Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and leaves them in limbo, when responding to a security incident involving PHI, until new regulations are published.

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant, as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records, potentially to advance her own claims of discrimination, is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employee never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

Proposed Revisions to HIPAA Regulations

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and went into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

Don't Forget to Provide Your Employees with the HIPAA-Mandated, Triennial Reminder

Focused on weathering the blizzard of amendments to business associate agreements required by the HITECH Act, employers understandably could lose sight of the April 14, 2010 deadline for providing the “triennial reminder” required by the HIPAA Privacy Rule. Under that regulation, employers who sponsor one or more HIPAA-covered plans must, no less frequently than once every three years, “notify individuals then covered by the plan of the availability of the [plan’s] notice [of privacy practices] and how to obtain the notice.” For small health plans, i.e., those with annual receipts of $5 million or less, the original HIPAA compliance date was April 14, 2004, meaning that 2010 is a triennial reminder year. HIPAA-covered plans for which an employer would be required to provide the triennial reminder include self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; a pharmacy benefits plan; a long-term care (not long-term disability) plan; and an employee assistance program.

Employers are required only to explain how current plan participants can obtain a copy of their HIPAA notice of privacy practices. Employers are not required to redistribute their privacy notice, although they can do so to satisfy the requirement. Employers also can provide the triennial reminder through an e-mail blast with a link to the notice on the corporate intranet or with contact information for an internal employee or a business associate’s representative who can provide a paper copy of the notice. Another alternative would be to include information about the privacy notice with enrollment information that is distributed during the employer’s annual open enrollment season.

This entry was written by Philip L. Gordon.

New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

The New Hampshire Attorney General and the federal Centers for Medicare & Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon.

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

On October 16, 2009, New York State Supreme Court Justice Thomas J. McNamara issued a temporary restraining order in one of the lawsuits filed in Albany, proscribing the mandatory vaccination. The New York State Commissioner of Health and the New York State Hospital Review and Planning Council plan to vigorously defend the suit and the Commissioner’s authority to mandate vaccinations. The court scheduled an October 30 hearing regarding whether the restraining order should be lifted.

The temporary restraining order prohibits enforcement of New York’s mandatory vaccination law, but does not prevent employers from voluntarily offering influenza vaccinations to their employees. In addition, the temporary restraining order does not apply to employers outside the health care sector or to health care employers outside of New York. Nonetheless, employers should be cautious before implementing a mandatory immunization requirement. The EEOC recently issued guidance suggesting that mandatory immunizations might violate the ADA in certain circumstances. We will be publishing shortly additional recommendations in light of the EEOC’s recent guidance.

This entry was written by Philip L. Gordon.

Is "Microchipping" Employees Ever A Viable Option?

The idea of mandatory “microchipping” — the practice of employers requiring employees to have a small computer chip inserted beneath the skin — triggers a high score on virtually any cringe meter. According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute (“Workplace Survey on the Privacy Age Gap”), more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation.

Mirroring this sentiment, in early September, the California Legislature sent to Governor Schwarzenegger for signature a bill which would prohibit any person from requiring, coercing or compelling “any other individual to undergo the subcutaneous implanting of an identification device.” [UPDATE: Governor Schwarzenegger signed the bill into law.] An “identification device” is defined as one capable of transmitting personal information by radio frequency (RFID) or other means.

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively. North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively. Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws.

From the employer’s perspective, these bills are, in a sense, irrelevant. After all, what employer would dare risk the employee and public relations disaster of forcing employees to accept a microchip?

The more challenging question for employers is when, if ever, an employer should offer microchipping as part of a purely voluntary program. Before answering that question, it is important to understand that the chip itself contains no personal information. Instead, the chip contains an encrypted identification number which is linked to a database, such as medical records stored at a hospital or for a health care provider. A signal emitted by the device transmits the number, which then is used to access information corresponding to the person in whom the chip has been implanted.

Employees who might consider, and benefit from, voluntary implantation include:

  • Employees with a medical condition, such as epilepsy or diabetes, that could render them unconscious and in need of emergency medical attention;
  • Employees who are at a heightened risk of significant memory loss, such as those with Alzheimer’s disease, who might wander off-site;
  • Employees, such as commercial pilots, miners and oil rig workers, at a heightened risk of a serious injury that could render them unconscious;
  • Employees who need access to highly secured areas of a facility (albeit only as a voluntary alternative to some other form of identification); and
  • Employees who travel to parts of the world where there is a high risk of being kidnapped and who prefer not to carry badges that reveal corporate affiliation.

Employers and employees may be surprised that there actually are some potentially beneficial and sensible uses of microchipping. Microchipping highlights the need for employers and employees to get past the initial, knee-jerk reaction against workplace technologies that can be invasive of privacy, such as Global Positioning Systems (GPS) and camera phones. Rather, employers should focus on implementing such technology within the framework of policies and procedures that minimize or eliminate unnecessary intrusions while reaping the technology’s benefits.

There is one caveat with microchipping: On September 11, 2007, The New York Times wrote about an Associated Press report suggesting that “VeriChip [the maker of the implantable microchip] and federal regulators had ignored or overlooked animal studies raising questions about whether the chip or the process of injecting it might cause cancer in dogs and laboratory rodents.” Both VeriChip and the Food and Drug Administration denied this report, stating that “there were no controlled scientific studies linking the chips to cancer in dogs or cats and that lab rodents were more prone than humans or other animals to developing tumors from all types of injections.” An FDA spokeswoman added, “At this time there appears to be no credible cause for concern.”