Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.

Photo credit: hoch2wo photo & design

Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.

The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.

The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.

The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
 

The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.

The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.

The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.

The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:

[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.

Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.

HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.

This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.

Photo credit: hoch2wo photo & design

While HHS does not reveal the negotiations leading to the $1 million settlement amount, the enhanced HITECH penalties likely figured prominently in the discussion. The HITECH Act gives HHS substantial discretion in deciding what constitutes a single violation. In this situation, HHS likely took the position that there were at least 192 violations, one for each patient whose PHI was lost. In addition, HITECH permits HHS to impose a penalty of up to $50,000 per violation capped at $1.5 million annually for the same violation. Thus, the negotiations over the penalty likely centered around where the settlement should fall in the range between $100 per violation (the minimum penalty) and approximately $7,800 per violation (i.e., $1.5 million divided by 192). The negotiations resulted in a settlement amount of approximately $5,200 per violation. The lesson to be drawn is that the HITECH penalty scheme provides HHS with the leverage to negotiate a substantial settlement payment even for incidents involving a relatively small number of individuals. The fact that the lost records revealed an HIV/AIDS diagnosis, highly sensitive information, for at least some of the 192 affected patients also likely had an impact on HHS’ settlement position.

The settlement between HHS and the hospital also reveals, at least implicitly, HHS’ position that it is unacceptable for employees to remove paper or electronic records containing PHI from a covered entity’s physical premises without taking precautions to safeguard those records. More specifically, the settlement agreement requires that the hospital implement policies and procedures aimed at safeguarding any PHI that leaves the hospital’s premises, including the encryption of any laptop or USB drive containing PHI that is taken off-site. In addition, the hospital must: (a) distribute these policies to all members of its workforce; (b) review and, as necessary, update the policies annually; (c) train all employees with access to PHI in the policies; and (d) review the training annually or as necessary.

Employers and providers can take away several lessons from this incident. First, even innocent mistakes that compromise PHI could result in substantial penalties or settlements. Second, covered entities should implement and enforce policies and procedures that restrict the removal of PHI from their premises and that require strict safeguards for PHI, such as encryption, when it is taken off-site. Third, HHS likely will inquire into the training that has been provided to workforce members whenever an incident involves the loss or theft of PHI that was taken off-site. As a result, that training should be thorough, well documented, and updated as necessary to remain consistent with existing policies, new legal requirements, and evolving best practices.

Photo credit: AtnoYdur

What are the take-aways here? First, although to date HHS’s enforcement efforts in the area of information security have received virtually all of the press attention, HHS takes seriously the obligation of covered entities to ensure that plan participants and patients are able to exercise their rights under HIPAA (consisting of the right to receive a notice of privacy practices, the right to access protected health information (PHI), the right to amend PHI, the right to an accounting of disclosures of PHI, the right to request restrictions on the use and disclosure of PHI, and the right to communicate by alternative means or in an alternative location). Second, employers and providers should have written policies and procedures in place so that employees responsible for implementing HIPAA know how to respond properly and in a timely manner to requests to exercise HIPAA rights. Finally, it is never too late to respond to a request. If, for some reason, a covered entity does not timely respond to a request to exercise HIPAA rights, the covered entity can “stop the running of the penalty meter” by responding to the request as promptly as possible.

As the NPD reveals, the lion's share of the penalty imposed on Cignet — $3 million to be precise — resulted from Cignet’s failure to cooperate in HHS’s investigation. HHS’s press release announcing the penalty emphasizes that Cignet did not respond to a letter demand for the complainants’ patient records, did not respond to a subpoena issued by HHS until after a court ordered Cignet to do so, and “made no effort to resolve the complaints through informal means.”

When calculating this portion of the penalty, HHS counted as a separate violation each day from the deadline in the letter demand for producing the complainants’ medical records until the day that Cignet produced the records in response to the court’s order. HHS then multiplied that penalty by 41 for each complainant.

In choosing to impose the maximum penalty of $50,000 per violation for conduct constituting “willful neglect,” HHS noted in the NPD that Cignet’s failure to produce the records sooner had interfered with some complainants’ ability to obtain health care and had forced HHS to seek a court order to obtain patient records that, under the HIPAA Privacy Rule, Cignet was required to produce within 30 days of the request. HHS also noted that Cignet had produced in response to the subpoena medical records of 4,500 patients whose information the agency had not even requested. But for the $1.5 million annual cap in the HITECH Act on penalties resulting from willful neglect, the penalty imposed on Cignet would have exceeded $150 million.

More lessons learned: HHS had not imposed any civil monetary penalties to date, in large part, because the agency has been willing to work with covered entities to resolve complaints informally. When responding to an inquiry from HHS, covered entities should carefully evaluate whether the complaint can be resolved informally. When informal resolution is not possible, covered entities need to carefully toe the line between respectful disagreement coupled with good faith participation in HHS’s formal dispute resolution process and “willful neglect,” i.e., a failure to respond to HHS’s lawful and reasonable demands. An incidental lesson learned from Cignet’s apparent production of every patient record in its possession in response to the subpoena for 41 patient files is the need to scrupulously safeguard the PHI of plan participants and patients whose information is not implicated by the investigation, even when producing PHI to HHS.

The penalty imposed on Cignet is a window into the “worst-case scenario” for covered entities responding to a HIPAA complaint. While the reasons for Cignet’s non-responsiveness remain unknown, the implications could not be more resounding.

However, HIPAA’s enhanced penalties substantially increase the potential exposure to a covered entity that decides not to provide notification without first conducting and documenting a credible assessment of the risk to individuals arising from the security incident. Under the new penalty scheme, HHS must impose a penalty upon finding that a covered entity’s HIPAA violation resulted from “willful neglect.” “Willful neglect” means “conscious, intentional failure or reckless indifference to the obligation to comply with the regulation that is the target of the complaint." HHS likely would find that failing to notify individuals of a security breach without conducting a risk assessment or basing a decision on a superficial risk assessment constitutes “willful neglect.”

A finding by HHS of “willful neglect” would trigger exposure to substantial penalties. In that case, the penalty would ranger from a minimum of $10,000 per violation to a maximum of $50,000 per violation if the violation (i.e., the failure to notify affected individuals of the security breach) is corrected within 30 days of notice from HHS, and a minimum of $50,000 per violation and a maximum of $1.5 million per violation if the violation is left uncorrected. Moreover, HIPAA’s amended enforcement provisions, and recently proposed regulations construing those amendments, provide HHS with substantial discretion in determining what constitutes a violation. If HHS were to determine, in the context of a security breach, that each person who did not timely receive a notice is one violation, or that one violation is each day that notice to affected individuals was improperly delayed, the potential penalties could run into the millions of dollars. While to date, HHS has not imposed a single civil monetary penalty, the agency’s statutory authority to impose multi-million dollar penalties provides it with substantial leverage in negotiating settlements with alleged violators of HIPAA. HHS recently demonstrated its new-found muscle when it announced, on July 27, 2010, a $1 million settlement with a covered entity that allegedly did not properly dispose of PHI.

By contrast, a covered entity that conducts a credible risk assessment in good faith likely would have no exposure for any penalties. The recently proposed revisions to HIPAA’s Enforcement Rule bar HHS from imposing a penalty if the covered entity demonstrates that the violation did not result from willful neglect and was promptly corrected after the covered entity knew, or should have known, of the violation. This means that if a covered entity based a decision not to provide notice on a credible risk assessment, it likely would have no exposure for a civil monetary penalty, even if HHS were to disagree with the entity’s decision. Thus, HHS would have no leverage to extract a monetary settlement — as long as the covered entity provided notice to affected individuals promptly after being informed of HHS’ disagreement with the results of the covered entity’s risk assessment.

Because security incidents typically are investigated and evaluated under substantial time pressure, covered entities should consider obtaining, and familiarizing themselves with, a risk assessment tool before they are confronted with a security incident. One example of such a risk assessment tool is a software application called RADAR (Risk Assessment, Documentation and Reporting) recently released by ID Experts, a firm specializing in comprehensive data breach solutions for healthcare. More information about RADAR is available here.

This entry was written by Philip L. Gordon.

Photo credit: Randy Plett 
 

While the employee may bear the brunt of the criminal prosecution, the employee’s unauthorized conduct exposes the employer on at least three different levels. First, the U.S. Department of Health & Human Services (HHS) could pursue civil penalties against the employer. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act supplemented HIPAA, effective February 17, 2010, civil penalties for HIPAA violations have been substantially enhanced. While HHS has yet to promulgate regulations construing the statutory penalty provisions, the minimum penalty for an employee’s unauthorized access to patient plan participant records apparently would be $1,000 per record reviewed if the employer had implemented measures to prevent the unauthorized access and $10,000 per record reviewed where the employer had failed to implement adequate protections. Second, although the federal courts unanimously agree that HIPAA provides no private right of action, the patient or plan participant whose records were viewed without authorization could assert common law, privacy-based claims, alleging vicarious liability on the employer’s part for the employee’s unauthorized access. Finally, the unauthorized access likely would constitute a security breach under HIPAA’s new security breach notification requirements. Were the snooping employee to access the records of 500 or more patients or plan participants, the employer would be required to notify not only the voyeur’s victims but also HHS and prominent media outlets in the state where the victims are located.

The jailing of the Chinese researcher highlights the fact that providers and employers no longer can be complacent about HIPAA compliance. Both health care providers and employers offering HIPAA-covered health benefits should revisit and, if necessary, update the policies they adopted when HIPAA first went into effect more than six years ago. Compliance efforts should focus, in particular, on preventing the types of conduct most likely to trigger security breach notification obligations, such as unauthorized access to and disclosures of health information and the loss or theft of equipment containing health information in unencrypted form. While technologies such as encryption and data loss prevention software can go a long way towards to reducing risk, providers should consider robust and frequent training programs that convey the message there is no such thing as “a littler harmless snooping” when it comes to patients’ and plan participants’ medical records.

This entry was written by Philip L. Gordon.

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) to permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?
 

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the license health care professional or certified genetic counselor receives the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.