GINA Becomes Effective November 21, 2009: Are You Ready?


The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.

The EEOC had a deadline of May 21, 2009, to issue final regulations interpreting GINA’s employment-related provisions. With the Act’s effective date less than one week away, the EEOC still had not published final regulations. Further guidance on GINA’s requirements will be provided when the EEOC issues its final regulations. In the meantime, employers will find below a number of suggestions for complying with GINA.

Have You Taken These Steps to Comply with GINA Yet?

• Train human resources personnel, managers and recruiters about compliance with GINA, especially the provisions generally prohibiting deliberate acquisition of genetic information.

• Post a new EEO nondiscrimination poster prohibiting discrimination based on genetic information.

• Revise EEO policies to include prohibitions against discrimination based on genetic information and associated retaliation.

• Discontinue requests to applicants and employees for family medical history except in the limited circumstances permitted in connection with a wellness or disease management program. (See Littler’s recent ASAP, which explains this exception.)

• Whenever requesting an employee to have medical professionals provide documentation, such as in connection with a fitness-for-duty exam or a request for a reasonable accommodation or leave, add a statement that family medical history or other genetic information should not be provided.

• Inventory personnel records--such as FMLA certifications seeking leave for the serious illness of a family member--that contain genetic information about an employee, store those records in a confidential medical file, and strictly limit access to those with a need to know.

• Implement procedures to prevent the disclosure of genetic information in response to a subpoena or civil discovery and to permit disclosure only when specifically required to comply with a court order.

This entry was written by Ilyse Schuman and Philip Gordon.

Photo by Jonathan Lenz.

New Regulations Create Potential Privacy Risk in Corporate Transactions

Image by Magnus Manske.

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions, but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.

The Key Point: This hypothetical suggests by negative implication that acquiring companies must make a point of telling the acquired company not to provide the acquiring company with any "genetic information" when the acquired company turns over personnel records to the acquiring company. If the acquiring company fails to do so and receives any family medical histories (for example, one given in connection with a health risk assessment), the acquiring company has "collected" genetic information, apparently in violation of GINA. Notably, GINA does not include an exception for collection with the consent of the individual, so it appears that obtaining the subject employee's authorization would not defeat potential liability.

The Labor Department’s regulations go into effect on December 7, 2009.

This entry was written by Philip L. Gordon.

For further information and analysis, see "Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers" by Philip L. Gordon and Jennifer L. Mora and "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the licensed health care professional or certified genetic counselor receive the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

IAPP: You mentioned employee health information in your initial response. How are the issues involving such information any different today than they were in the recent past?

Gordon: Russell Chapman’s presentation at the Practical Privacy Series, “Privacy Issues in Employer Wellness Initiatives,” will highlight the new challenges. The soaring cost of employee health benefits has put significant pressure on employers to encourage a healthier workforce. One look at the complex regulations in this area makes it clear that this laudable goal is much more easily enunciated than achieved. Government regulators have, to some extent, handcuffed employers in these offerings to protect employee privacy and to prevent discrimination against employees who cannot, or do not want to, become exercise junkies. Russ is an expert in employee benefits law, and he will walk attendees through the legal complexities that employers are confronting as they implement wellness initiatives to trim health care costs.

IAPP: Over the past few years, “electronic discovery” has become a privacy issue. Could you explain how electronic discovery and privacy intersect in the employment context?

Gordon: Getting access to a former employee’s personal electronic information—their home computer, personal e-mail account, text messages, or social networking profile—often can be the difference between an employer’s success and defeat in employment litigation. Plaintiffs’ lawyers also have become increasingly aggressive in pursuing the electronic information of co-workers and supervisors who are not directly involved in the events that triggered the lawsuit, but whose statements and actions might provide useful evidence in support of the plaintiff’s claims. In many situations, the employer or the employee tries to limit the scope of electronic discovery by invoking the privacy interests of the employee to whom the information relates. The HR Practical Privacy Series will include a panel of three widely recognized experts in the area of electronic discovery—Becky Burr, a partner at WilmerHale; Laura Kibbee, formerly in-house counsel at Pfizer and now a senior vice president at the e-discovery consulting firm, EPIQ Systems; and Paul Weiner, national director of e-discovery at Littler Mendelson. The panel will delve into not just the domestic privacy issues raised by electronic discovery, but also the difficulties that multinational employers are confronting. In one recent case, for example, a French lawyer was subjected to criminal sanctions in France for conducting discovery ordered by a U.S. court. Multi-national employers are caught between a rock and a hard place in this area. This panel discussion, “e-Discovery and Privacy: How Domestic and Global Employers Can Manage the Ultimate ‘Catch-22’” will provide practical solutions to these difficult issues.

IAPP: As you noted above, security breaches involving employee data can have significant ramifications for the organization. What steps can employers take to reduce the risk of these breaches, and how best can employers respond when a breach occurs?

Gordon: Organizations often can leverage the policies, procedures, and practices implemented to safeguard consumer privacy to prevent a compromise of HR data. The problem, for many organizations, is that employee data is not viewed as falling within the chief privacy officer’s jurisdiction and human resources professionals generally do not have the same level of expertise in privacy and information security issues as the CPO. Ken DeJarnette, a leading privacy consultant with Deloitte, will address how to eliminate this silo effect at the Practical Privacy Series in the presentation “Leveraging Your Existing Customer Privacy Program for HR Data and Processes.”

As many studies and anecdotal evidence suggest, even the best information security programs fail from time to time. My experience handling dozens of employee breaches has highlighted several important distinctions from consumer breaches. Frequently, my client contacts are themselves put at risk by the compromise, often raising the level of engagement and concern. Employee breaches typically implicate Social Security numbers, a fact which is particularly concerning because SSNs can be used for different types of identity theft, so the cancellation of credit accounts is not enough to protect affected employees. As a result, employees tend to take advantage of services offered by the employer at a higher rate than consumers in breaches involving credit card numbers. Employers also may have a longer-term communications issue. While a consumer may sever a customer relationship, I have yet to hear of an employee quitting over a security breach. That does not mean that employees are not disgruntled over the breach, with potential ramifications for the workplace. Peter McCorkell, senior counsel at Wells Fargo, and Rick Dakin, founder and president of the security consulting firm Coalfire Systems, will address the unique challenges of responding to an employee breach in their presentation at the Practical Privacy Series, “Investigating and Responding to an HR Data Breach.”

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, and also change their names, modify their identity documents, and undertake other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”

What does that mean for an employer who receives notice that an employee intends to transition from one gender to another over the course of several weeks or months? More importantly, how does an employer reconcile this very public transition with potential state and federal laws protecting confidential medical information, which require employers to keep private information about an employee confidential, and protect against potential common law claims like invasion of privacy? This is made more difficult by the very nature of the public transition for transgender employees. For all practical purposes, it is somewhat similar to when an employee discloses to limited individuals that she is pregnant. Employers must not and should not disclose this fact (which is private until the pregnant employee begins “to show”) to others who do not need to know, or confirm this information to colleagues. And while such information may inherently or eventually become public due to an employee’s appearance, it necessarily is up to the employee to decide when and to whom to disclose such information.

Such is the case with an employee who announces an intention to change gender. An employee’s transgender status, where the employee is in the process of transitioning, and especially the employee’s medical condition and/or plans for future medical procedures, must be treated as private and confidential. The decision of with whom and when a transgender employee shares such information should be left to the employee’s discretion. Medical information also may be received by employers in a variety of ways and circumstances. Depending on the nature of that information and how it is received, the information may be protected under federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), or the Americans with Disabilities Act (ADA) (which excludes transgender status from the definition of disability, but protects most medical information of current employees). Regardless, out of sheer courtesy to the employee, the information should not be disseminated or become the subject of office chatter.


In addition to privacy concerns, employers should be aware that more and more cases are expanding the boundaries of discrimination under Title VII, and most particularly the definition of “sex.” In September 2008, the federal court of the District of Columbia ruled that the Library of Congress discriminated against Diane Schroer on the basis of “sex.” Schroer v. Billington, 577 F. Supp. 2d 293 (D.D.C. 2008). While dressed in traditionally masculine clothing and interviewing under her previous male name, Schroer was offered a job as a Terrorism Research Analyst with the Congressional Research Service, a division of the Library of Congress. After the job offer, but before starting and before undergoing sex reassignment surgery, Schroer informed the Library of Congress that she was under a doctor’s care for gender dysphoria. Schroer informed her future employer that, consistent with her treatment, she was about to change her name, begin dressing in traditionally feminine attire, and present herself full-time as a woman. The job offer was rescinded one day after Schroer disclosed her plans to transition. This groundbreaking decision was the first time a court has ruled that discriminating against someone for changing gender is sex discrimination under Title VII. While case law usually develops a bit more slowly, the Employment Non-Discrimination Act (ENDA) still is on the horizon. With a new administration and Congress, most predict that the version of ENDA likely to be introduced will add to Title VII express protections for gender identity or expression (in addition to sexual orientation).


So, how does an employer manage to maintain this balance while also fostering a non-discriminatory work environment where all employees are treated with trust and respect? Some helpful guidelines include:


  • Amend your Equal Employment Opportunity policy to prohibit discrimination based on gender identity or expression. (Several states, most recently New Hampshire and Washington, have passed bills protecting individuals on the basis of gender identity or expression. See also Jurisdictions with Explicitly Trans-Inclusive Discrimination Laws.)
  • Be prepared to address questions and requests from employees who notify you of their intent to transition to a different gender.
  • Write and implement a detailed policy and procedures suited to your own workplace environment to aid management and the transitioning employee when a transgender employee decides to transition on the job.
  • Do not make decisions about how to respond to certain requests from a transitioning individual based on where an employee is in the transition process.
  • Keep in mind, at all times, that transitioning to a new gender is much more intense and intimate than simply “changing one’s name” and dressing differently; this process truly is life-altering.

This entry was authored by Denise Visconti, a shareholder in Littler's San Diego office.

Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now

Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) goes into effect for employers of 15 or more employees on November 21, 2009. On March 2, 2009, the EEOC issued its proposed regulations for public comment. The proposed regulations attempt to clarify the definition of genetic information and provide guidance both on the limitations on acquisition of genetic information and ways to limit disclosure of genetic information acquired. As some of these regulations may change employers' practices, employers should make sure that human resources personnel and managers are familiar with the provisions of Title II of GINA before the effective date.

For more information about this development, see Littler ASAP "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards, a shareholder in Littler's San Francisco office.


Collecting Genetic Information on Your Employees? Significant Changes Are on the Way

Genetic tests are available today for more than 1000 diseases and counting. Individuals can use genetic testing to better identify and manage their risk of developing specific medical conditions before those conditions manifest themselves. For better or worse, such information may also have value to employers desiring to know whether an employee (or candidate) may be genetically inclined to ailments like carpal tunnel syndrome or long-term illness from exposure to workplace toxins. However, given the fact that 84% of Americans mistrust their employers when it comes to having access to their genetic information, the data are not easy to use. To be sure, the controversy over genetic screening in the workplace is palpable and raises questions such as: Can (or should) genetic information be used in making employment decisions? What qualifies as sensitive “genetic information”? With what level of care must an employer handle genetic information already in its possession?

While state law may resolve one or more of these questions in nearly 40 states, no federal legislation exists on the topic. That is likely to change soon. In April, the House passed the Genetic Information Nondiscrimination Act (“GINA”) of 2007 (H.R. 493) by a vote of 420-3, and the Senate is nearly certain to follow suit on its companion legislation (S. 358). With President Bush having already endorsed GINA, the debate is turning to what day-to-day effects GINA would have on the workplace. As it stands, GINA would: (1) prohibit employers from purposely acquiring genetic information about employees; (2) prohibit employers from making employment decisions based on an employee’s genetic information or use of genetic testing services; and (3) compel employers to treat genetic information in their possession as “health information” under HIPAA and the rules governing “confidential medical records” under the ADA.


So what may be the lurking pitfalls for compliance with GINA? Apart from adding another strand to the web of medical privacy laws, employers should be aware of the proverbial “fine print.” The Senate version of GINA defines “genetic information” as much more than just DNA tests or chromosome analyses. Rather, “genetic information” extends to include the simple “occurrence of a disease or disorder” in the spouse, children, or any blood relative of the employee or his or her child or spouse. The House version of the Act appears only slightly less expansive. What documents might your company have that encompass information under such a sweeping definition? Moreover, while genetic screening may soon raise issues of federal compliance, it is not apparent that GINA would have preemptive effect over state law. Now might be a good time to confirm compliance with (or become aware of) your state’s laws on genetic screening.