Workplace Privacy, Data Management & Security Report

Stolen Laptops = HIPAA Settlements Totaling Nearly Two Million Dollars

Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolution agreements, as they are instructive in handling a key area of risk for just about any such organization – electronic mobile devices – which are frequently lost or stolen, and frequently not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, OCR claims that although Concentra identified the lack of encryption as a risk, it failed to adequately remediate or manage that risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine that encryption is not reasonable and appropriate, implement an equivalent alternative measure (or measures) to encryption if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.
  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.
  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.

Fulbright’s Litigation Survey Addresses Privacy in the Age of Social Media and Mobile Devices

Norton Rose Fulbright recently released the results of its 9th annual litigation trends survey. The Fulbright survey reflects information collected from 392 in-house attorneys, including 82% identifying themselves as general counsel and 14% as head of litigation. Additionally, the companies responding to the survey represent virtually all industries, include entities of all sizes, and are almost evenly split between public and private.

Notably, the survey addressed several key areas of workplace privacy. Specifically:

  • Privacy & Data Protection: Nearly one-third of all respondents encountered issues involving privacy and/or data protection in disputes or investigations in the past 12 months. Issues arose most frequently in the context of collecting data from company equipment and from employees’ personal equipment. Companies were also concerned about the use of third-party vendors to collect and process data.
  • Cloud Computing: One-third of responding companies utilized the cloud. Of those companies, a third have had to preserve or collect data from the cloud in connection with actual or threatened disputes or investigations.
  • Employees & Social Media: About one-fifth of all companies responding had to preserve or collect data from an employee’s personal social media account in connection with a dispute or investigation. But only 9% of U.S. companies reported having to actually produce, as part of discovery, information stored on social media.
  • Mobile Data: 41% of U.S. companies have had to preserve or collect data from an employee’s mobile device for a dispute.

We have previously addressed each of the issues above, and highlighted many of them in our Top 14 for 2014. We can expect that as technology continues to grow and advance, its reach will continue to extend into the litigation arena, and companies will need to be proactive in addressing these issues.

Iowa Amends Its Breach Notification Law, Attorney General Notification Required For Breaches Affecting More Than 500 Iowans

Iowa made changes to its breach notification law (Iowa Code § 715C.1 et seq.) when the state’s Governor, Terry Branstad, signed S.F. 2259 into law. The amendment makes the following key changes which become effective July 1, 2014:

  1. The existing law applies to “computerized” personal information. The amendment clarifies that this includes personal information maintained in any medium, including paper, transferred to that medium from computerized form. So, paper files printed from a computer that contain the elements that constitute personal information (e.g., name and Social Security number) can trigger a notification obligation under Iowa law. The breach notification statute in Indiana has a similar rule.
  2. For breaches that affect more than 500 residents of the state, the statute now requires that notice also be made to the Director of the Consumer Protection Division of the Office of the Attorney General, in addition to the affected individuals. A similar change was made in California.

The nuances of breach notification laws across the country continue to grow in number and further complicate responding to multi-state breaches. Whether a national standard will resolve this challenge remains to be seen. In the meantime, companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.
Kentucky Enacts a Data Breach Notification Law and Protects Student Data in the Cloud

Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.

Data Breach Notification Mandate

The Kentucky law follows the same general structure of many of the breach notification laws in the other states:

  • A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law refers only to “acquisition,” not “access,” and appears to have a risk-of-harm trigger.
  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
  • “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number; (ii) driver’s license number; or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
  • If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire, and New York.
  • The law excludes persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, covered entities, business associates and certain vendors have their own breach notification requirements.

Protections for Student Data In the Cloud

The law is designed to protect student data stored in the “cloud” at educational institutions, public or private (including any administrative units), that serve students in kindergarten through grade twelve. We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means

any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.

Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.

Specifically, the law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Processing is defined quite broadly: it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”

While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974, also known as “FERPA,” it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.” Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.
EEOC Meeting: Social Media Discovery Chills The Exercising of Rights

The United States Equal Employment Opportunity Commission (EEOC) recently held a meeting to gather information about the growing use of social media and how it impacts the laws the EEOC enforces.

During the meeting, a panel representative from the Society for Human Resource Management (SHRM) explained that employers use different types of social media for various reasons, including: employee engagement and knowledge-sharing; marketing to clients and potential customers; crisis management; and recruitment and hiring.

Others noted that while social media has benefits and can be a valuable tool, the improper use of information obtained from such sites may be discriminatory, since most individuals’ race, gender, age, disability, and possibly ethnicity can be discerned from information on social media sites. This is especially important in states which have prohibited employers from requesting access to employees’ or potential employees’ social media accounts.

Perhaps the most telling area discussed during the meeting was the increased use of social media as a source of discovery in employment discrimination litigation. While there appears to be no dispute that public social media content is accessible by all, a Senior Trial Attorney in the EEOC’s Denver Field Office warned that the increased effort to access potentially aggrieved persons’ private social media communications may have a chilling effect on persons seeking to exercise their rights under federal anti-discrimination laws.

The EEOC has often taken the position that social media content is not relevant, while many employers have utilized social media to gain valuable discovery, especially with regard to emotional distress damages. The EEOC’s position is now being mirrored at the state level, where plaintiffs assert that their social media content is not relevant. However, defendants (often employers) have benefited from obtaining social media content to dispute a plaintiff’s claims, especially when the defendant is able to demonstrate the relevance of the social media content to the litigation.

Social media, and especially the discovery of it, is one of the most important and ever-evolving areas of employment law. Litigants and employers must be prepared for the nuances associated with social media and the current state of the law in the local jurisdiction.

Healthcare Employer’s Termination Letter Provides Basis For Court to Allow Discovery of Patient Contact Information

Written by Jeffrey M. Schlossberg

Employers faced with the inevitable task of terminating an employee’s employment often ask whether to provide the employee with written reasons for the termination; or, if they are required to provide an explanation of the termination, they ask what should be included in it. Except in a limited number of states (and except where an employment agreement provides otherwise), a written statement of reasons is not required. Indeed, the general rule of thumb is not to provide written reasons. Perhaps the employer in Peace v. Premier Primary Care Physicians, S.C., should have followed the rule of thumb. In a recent decision, a federal court in Illinois ordered the disclosure of patient contact information because the employer had indicated in its termination letter that patients had complained about the plaintiffs.

In Peace, two former employees sued seeking unpaid overtime and damages for alleged retaliation. During discovery, plaintiffs sought the names and contact information of defendant’s patients. The basis for the request was that the termination letter said, among other things, “Patients have complained that you are rude and unhelpful to them on the phone and when they are in the office. Patients have reported not receiving reminder calls for their appointments.” The court noted that the letter contained other examples of patient complaints, but that none of the patients was identified. The employer objected to the disclosure of patient names contending that “their patients’ privacy rights outweigh the plaintiffs’ interest in obtaining discovery. . . .” The court rejected the employer’s argument and ordered the disclosure of the patient contact information noting that privacy concerns were minimal (since plaintiffs were not seeking actual medical records) and were outweighed by plaintiffs’ right to relevant discovery.

The fact that the court ordered disclosure of even limited protected health information highlights the importance the court attached to the contents of a written employment termination letter. A termination letter can become the proverbial “Exhibit A” should an employment claim be filed, at least in connection with requests for discovery. Anything contained in the letter will be the subject of scrutiny and discovery. Had the employer not provided the letter (or, provided a letter with a more general explanation), it is likely that the plaintiff would not have had such a focused target of discovery, one that in this case is likely to affect the practice’s business beyond its HR department. Of course, the information may have come out at some point in the case, but by that time, it may have been late in discovery where plaintiff would have had less time to explore these issues, or the case may have settled. The bottom line here is to give serious thought before providing a written statement of reasons and, if doing so, consider carefully the letter’s contents.
Use of HIPAA-Protected Personal Health Information by Employer Investigating FMLA Issue Not Barred

The 11th Circuit Court of Appeals has rejected the appeal of a former City of Daytona Beach Fire Inspector who argued that the City improperly used her “personal health information” to defend itself against her lawsuit for interference under the Family Medical Leave Act. In Bailey v. City of Daytona Beach Shores, the City fired its Fire Inspector, Christine Bailey, after it learned that, while she was on FMLA leave, she made claims under the City’s self-funded health plan for reimbursement of the cost of prescription narcotics without informing the City of her use of such drugs, in violation of the City’s drug-free workplace policy. In response, Bailey sued the City for FMLA interference and retaliation. During the underlying lawsuit, she moved to strike the City’s use of her personal health information on the grounds that disclosure of her HIPAA-protected personal health information would violate the Health Insurance Portability and Accountability Act (“HIPAA”).

Health plans, like the one sponsored by the City, are “covered entities” under HIPAA and the use of protected health information from those plans for employment purposes is prohibited. Apparently, the Department of Health and Human Services notified the City that using the personal health information from the City’s plan for employment-related decisions would violate Bailey’s rights under HIPAA. We regularly advise employers who sponsor health plans, particularly self-funded plans, that individually identifiable health information they obtain in connection with plan administration services they provide for those plans cannot be used in the course of making employment decisions, absent the individual’s authorization or some other exception.

Affirming the trial court’s rejection of Bailey’s motion to strike, the 11th Circuit determined that while HIPAA prohibits the use and disclosure of personal health information in employment-related decisions, it does not bar a defendant in litigation from using the plaintiff’s personal health information to defend against that lawsuit. Thus, at least in the 11th Circuit, “fruit of the poisonous tree” can be used by employers to defend their employment decisions made based on fruit from their HIPAA-covered plans. The court further rejected Bailey’s FMLA interference and retaliation claims on grounds that the City proved it would have taken the same action, i.e., firing her for violations of the City’s drug policy, if she had not taken FMLA leave.

The 11th Circuit’s ruling may appear to be a victory for defendants in litigation who seek to use plaintiffs’ HIPAA-protected personal health information to defend themselves from plaintiff allegations that involve such information. However, the Court seems to gloss over the distinction made in the HIPAA regulations between functioning as a covered entity-health plan and functioning as an employer. The employee was suing the employer in this case, not the plan, and the employer, functioning as an employer, simply should not have had access to this information. The effects of this decision may be problematic for employers that do not read this decision and HIPAA carefully. Specifically, some employers may be encouraged to tap into health plan claims records more freely, not for plan administration purposes, but for employment purposes, believing that information can be used to defend their employment decisions in subsequent litigation.

Of course, while there may not be a private right of action under HIPAA, using protected health information in that way could expose the health plans, and in effect the employers, to investigations by the Office for Civil Rights. The 11th Circuit focused only on the use of personal health information in litigation, but whether such information is used in litigation or not does not remedy any underlying HIPAA violation. HIPAA would bar an employer from reviewing a prescription claim submitted to its health plan for the purposes of making an employment decision, irrespective of any litigation involving the disclosure or use. It remains to be seen whether a claimant who successfully files a HIPAA complaint with the Office for Civil Rights would be able to obtain a different result from a court addressing that party’s personal health information in the litigation context, the Bailey case notwithstanding.
IRS Guidance for Bitcoin in Time for Tax Season

Written by Tyler Philippi

In an earlier post, we discussed the basics behind how Bitcoin operates and how it might create unique issues for employers. In the span of just a little over a month, the Bitcoin community has had its share of stories in the news cycle. One of the largest exchanges, Mt. Gox, has filed for bankruptcy following an apparent security breach costing customers and the exchange nearly $500 million. Within a couple of weeks of Mt. Gox’s demise, Newsweek claimed to have identified the creator of the virtual currency, known only as Satoshi Nakamoto (the pseudonym used in the white paper that laid out the cryptographic framework for bitcoin operations). Whether the person identified really is Nakamoto is still debated, but stories like this and the fall of Mt. Gox continue to add to the mystery that is bitcoin.

Yesterday, the IRS removed some of that mystery when it released guidance on the tax treatment of bitcoin and other virtual currencies (on what just happened to be day one of a virtual currency industry summit in San Francisco). One of the appealing factors for users of the virtual currency is that it is an unregulated peer-to-peer network, meaning it is not tied to any central monetary authority. The IRS’s guidance was expected, but many in the Bitcoin community believed that bitcoin would be treated like any other foreign currency. Apparently relying on the premise that bitcoin does not have legal tender status in any jurisdiction, the IRS has determined that bitcoin should be treated as property for tax purposes.

IRS Notice 2014-21 is somewhat of a blow to bitcoin users because the exchange of property, even to buy a cup of coffee, is now a reportable event. The notice provides that virtual currency is treated as property for U.S. federal tax purposes. General tax principles that apply to property transactions apply to transactions using virtual currency. Among other things, this means that:

  • Wages paid to employees using virtual currency are taxable to the employee, must be reported by an employer on a Form W-2, and are subject to federal income tax withholding and payroll taxes.
  • Payments using virtual currency made to independent contractors and other service providers are taxable and self-employment tax rules generally apply. Normally, payers must issue Form 1099.
  • The character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.
  • A payment made using virtual currency is subject to information reporting to the same extent as any other payment made in property.

This may sound like an insurmountable hurdle of onerous recordkeeping for virtual currencies, but automated accounting solutions are already in the works with more likely on the way. With a request for public comments included in its guidance, the IRS has signaled that these rules are not set in stone and changes may be ahead to the tax treatment of virtual currencies.

What seems unlikely to change is the continuing momentum bitcoin and other virtual currencies appear to be gaining. The failure of Mt. Gox may have been bad for Bitcoin’s public image, but supporters of the virtual currency seem undeterred. Despite security concerns, Bitcoin ATMs continue to pop up in the United States and abroad. The number of e-commerce retailers accepting bitcoin has outpaced those accepting in-store purchases, but that is starting to change. And even if your store of choice does not let you spend bitcoins, other companies have begun to find innovative ways around that problem too.

But perhaps the most intriguing item on the horizon is the race to open regulated investment funds and exchanges in the United States. Bitcoin might soon see an enormous influx of capital if investors are comfortable with the regulatory safeguards. The hope among the Bitcoin community is that this will lead to new innovations, making the use of virtual currencies more prevalent and practical for everyday use.

New technologies almost always trend to the ‘more’ side of the spectrum. Whether Mr. Nakamoto’s (who(m)ever he or she is) vision of a global economy utilizing peer-to-peer transactions will come to pass is anyone’s guess, but you may not want to bet too much bitcoin against it.