Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Telework is primarily an arrangement established to facilitate the accomplishment of work. Private employers, like federal agencies, retain the discretion and obligation to determine employee eligibility for telework subject to business-related needs. For private employers this guide is a gem; it provides guidance on the policies and procedures that the federal government considers necessary to address the risks and rewards of a remote workforce.

With respect to privacy and information security, the Telework Guide provides guidance on the proper handling of confidential information and training on appropriate safeguards for customer and employee information. The Telework Guide states, under the section entitled “Safeguarding Information and Data,” that “[e]mployees must take responsibility for the security of the data and other information they handle while teleworking.”

Interestingly, the basis of the work relationship is a “Telework Agreement.” Each eligible employee authorized to telework enters into a written agreement with his/her supervisor which includes an interactive telework training program provided to eligible employees and their managers. The program must be successfully completed by employees before entering into the written telework agreement.

Private employers will benefit from the guidance provided in The Telework Guide. Although the Guide applies only to federal employers, there are strong parallels between telework in the private and public sectors, particularly when it comes to safeguarding sensitive customer and employee information.

Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.

The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.

The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.

The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
 

The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.

The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.

The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.

The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:

[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.

Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.

HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.

This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.

Photo credit: hoch2wo photo & design

The European guidance is especially noteworthy for multi-national employers. Although this guidance, as its title suggests, deals almost exclusively with tracking consumers, the guidance contains a short section—which received scant public attention—that squarely addresses tracking employees. The guidance explains that it is unlawful for employers in the E.U. to track their employees unless “it is demonstrably necessary to supervise the exact locations of employees for a legitimate [business] purpose.” Even then, continuous monitoring generally is impermissible, and employees must be able to turn off location tracking during non-work hours. The guidance also discourages employers from using vehicle tracking devices to monitor the behavior of employees by, for example, recording the vehicle’s speed. Given this guidance, multinational employers should closely scrutinize the nature and scope of any location-tracking program before implementing it in the European Union.

The U.S. Supreme Court’s decision next term in U.S. v. Maynard also could have an impact on U.S. employers. As we explained in our blog post on the D.C. Circuit’s decision that is subject to Supreme Court review, a ruling that law enforcement’s 24/7 use of surreptitious location tracking violates the Fourth Amendment arguably could be used to support a claim against employers that engage in 24/7 location tracking without notice to employees. The rationale for such a decision likely would be that continuous tracking establishes a pattern of activity over a period of time which reveals private information about the target of the tracking, such as whether the person is a recovering alcoholic as reflected by regular visits to Alcoholics Anonymous meetings, is considering pregnancy as suggested by weekly trips to a fertility clinic, or is having an extra-marital affair. Despite the distinctions between Fourth Amendment standards and the elements of the common law tort of invasion of privacy, this rationale likely would apply with equal force in the common law context.

Finally, while the Congressional activity to date has focused on consumer privacy, it would not require a substantial leap in legislative drafting to extend the coverage of these bills to location tracking of employees. Alternatively, state legislators, taking the cue from Congress, might implement state-specific requirements, which could result in an unwanted patchwork of requirements for multi-state employers.

While U.S. employers currently are subject to virtually no regulation when tracking employees, the keen focus on the issue in Europe, in the criminal context, and in the consumer sphere very well may spill over to the U.S. workplace. Employers that use, or that are considering using, location tracking in their workplaces should continue to monitor these developments closely.

Photo credit: binabina

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

• The School District did not have written policies and procedures regulating the use of Theft Tracker.
• Parents and students were not provided with an explanation of the program and not required to consent to its use.
• Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
• There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer