Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo until new regulations are published when responding to a security incident involving PHI.

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

Proposed Revisions to HIPAA Regulations

The U.S. Department of Health and Human Services (HHS) published on July 14, 2010, a voluminous Notice of Proposed Rulemaking (NPRM), containing dozens of proposed amendments to three sets of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations: the Privacy Rule; the Security Rule; and the Enforcement Rule. The proposed amendments are directed principally at implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which amended HIPAA and went into effect on February 17, 2010. A careful review of the NPRM for its impact on employers who sponsor HIPAA-covered plans reveals that, if the proposed changes were adopted, employers would be required to revise their business associate agreements, their HIPAA notice of privacy practices, and their policies for responding to access requests. The NPRM also provides employers with a roadmap for avoiding civil monetary penalties. To learn more about the NPRM and its implications for employers, please continue reading Littler's ASAP, What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?, by Philip L. Gordon.

New Compliance Obligations Under the Federal Fair Credit Reporting Act

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is best known for allowing consumers to annually request and obtain one free credit report from each of the nationwide consumer credit reporting companies, as well as creating new compliance obligations designed to reduce identity theft. However, the FACTA also amended the Fair Credit Reporting Act (FCRA) to, among other things, require federal agencies to implement new rules designed to increase the "accuracy" and "integrity" of information that "furnishers" provide to consumer reporting agencies. Consistent with this directive, on July 1, 2009, the Federal Trade Commission (FTC) and several other federal agencies issued a joint Final Rule that imposes additional regulatory requirements on businesses, including employers, that provide consumer information to consumer reporting agencies. The final rule is effective July 1, 2010.

To learn more about the joint Final Rule and its implications for employers, please continue reading Littler's ASAP, The Deadline is Fast Approaching: Effective July 1, 2010, Employers Have New Compliance Obligations Under the Federal Fair Credit Reporting Act, by Rod M. Fliegel and Jennifer L. Mora.

Oregon Issues Credit History Check Regulations

The Oregon Bureau of Labor and Industries (BOLI) issued final rules to implement restrictions on an employer's use of information contained in an applicant's or an employee's credit history. BOLI's final rules effectuate Oregon's new law, "The Job Applicant Fairness Act," which will go into effect July 1, 2010. To learn more about the regulations and their implications for employers, continue reading Littler's ASAP, Oregon’s Job Applicant Fairness Act Update - BOLI Issues Final Rules, by Howard Rubin and Janice Kim.

Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information cannot be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts.

This entry was written by Philip L. Gordon.

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

On October 16, 2009, New York State Supreme Court Justice Thomas J. McNamara issued a temporary restraining order in one of the lawsuits filed in Albany, proscribing the mandatory vaccination. The New York State Commissioner of Health and the New York State Hospital Review and Planning Council plan to vigorously defend the suit and the Commissioner’s authority to mandate vaccinations. The court scheduled an October 30 hearing regarding whether the restraining order should be lifted.

The temporary restraining order prohibits enforcement of New York’s mandatory vaccination law, but does not prevent employers from voluntarily offering influenza vaccinations to their employees. In addition, the temporary restraining order does not apply to employers outside the health care sector or to health care employers outside of New York. Nonetheless, employers should be cautious before implementing a mandatory immunization requirement. The EEOC recently issued guidance suggesting that mandatory immunizations might violate the ADA in certain circumstances. We will be publishing shortly additional recommendations in light of the EEOC’s recent guidance.

This entry was written by Philip L. Gordon.

New Regulations Create Potential Privacy Risk in Corporate Transactions

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issuers, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions, but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.

The Key Point: This hypothetical suggests by negative implication that acquiring companies must make a point of telling the acquired company not to provide the acquiring company with any "genetic information" when the acquired company turns over personnel records to the acquiring company. If the acquiring company fails to do so and receives any family medical histories — for example, one given in connection with a health risk assessment — the acquiring company has "collected" genetic information, apparently in violation of GINA. Notably, GINA does not include an exception for collection with the consent of the individual, so it appears that obtaining the subject employee's authorization would not defeat potential liability.

The Labor Department’s regulations go into effect on December 7, 2009.

This entry was written by Philip L. Gordon.

For further information and analysis, see "Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers" by Philip L. Gordon and Jennifer L. Mora and "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards.

Massachusetts Extends Deadline for Compliance with Data Security Breach Regulations

On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.

OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.

The new deadlines apply to three different sections of the regulations and are set forth below:

Written Information Security Program: The general deadline to comply with the regulations is now May 1, 2009. This means that by May 1, businesses must have developed and implemented what the regulations refer to as “a comprehensive, written information security program” to safeguard all personal information kept in paper and electronic format.

Third-Party Service Providers: By May 1, 2009, companies must be able to demonstrate that they have taken steps to verify that third-party service providers with access to the personal information of their clients, customers or employees have the capacity to protect such information. In addition, on or before January 1, 2010, businesses must obtain written certifications that such third-party service providers have established written, comprehensive information security programs designed to protect personal information.

Encryption: Businesses are now required to encrypt all personal information stored on laptops by May 1, 2009, and to ensure that all other portable devices (including PDAs, memory sticks, DVDs, etc.) are encrypted by January 1, 2010.

This entry was co-authored by Jennifer Bombard McGovern.