What's On Your Mind?

In recognition of Data Privacy Day (January 28, 2012) and to facilitate a more interactive experience for our readers and subscribers, we want to extend to you the opportunity to tell us what is on your mind in the world of data privacy, social media and information management.

For the last two years, we have brought you developments on a wide range of issues concerning these topics. We realize many of you might like us to report on or provide information concerning certain issues/topics that we have not covered before. If so, please tell us!

To submit a topic, you can email us at informationrisk@jacksonlewis.com, or reach out to us through our Workplace Privacy Report on Facebook and Twitter. Feel free to “Like” our Facebook page and “Follow” us on Twitter by clicking on the corresponding buttons on the right below. If we select your topic, we will reach out to you privately to see if you would like us to identify you in the responsive post.

Of course, what would any communication from a lawyer be without a DISCLAIMER?

We look forward to hearing from you!

Second Social Media Report From NLRB Acting General Counsel

Today, the NLRB's Acting General Counsel posted a second report concerning social media issues and the National Labor Relations Act. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. Look for follow-up analysis from us and our Labor partners.

Check out our prior reporting on related developments.

Social Media Guide for Hospitals

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. This growth is likely due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

  • Understand the medium - what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
  • Determine desired uses - promotion of services/sales, recruiting, reputation management, community involvement, education, and so on. 
  • Assess risks - privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
  • Develop policies and procedures - control company message and regulate employee activity.
  • Implement, train and reevaluate - limit the number of employees who can speak for the organization, train employees on legal risks (such as HR looking up applicant/employee background information online), and determine whether the social media plan is producing the desired results.

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.   

Mere Placement of Surveillance Cameras in Restroom Sufficient for Iowa Invasion-of-Privacy Claim

An invasion-of-privacy claim against an insurance agent brought by his former employee should proceed even where a surveillance camera placed by the agent in the workplace’s unisex bathroom was faulty, the Iowa Supreme Court has ruled. Koeppel v. Speirs, No. 08-1927.

The district court dismissed the invasion-of-privacy claim on summary judgment because there was no proof that the equipment was operational or that the employer had actually viewed any recordings of the employees. The Court of Appeals reversed the dismissal, and on December 23, 2011, the Iowa Supreme Court affirmed the reversal and remanded the employee’s common law privacy claim to the district court.

The issue before the Iowa Supreme Court was whether an actual "viewing" was a necessary element of an invasion-of-privacy claim involving hidden monitoring equipment. Courts in other states have split on the issue. After analyzing decisions from other states and law review articles on privacy law, as well as the origin of the term "peeping Tom," the Iowa Supreme Court held that an actual viewing was not required. Following the reasoning of a 1964 New Hampshire Supreme Court decision, it concluded an intrusion occurs when the defendant performs an act that has the "potential to impair a person's state of mind and comfort associated with the expectation of privacy."

The Iowa Supreme Court said, "[W]e think it is important to keep in mind that the tort [of invasion of privacy] protects against acts that interfere with a person's mental well-being by intentionally exposing the person in an area cloaked with privacy." It determined that “[a]n electronic invasion occurs under the intrusion on solitude or seclusion component of the tort of invasion of privacy when the plaintiff establishes by a preponderance of evidence that the electronic device or equipment used by a defendant could have invaded privacy in some way.” Thus, under Koeppel, a victim's mental state can be more important to an invasion of privacy claim than what the defendant actually viewed, accessed, or shared. (The employee here also sued for sexual harassment, but that claim was dismissed because an employer with fewer than four employees is not liable for sexual harassment under Iowa law.)

An invasion-of-privacy claim in Iowa, therefore, need not include a showing that the monitoring device was functioning at the time it was discovered or that it was ever used. It is sufficient that the device was capable of functioning.

School Kids' Data at Risk

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

Wall Street Journal Article Is Reminder to Employers Concerning NLRB Focus On Social Media

A Wall Street Journal article on December 2 discusses the National Labor Relations Board's emergence into social media and non-union workplaces. For employers that have not looked at their policies and practices concerning employee activity in social media, this article serves as a good reminder. 

Click here for more information.   

The Computer Fraud and Abuse Act -- Does It Apply To An Employee's Personal Computer?

Many employers question what recourse is available when faced with the destruction or alteration of company data by former employees. This question is made more complicated when employees use their own personal computers for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern Division, held that an employee's use of her personal computer to delete e-mails on her employer's computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims. Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it. Although defendants cited no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim. Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization, and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them.

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

Decision on Genetic Information Privacy Issued by Minnesota Supreme Court

The Minnesota Supreme Court issued a decision on November 16, 2011 holding that the state's Genetic Privacy Act, Minn. Stat. Section 13.386 (2010) restricts the collection and use of blood samples taken from newborns pursuant to the state's Newborn Screening Statutes, Minn. Stat. Section 144.125-128.  The litigation, captioned Bearder et al v. State of Minnesota, was initiated by a group of families with children born between 1998 and 2008 who challenged the newborn screening program run by the Minnesota Department of Health ("DOH"). The DOH's program requires the collection of blood samples from newborn children within the fifth day of birth. The DOH analyzes the sample for the presence of substances that indicate the presence of a metabolic disorder. Only one of the many tests, a second level test for cystic fibrosis, analyzes DNA or RNA.  If a portion of any blood sample remained after screening tests were completed, the DOH either stored the sample indefinitely or allowed the Mayo Clinic to use the samples for unrelated studies, provided the samples had been either de-identified or Mayo had received written consent from the child's legal guardian.

Plaintiffs claimed that the Minnesota Genetic Privacy Act required the DOH to obtain informed consent before it could collect, use, store, or disseminate the samples that remained after the newborn health screening was complete. The trial court and Minnesota Court of Appeals rejected plaintiffs' argument, but the Minnesota Supreme Court reversed, holding that the Genetic Privacy Act placed limits on the DOH's practices. A central question in the case was whether a blood sample was properly considered "genetic information" as the term is defined in the state law. The Court held that it was, with one justice dissenting on that question.

Minnesota's Genetic Privacy Act was passed in 2006 as part of the Data Practices Act, which governs the use and disclosure of information by state and local government. Although it is unclear whether the Minnesota Legislature intended to limit section 13.386 to public entities, the plain language of the statute suggests it may govern the collection of genetic information by private companies and employers as well. It certainly serves as a reminder that there is a growing body of federal and state regulation in the area of medical privacy. The lawsuit also highlights the public's growing concern about the use of genetic information and may portend more litigation under federal laws such as GINA - the Genetic Information Nondiscrimination Act.

Record Retention and Notice Requirements Go Into Effect for New Jersey Employers

Record keeping requirements in New Jersey add to the complexities multistate employers face trying to develop strong and practical record retention programs. Garden State employers must conspicuously post and distribute to employees a notice and maintain certain records according to a law, N.J.S.A. 34:1A-1.11 et seq., that went into effect on July 13, 2010.

To assist employers, the New Jersey Department of Labor and Workforce Development (“NJDOL”) published a notice entitled, “Employer Obligation to Maintain and Report Records,” that employers can post and distribute. According to the law, employers must 

  1. post this notice immediately in the workplace;
  2. provide each employee hired prior to November 7, 2011, a written copy of the notice no later than December 7, 2011; and
  3. provide employees hired after November 7, 2011, a written copy of the notice at the time of hire. 

Click here for more information concerning the posting and other requirements of the law.

Automating HIPAA Compliance Tracking and Audit Preparation

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding to customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

  • Where are the current policies and procedures for your department concerning privacy and security?

  • Would you please send me the training sign-in sheets for your group? Why was that group not trained?

  • Where are the signed copies of the business associate agreements? Is this all of them?

  • Where can I find a copy of the risk assessment for your department? Is it updated?

  • How was that complaint resolved? Were there any others?

  • Do you have all of the documents for the data breach that affected the radiology department?

  • Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example:

  • Allow different departments/groups to log on and update their compliance efforts,

  • Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

  • Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

  • Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

  • Track and document responses to patient complaints,

  • Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish an audit trail for creating a “defensible position” to regulators.

  • Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

  • Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

  • Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

OCR Announces HIPAA Audit Program

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

Update: Ninth Circuit to Rehear CFAA Case

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. What is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

Provide Feedback to Government on Exchanging Health Information on Mobile Communications Devices

If you have an interest in the role the growing use of mobile communications devices (smart phones, iPads, iPhones, etc.) will play in how personal health information is exchanged in the health care industry, the Office of the National Coordinator for Health Information Technology (ONC) is seeking your input. According to a notice published Nov. 1, 2011 (76 Fed. Reg. 67455), comments are due Dec. 31.

As part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, ONC is proposing to conduct a nationwide communication campaign to meet the Congressional mandate to educate the public about privacy and security of electronically exchanged personal health information. To conduct the campaign effectively, ONC requires "formative and process information" about different segments of the public. Among other things, ONC is seeking comments on consumer attitudes and preferences about the use of these devices to exchange health information, including how privacy and security information is presented electronically to consumers.

Unauthorized Employee Recommendations, References on Social Media May Put Employers at Risk

Written by Alexander Nemiroff

Employers are beginning to realize that their employees are sending or receiving recommendations on social media sites, such as LinkedIn, that are inconsistent with the employer’s policies, or worse, are false or fraudulent. They need to do something about it.

A large number of social media web sites are allowing users to recommend the work performance or services of co-workers, vendors, and customers. Unfortunately, many employers are not paying attention to this phenomenon. To their chagrin, they are discovering serious problems with these recommendations only when it is much too late.

For many years, attorneys have advised employers that providing positive or negative references for former employees can be problematic. Negative references for employees can often lead to defamation actions. As for positive references, a number of courts have found employers liable who provided false positive references for former employees that employers knew had committed crimes or engaged in other misconduct. As a result, many employers today simply provide neutral references for all former employees.

Unsanctioned recommendations appearing on social media sites also can cause complications for employers. Take, for instance, an ill-timed positive reference published by a manager on a social media site extolling his former employee’s honesty while, at the same time, but unbeknownst to the manager, the employer was contemplating litigation against the former employee for taking trade secrets or other confidential business information as he was leaving. 

Anonymous recommendations or endorsements by employees also may run afoul of the Federal Trade Commission’s Guidelines on the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. § 255. For example, employees anonymously endorsing their own company’s products without full disclosure of their relationship may trigger liability. The Guidelines require not only full disclosure of such relationships, but that employers have procedures in place to prevent such an endorsement from being made.

To avoid these issues, employers should take several steps. First, employers need to amend their written social media and/or reference policies to address unauthorized employee recommendations and references on social media sites. Depending upon the circumstances, barring employees from making such references may be appropriate. However, this is not always practical or prudent for employers who are encouraging employees to promote their businesses through social media. Under these circumstances, employers may require that employees request authorization from their human resources department or other designated individual before making references or recommendations, and to make any necessary disclosures.

Simply amending social media and references policies and procedures, however, may be insufficient. Employers need to be vigilant and proactive in this area. Appointing suitable personnel, and perhaps a social media manager, to monitor public social media sites to ensure that employees are not violating these critical policies, is another measure employers should consider. When monitoring, special care should be taken by governmental entities not to violate an employee’s constitutional right to privacy and by private employers not to infringe upon laws protecting employee off duty or protected concerted activities. 

SEC Guidance Related to Reporting Cyber Risks and Incidents

The Securities and Exchange Commission's Division of Corporation Finance provided guidance to public companies on October 13, 2011, about their disclosure obligations concerning cybersecurity risks and cyber incidents. The Division is careful to point out that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. So, while this guidance does not establish new obligations for registrants, it seeks to help them understand their existing disclosure obligations as they relate to increasing cyber risks.

The guidance summarizes the kinds of attacks that may raise concerns:

  • unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption;
  • causing denial-of-service attacks on websites; or
  • third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

Concerning the disclosure obligation, the Division observes:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

In determining whether risk factor disclosure is required, including whether to include cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), registrants will need to consider all of the facts and circumstances, such as:

  • prior cyber incidents;
  • severity and frequency of those incidents;
  • the probability of cyber incidents occurring;
  • the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
  • the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware; and
  • whether the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

At the same time, the Division does not expect a registrant will make a disclosure that itself would compromise the registrant’s cybersecurity.

As cybersecurity risks continue to grow and cyber incidents become more widespread, all companies need to assess and address these risks. For public companies, this is even more critical given their reporting requirements. 

The Social Media Manager/Guru/Wizard/Ninja/Diva

Have you hired a social media manager? A social media guru/wizard/ninja/diva? Each of these job "titles" is increasingly being used by companies to attract individuals who specialize in marketing a company's brand and/or services in social media. A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles are becoming in corporate America.

As companies struggle to keep up with the rapidly evolving world of social media, they are turning to hiring social media managers to handle their social media presence. However, companies should be leery of the “jump first, look second” approach. In fact, several key questions should be asked when delving into the realm of social media and hiring a new, typically younger employee with responsibility for a company’s social media existence and, therefore, its brand.

Qualifications:

  • What qualifications are you looking for? Often companies seek a younger employee who is "tech-savvy." Traditional employment issues notwithstanding (i.e. age discrimination when an "older" employee is not hired/considered for a position), companies must also consider what their social media mission/focus will be. For example, to the extent a company utilizes social media as a marketing tool, will you want your social media manager to have a background in marketing? Similarly, to the extent you wish to utilize social media to handle client/customer complaints, will you want your social media manager to have a background in customer relations? Will you hire an external candidate who is perhaps unfamiliar with your company and its mission, or will you hire an internal candidate?

Responsibilities:

  • What products/services will the social media manager be responsible for discussing/marketing?
  • Will the social media manager have total freedom to explore and execute social media opportunities? 
  • What policies will the social media manager be responsible for implementing?  Will the social media manager have responsibility for implementing the company's social media policy to employees and managers as well?

Training/Protocols:

  • What training will be provided to your social media manager?  For example, will the social media manager be trained on what information he/she should or should not consider when examining posts by customers and/or employees? 
  • What policies will govern your social media manager’s employment?  Will the social media manager be permitted to “friend” employees/subordinates on social media or establish policies for employees to follow? 
  • What safety protocols will be in place? For example, if your company has a Facebook page, will your social media manager be responsible for maintaining the password and access to it? How will the company transition its social media presence if and when the social media manager separates from employment?

While the above list is by no means exhaustive, it demonstrates some of the additional considerations that must be examined when a company wishes to expand into social media.   Companies are often unaware of the need to consider these questions prior to implementing a social media policy or hiring a social media manager.  However, examining these points will help ensure your company’s social media experience flows more smoothly. 

Federal Contractors Required to Conduct Privacy Training Under Proposed Regulations

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor's work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

  • Contractors would be required to provide initial training and annual training for employees who either: (1) require access to a government system of records; (2) handle personally identifiable information; or (3) design, develop, maintain, or operate a system of records on behalf of the federal government.
  • Federal agencies are required to provide contractors the training materials unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
  • The contractor is responsible to ensure the training is completed, and must maintain documentation of the training.
  • Certain privacy clauses will need to be added to the contract between the contractor and the government.

Training must cover at least the following seven areas:

  1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
  2. The handling and safeguarding of personally identifiable information;
  3. The authorized and official use of government system of records;
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;
  6. Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and
  7. Any agency-specific privacy training requirements.

New Director of Office of Civil Rights Speaks About HIPAA Enforcement

"Enforcement promotes compliance" according to the new director of the Department of Health and Human Services' Office for Civil Rights, Leon Rodriguez, during an interview with HealthcareInfoSecurity's Howard Anderson. In September, Mr. Rodriguez replaced Georgina Verdugo, and enters his post with significant relevant experience. He was formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, a health care attorney in privacy practice, and a prosecutor at the federal and state level. 

On the upcoming HIPAA audits, Director Rodriguez had the following to say:

This is the first time we're doing it, so the first thing ... is for us to 'go to school' on how best we will run an audit program. In part, this is what you might call a pilot. We're going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals? 

The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit. Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program.

With HIPAA audits scheduled to begin in the next few months, covered entities and business associates should become familiar with HHS' new Director of Office of Civil Rights and his mission.

California to Restrict Employers' Use of Credit Reports Beginning 2012

Joining six other states, California will impose significant restrictions on an employer’s ability to obtain a credit report for employment purposes. The law becomes effective January 1, 2012.

California Assembly Bill 22, signed by Governor Jerry Brown, generally permits employers who are seeking to fill only specific, identified “exempt” positions to obtain and use credit reports to screen applicants and/or current employees. The use of the credit reports in other occupations generally is prohibited. Further, employers will be required to provide the employee or applicant with a disclosure statement setting forth the specific basis permitting the employer to obtain a credit report. 

Click here for more information about this law.