New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

The New Hampshire Attorney General and the federal Center for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second-guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon.

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

On October 16, 2009, New York State Supreme Court Justice Thomas J. McNamara issued a temporary restraining order in one of the lawsuits filed in Albany, proscribing the mandatory vaccination. The New York State Commissioner of Health and the New York State Hospital Review and Planning Council plan to vigorously defend the suit and the Commissioner’s authority to mandate vaccinations. The court scheduled an October 30 hearing regarding whether the restraining order should be lifted.

The temporary restraining order prohibits enforcement of New York’s mandatory vaccination law, but does not prevent employers from voluntarily offering influenza vaccinations to their employees. In addition, the temporary restraining order does not apply to employers outside the health care sector or to health care employers outside of New York. Nonetheless, employers should be cautious before implementing a mandatory immunization requirement. The EEOC recently issued guidance suggesting that mandatory immunizations might violate the ADA in certain circumstances. We will shortly publish additional recommendations in light of the EEOC’s recent guidance.

This entry was written by Philip L. Gordon.

Is "Microchipping" Employees Ever A Viable Option?

The idea of mandatory “microchipping” — the practice of employers requiring employees to have a small computer chip inserted beneath the skin — triggers a high score on virtually any cringe meter.  According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute (“Workplace Survey on the Privacy Age Gap”) more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation. 

Mirroring this sentiment, in early September, the California Legislature sent to Governor Schwarzenegger for signature a bill which would prohibit any person from requiring, coercing or compelling “any other individual to undergo the subcutaneous implanting of an identification device.” [UPDATE: Governor Schwarzenegger signed the bill into law.] An “identification device” is defined as one capable of transmitting personal information by radio frequency (RFID) or other means.

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively.  North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively.  Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws. 

From the employer’s perspective, these bills are, in a sense, irrelevant.  After all, what employer would dare risk the employee and public relations disaster of forcing employees to accept a microchip?

The more challenging question for employers is when, if ever, should an employer offer microchipping as part of a purely voluntary program.  Before answering that question, it is important to understand that the chip itself contains no personal information.  Instead, the chip contains an encrypted identification number which is linked to a database, such as medical records stored at a hospital or for a health care provider.  A signal emitted by the device transmits the number which then is used to access information corresponding to the person in whom the chip has been implanted.

Employees who might consider, and benefit from, voluntary implantation include:

  • Employees with a medical condition, such as epilepsy or diabetes, that could render them unconscious and in need of emergency medical attention;
  • Employees who are at a heightened risk of significant memory loss, such as those with Alzheimer’s disease, who might wander off-site;
  • Employees, such as commercial pilots, miners and oil rig workers, at a heightened risk of a serious injury that could render them unconscious;
  • Employees who need access to highly secured areas of a facility (albeit only as a voluntary alternative to some other form of identification); and
  • Employees who travel to parts of the world where there is a high risk of being kidnapped and who prefer not to carry badges that reveal corporate affiliation.

Employers and employees may be surprised that there actually are some potentially beneficial and sensible uses of microchipping. Microchipping highlights the need for employers and employees to get past the initial, knee-jerk reaction against workplace technologies that can be invasive of privacy, such as Global Positioning Systems (GPS) and camera phones. Rather, employers should focus on implementing such technology within the framework of policies and procedures that minimize or eliminate unnecessary intrusions while reaping the technology’s benefits.

There is one caveat with microchipping:  On September 11, 2007, The New York Times wrote about an Associated Press report suggesting that “VeriChip [the maker of the implantable microchip] and federal regulators had ignored or overlooked animal studies raising questions about whether the chip or the process of injecting it might cause cancer in dogs and laboratory rodents.”  Both VeriChip and the Food and Drug Administration denied this report, stating that “there were no controlled scientific studies linking the chips to cancer in dogs or cats and that lab rodents were more prone than humans or other animals to developing tumors from all types of injections.”  An FDA spokeswoman added, “At this time there appears to be no credible cause for concern.”