New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

The New Hampshire Attorney General and the federal Center for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon

Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarify many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition. 

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the licensed health care professional or certified genetic counselor receive the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

IAPP: You mentioned employee health information in your initial response. How are the issues involving such information any different today than they were in the recent past?

Gordon: Russell Chapman’s presentation at the Practical Privacy Series, “Privacy Issues in Employer Wellness Initiatives,” will highlight the new challenges. The soaring cost of employee health benefits has put significant pressure on employers to encourage a healthier workforce. One look at the complex regulations in this area makes it clear that this laudable goal is much more easily enunciated than achieved. Government regulators have, to some extent, handcuffed employers in these offerings to protect employee privacy and to prevent discrimination against employees who can not, or do not want to, become exercise junkies. Russ is an expert in employee benefits law, and he will walk attendees through the legal complexities that employers are confronting as they implement wellness initiatives to trim health care costs.

IAPP: Over the past few years, “electronic discovery” has become a privacy issue. Could you explain how electronic discovery and privacy intersect in the employment context?

Gordon: Getting access to a former employee’s personal electronic information—their home computer, personal e-mail account, text messages, or social networking profile—often can be the difference between an employer’s success and defeat in employment litigation. Plaintiffs’ lawyers also have become increasingly aggressive in pursuing the electronic information of co-workers and supervisors who are not directly involved in the events that triggered the lawsuit, but whose statements and actions might provide useful evidence in support of the plaintiff’s claims. In many situations, the employer or the employee tries to limit the scope of electronic discovery by invoking the privacy interests of the employee to whom the information relates. The HR Practical Privacy Series will include a panel of three widely recognized experts in the area of electronic discovery—Becky Burr, a partner at WilmerHale; Laura Kibbee, formerly in-house counsel at Pfizer and now a senior vice president at the e-discovery consulting firm, EPIQ Systems; and Paul Weiner, national director of e-discovery at Littler Mendelson. The panel will delve into not just the domestic privacy issues raised by electronic discovery, but also the difficulties that multinational employers are confronting. In one recent case, for example, a French lawyer was subjected to criminal sanctions in France for conducting discovery ordered by a U.S. court. Multi-national employers are caught between a rock and a hard place in this area. This panel discussion, “e-Discovery and Privacy: How Domestic and Global Employers Can Manage the Ultimate ‘Catch-22’” will provide practical solutions to these difficult issues.

IAPP: As you noted above, security breaches involving employee data can have significant ramifications for the organization. What steps can employers take to reduce the risk of these breaches, and how best can employers respond when a breach occurs?

Gordon: Organizations often can leverage the policies, procedures, and practices implemented to safeguard consumer privacy to prevent a compromise of HR data. The problem, for many organizations, is that employee data is not viewed as falling within the chief privacy officer’s jurisdiction and human resources professionals generally do not have the same level of expertise in privacy and information security issues as the CPO. Ken DeJarnette, a leading privacy consultant with Deloitte, will address how to eliminate this silo effect at the Practical Privacy Series in the presentation “Leveraging Your Existing Customer Privacy Program for HR Data and Processes.”

As many studies and anecdotal evidence suggest, even the best information security programs fail from time to time. My experience handling dozens of employee breaches has highlighted several important distinctions from consumer breaches. Frequently, my client contacts are themselves put at risk by the compromise, often raising the level of engagement and concern. Employee breaches typically implicate Social Security numbers, a fact which is particularly concerning because SSNs can be used for different types of identity theft, so the cancellation of credit accounts is not enough to protect affected employees. As a result, employees tend to take advantage of services offered by the employer at a higher rate than consumers in breaches involving credit card numbers. Employers also may have a longer-term communications issue. While a consumer may sever a customer relationship, I have yet to hear of an employee quitting over a security breach. That does not mean that employees are not disgruntled over the breach, with potential ramifications for the workplace. Peter McCorkell, senior counsel at Wells Fargo, and Rick Dakin, founder and president of the security consulting firm Coalfire Systems, will address the unique challenges of responding to an employee breach in their presentation at the Practical Privacy Series, “Investigating and Responding to an HR Data Breach.”

Swine Flu and Workplace Privacy

The swine flu pandemic means that employers need information about employees who have swine flu, or who have been exposed to it, but what exactly can employers ask, and what are their obligations when they get an answer? Here are some answers to these and other frequently asked questions about the intersection between swine flu and workplace privacy.

Q: Is it a HIPAA violation to require employees to disclose whether they have swine flu, have symptoms of swine flu, or have been exposed to swine flu?

A: No. HIPAA does not apply to questions that an employer asks employees about their health. In the workplace, HIPAA applies only to individually identifiable health information created or received by, or on behalf of, the employer in its capacity as the administrator of a HIPAA-covered plan, such as self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; or an employee assistance program. Put more succinctly, HIPAA applies only to individually identifiable health information created or received to administer a HIPAA-covered plan.

Q: Does any other law apply to an employer’s efforts to obtain information about whether an employee is, or may be, infected with swine flu?

A: In certain circumstances described below, the Americans with Disabilities Act (ADA) will apply.

Q: Can an employer require that employees with symptoms of swine flu be tested?

A: Yes. Under the ADA, an employer who reasonably believes, based on an individualized assessment, that an employee has symptoms of swine flu can require that the employee undergo medical testing to determine whether the employee, in fact, is infected. Before requiring testing, the employer should be familiar with the symptoms of swine flu and have sufficient information to confirm that the employee has those symptoms. Any required testing must be limited to a test for swine flu. In addition, the employer is required to pay any costs associated with the test. The employer must treat the test results as confidential.

Note: The answer above is based upon the conservative assumption that the ADA’s restrictions on medical examinations of current employees apply regardless of whether swine flu is a “disability” as defined by the ADA. We are taking this conservative approach based on EEOC guidance which defines a “medical examination” as “a procedure or test that seeks information about an individual’s physical or mental impairments or health” and provides as an example, “blood, urine, saliva, and hair analyses to detect disease or genetic markers.” This definition would encompass the nasal swab test for swine flu. A court might find the EEOC’s guidance to be overbroad to the extent that it encompasses medical tests, like the test for swine flu, directed exclusively at discerning the presence of a temporary condition that is not subject to protection under the ADA.

Q: Can an employer require that employees who test positive for swine flu disclose the test results to the employer?

A: Yes. Under the ADA, an employer may require that an employee disclose health information bearing upon whether the employee poses a direct threat to the health or safety of himself or others. Because an employee with swine flu in the workplace would expose others to contagion and may aggravate the employee’s own illness, the employer can require disclosure. However, the employer must treat the positive test result as confidential.

There is one subtle distinction here: While the ADA applies when an employer requires that an employee be tested for swine flu, the ADA does not apply when the employer states that employees who have voluntarily had themselves tested for swine flu must share the results of that test. The distinction is important because an employer that mishandles information protected by the ADA could be subject to a claim for violation of that statute, which includes a fee-shifting provision, whereas an employer who mishandles information not subject to the ADA might be subject only to a common law claim, which does not include fee-shifting.

Q: Can an employer require that an employee disclose whether he or she has been exposed to others who have tested positive for swine flu?

A: Yes. This inquiry does not require the employee to disclose any medical information about the employee.

Q: What can an employer tell co-workers about an employee who has been sent for testing, or who has tested positive, for swine flu?

A: The ADA requires that employers maintain the confidentiality of health information received from an employee in response to an employer-mandated disclosure. Consequently, an employer can not disclose to co-workers the identity of employees who have revealed symptoms of, or who have received a positive test result for, swine flu. An employer can tell co-workers who were exposed to the infected employee, without disclosing the infected employee’s identity, that these employees may have been exposed to swine flu and should monitor themselves for symptoms of swine flu.

As noted above, the ADA does not apply to a policy requiring that employees who have voluntarily undergone testing for swine flu disclose a positive test result. Nonetheless, as a practical matter, employers should treat as confidential the information received from employees pursuant to such a policy to encourage self-reporting.

Q: What can an employer tell managers or supervisors about an employee who has been sent home or has not been permitted to return to work because the employee is infected with swine flu or is demonstrating symptoms of swine flu?

A: The ADA generally prohibits an employer from disclosing an employee’s health condition to managers or supervisors. An employer can, however, tell a manager that the employee has been placed on leave for non-disciplinary reasons and for an indefinite period of time. The employer also can state that it will work with the manager to get the employee’s work covered and will inform the manager when the employee’s return date is known.

Q: What should an employer do when a manager or co-workers figure out that a specific employee has tested positive for swine flu even though the employer does not identify the employee — for example, because of the small size of the workforce?

A: An employer can not stop a manager or co-worker from speculating about why an employee has taken or been placed on leave. All an employer can do is take reasonable steps to protect the confidentiality of the positive test result by not identifying the employee by name and by avoiding, to the extent reasonably feasible, making other references that would permit a manager or co-workers to guess that an employee has been infected.

For additional insight and analysis, see Littler's ASAP, Swine Flu: Preparing the Workplace for a Pandemic, by Donald Benson and Steve McCown.

Littler is hosting a complimentary webinar to discuss in more detail action plans and issues that employers must consider. To register, please click here.

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, and also change their names, modify their identity documents, and undergo other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”

What does that mean for an employer who receives notice that an employee intends to transition from one gender to another over the course of several weeks or months? More importantly, how does an employer reconcile this very public transition with potential state and federal laws protecting confidential medical information, which require employers to maintain the privacy of information about an employee, and protect against potential common law claims like invasion of privacy? This is made more difficult by the very nature of the public transition for transgender employees. For all practical purposes, it is somewhat similar to when an employee discloses to a limited number of individuals that she is pregnant. Employers must not and should not disclose this fact (which is private until the pregnant employee begins “to show”) to others who do not need to know, or confirm this information to colleagues. And while such information may inherently or eventually become public due to an employee’s appearance, it necessarily is up to the employee to decide when and to whom to disclose such information.

Such is the case with an employee who announces an intention to change gender. An employee’s transgender status, where the employee is in the process of transitioning, and especially the employee’s medical condition and/or plans for future medical procedures, must be treated as private and confidential. The decision of with whom and when a transgender employee shares such information should be left to the employee’s discretion. Medical information also may be received by employers in a variety of ways and circumstances. Depending on the nature of that information and how it is received, the information may be protected under federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Non-Discrimination Act (GINA), or the Americans with Disabilities Act (ADA) (which excludes transgender status from the definition of disability, but protects most medical information of current employees). Regardless, out of sheer courtesy to the employee, the information should not be disseminated or become the subject of office chatter.
In addition to privacy concerns, employers should be aware that more and more cases are expanding the boundaries of discrimination under Title VII, and most particularly the definition of “sex.” In September 2008, the federal court of the District of Columbia ruled that the Library of Congress discriminated against Diane Schroer on the basis of “sex.” Schroer v. Billington, 577 F. Supp. 2d 293 (D.D.C. 2008). While dressed in traditionally masculine clothing and interviewing under her previous male name, Schroer was offered a job as a Terrorism Research Analyst with the Congressional Research Service, a division of the Library of Congress. After the job offer, but before starting and before undergoing sex reassignment surgery, Schroer informed the Library of Congress that she was under a doctor’s care for gender dysphoria. Schroer informed her future employer that, consistent with her treatment, she was about to change her name, begin dressing in traditionally feminine attire, and present herself full-time as a woman. The job offer was rescinded one day after Schroer disclosed her plans to transition. This groundbreaking decision was the first time a court has ruled that discriminating against someone for changing gender is sex discrimination under Title VII. While case law usually develops more slowly, the Employment Non-Discrimination Act (ENDA) still is on the horizon. With a new administration and Congress, most predict that the version of ENDA likely to be introduced will add to Title VII express protections for gender identity or expression (in addition to sexual orientation).
So, how does an employer manage to maintain this balance while also fostering a non-discriminatory work environment where all employees are treated with trust and respect? Some helpful guidelines include:
  • Amend your Equal Employment Opportunity policy to prohibit discrimination based on gender identity or expression. (Several states, most recently New Hampshire and Washington, have passed bills protecting individuals on the basis of gender identity or expression. See also Jurisdictions with Explicitly Trans-Inclusive Discrimination Laws.)
  • Be prepared to address questions and requests from employees who notify you of their intent to transition to a different gender.
  • Write and implement a detailed policy and procedures suited to your own workplace environment to aid management, and the transitioning employee when a transgender employee decides to transition on the job.
  • Do not make decisions about how to respond to certain requests from a transitioning individual based on where an employee is in the transition process.
  • Keep in mind, at all times, that transitioning to a new gender is much more intense and intimate than simply “changing one’s name” and dressing differently; this process truly is life-altering.

This entry was authored by Denise Visconti, a shareholder in Littler's San Diego office.

Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctor’s visits, use of medication, and referrals for further evaluation or treatment; and (b) if an employee is requesting leave for himself, facts sufficient to show that the employee cannot perform essential job functions; or (c) if an employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.

The aspect of the revised regulations that poses the greatest risk of a privacy violation by employers relates to the permissible process for “authenticating” and “clarifying” certifications. The regulations specify that only the following categories of employees may request authentication or clarification: a health care provider, a human resources professional, a leave administrator, or a management official. The regulations expressly bar a direct supervisor from performing these functions. To avoid violating this requirement, employers should (a) designate those employees permitted to conduct follow-up concerning FMLA certification, (b) inform supervisors that only the designated employees may conduct such follow-up, and (c) where consistent with internal practice, direct employees to submit certifications only to the designated individuals.

In addition, the designated employees should be trained on two key points. First, the designated employee must obtain a HIPAA-compliant authorization from the employee who submitted the certification before contacting that employee’s health care provider. The designated employee should submit the authorization to the provider before requesting any medical information. The regulations permit an employer to deny a leave request if the employee refuses to execute an authorization.

Second, the designated employee must limit communications with the provider to “authentication” and “clarification” as defined in the revised regulations. Authentication is limited to asking the provider to confirm that the provider, or someone with the provider’s authorization, furnished the information contained in the certification. The regulations restrict “clarification” to asking a provider to explain (a) illegible handwriting, or (b) the meaning of a response to a question in the certification form. Requests for clarification must be restricted to the condition of the employee or family member for which leave is being requested.

While employers cannot obtain information from an employee’s provider for authentication or clarification without the employee’s prior authorization, the revised regulations bar employers from demanding that an employee sign an authorization for leave-related purposes before the employee submits a certification to the employer. Consequently, employers should train human resources professionals and others involved in the certification process not to make such a demand.

Finally, certifications revealing a family member’s serious health condition almost always will constitute “genetic information” subject to the confidentiality requirements of the Genetic Information Non-Discrimination Act of 2008 (GINA) because GINA defines “genetic information” to include “the manifestation of a disease or disorder in family members.” While GINA’s confidentiality provisions parallel the FMLA’s, GINA permits disclosure of “genetic information” in the context of litigation in much narrower circumstances. More specifically, “genetic information” may be disclosed only in response to a court order and only if, after the disclosure, the employer informs the family member of the information that was disclosed. The practical effect of this restriction is that employers producing a medical file in response to a third-party subpoena must take extra care to remove from the production any FMLA certification that reveals the medical condition of a family member of the employee to whom the subpoena relates. Employers are most likely to confront this situation when the subsequent employer of a former employee has to defend claims brought by the responding organization’s former employee.

IAPP Practical Privacy Series: Human Resources 2008

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

  • "What to Do When a Human Resources Security Breach Inevitably Occurs": A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
  • "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
  • "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents;
  • Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
  • I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die.  However, in many ways, the employment relationship lives on, albeit under different terms.  Estates may need to be administered.  Law enforcement may need to investigate the cause of death.  Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease.  How are employers supposed to respond to these requests?  More pointedly, do deceased employees have any privacy rights in their health information?  The short answer is “yes”.

Under the HIPAA Privacy Rule, the deceased have virtually the same privacy rights as the living.  In other words, a deceased employee’s protected health information generally cannot be disclosed without the authorization of the decedent’s personal representative.  Whether someone can act as a personal representative depends upon applicable state law, which typically limits personal representatives to a current surviving spouse or a court-appointed executor of the deceased’s estate.  Employers often will be required to confer with the personal representative before responding to a request for the dead employee’s medical records — even if the request comes from someone close to the decedent, such as a child or an attorney representing the employee in litigation against the employer.

Employers should bear in mind that the HIPAA Privacy Rule applies only to health information created or received by, or on behalf of, a HIPAA-covered plan, i.e., a self-insured group health, dental or vision plan, a health care reimbursement flexible spending account, or an employee assistance program.  For other medical information, such as sick leave requests and reasonable accommodation and workers’ compensation information, employers will need to look to state law or the confidentiality provisions of the Americans with Disabilities Act.  As a general rule, however, these statutes follow the same scheme as HIPAA for disclosing the health information of a deceased employee.

Workplace Privacy and the MRSA "Superbug"

The rumors are flying: The TV news ran a story last night on the evacuation and de-contamination of the local public school after one of the football players missed Saturday’s game because of infection with the MRSA Superbug.  One of your employees happens to have a son on the football team, and she called in sick on the Monday after the game.  Employees who work in the area of her cubicle have “petitioned” HR not to let the mother return to work until she has submitted written documentation from her physician that she is not infected or contagious.  Where does HR even start to unravel the privacy concerns of the mother and her child, and how should those concerns be weighed against the health interests of the mother’s co-workers? 

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law. 

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.

These guidelines would apply regardless of the type of infection — MRSA, Hepatitis A, TB, HIV, etc.

1. Investigate: Learn the facts; do not rely on rumors.

2. Interview The Possibly Infected Employee: If the facts indicate that an employee might be infected with the MRSA Superbug, designate a manager with the appropriate level of responsibility to get more information directly from the employee.

3. Consult Counsel On How To Handle An Uncooperative Employee: If the employee refuses to disclose information, consult counsel regarding whether the employee can be required to provide health information before taking any adverse action against the employee.  If the employee already has been sent home, promptly involve counsel to minimize or resolve any possible liability risks.

4. Provide Notice Of Disclosure To A Cooperative Employee: If an employee voluntarily discloses infection with MRSA, explain that (a) the employer may need to disclose limited information about the employee’s health condition to those with a need to know, such as government health officials and health care providers of co-workers, to take precautions against the spread of the infection and to facilitate any needed treatment of others, and (b) the employer will limit disclosure to those with a need to know and then will disclose only the minimum information necessary.

5. Request Consent To Disclose: Ask the employee for permission to make the limited disclosures described above.  If the employee refuses to consent, tell the employee that the entity may have no choice but to share information about the infection with others but will do so only to the extent permitted or required by law.

6. Avoid Identifying The Infected Employee: When disclosing information about the infected employee, avoid identification by name except when necessary to protect the health of co-workers who might have been infected or as required by law.

7. Instruct Supervisors On Confidentiality And Retaliation Risks: Instruct supervisors about the need to maintain the confidentiality of employee health information and provide guidance on how to respond to questions from other employees and supervisors so as to avoid undue panic and concern.  Supervisors should be reminded of the need to avoid any claim of retaliation by the possibly infected employee or his/her family members.  Educate supervisors on the spread of MRSA infections, types of treatment, and the Company’s planned preventative steps.

There is no one-size-fits-all solution to the many complicated privacy issues that a Superbug infection in the workplace can raise.  These guidelines, however, provide a starting point for what most likely will be a tense and fast-moving situation that raises a wide range of benefits issues and employment-related liability risks. 

My colleagues in Littler's Workplace Safety Practice Group, Don Benson and Pete Rice, are OSHA experts who will be presenting a webinar on Wednesday, December 12, 2007, on how to reduce the risks of an MRSA outbreak in your workplace and how to respond when one occurs.