine knowing and willful violators $1,000 for each resident whose information was accessible by reason of the breach.

Scope Of Alaska’s New Law

In addition to the notice of security breach law, Alaska enacted a comprehensive statute involving protection of social security numbers, care of records, disposal of records and security freezes.

This entry was written by Katherine Dix.

Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker, is responsible for the breach.

As a result of the new law, employers should amend their business associates agreements to include the following terms:

• The business associate’s representation that it is in compliance with the HIPAA Security Rule’s principal requirements (required under the new law);
• A requirement that the business associate promptly notify the employer of any breach;
• A requirement that the business associate’s notice include detailed information about the breach, such as contact information for all affected individuals, a description of the breach, and the steps that have been taken to mitigate the harm and prevent a recurrence;
• A requirement that the business associate indemnify the employer for all expenses incurred by the employer when responding to any security breach caused by the business associate’s actions or inaction;
• A requirement limiting the business associate’s use and disclosure of, and requests for, PHI to a “limited data set,” unless a greater amount of PHI is the minimum necessary to accomplish the purposes of the use, disclosure or request (required under the new law).

For a more detailed discussion of these developments, please see “Recent Enforcement Actions and Significant Amendments to the HIPAA Privacy Rule Compel Employers to Revisit Their HIPAA Compliance Efforts” by Philip L. Gordon.