Header graphic for print

Workplace Privacy, Data Management & Security Report

HIPAA Privacy Rule Also Affected By Supreme Court’s DOMA Decision in U.S. v. Windsor

When the U.S. Supreme Court decided United States v. Windsor, it declared section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional. For many companies, the decision meant changes to certain of their employee benefit plans, as well as the tax treatment of employee contributions for same sex spouses. However, declaring section 3 of DOMA unconstitutional reached well beyond ERISA-covered benefit plans, changing the applciation of many federal laws, including the HIPAA Privacy Rule. Today, the Office for Civil Rights (OCR) provided guidance concerning Windsor’s application to the HIPAA Privacy Rule.

Under the HIPAA Privacy Rule, covered entities can share information about a patient’s care with the patient’s family members in various circumstances – those family members include spouses. In addition, the Privacy Rule provides protections against the use of genetic information about an individual. Genetic information includes certain information about family members (including, spouses) of the individual.

Based on the holding in Windsor, when the Privacy Rule uses the terms “spouse” and “marriage,” such as at 45 CFR 160.103 (definition of family member), lawful same-sex spouses have to be included. More specifically, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term “marriage” includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

The OCR guidance clarifies, for example, that in connection with the standard concerning uses and disclosures to those involved in an individual’s care (45 CFR §164.510(b)), in cases where covered entities are permitted to share an individual’s protected health information with a family member of the individual, family member includes legally married same-sex spouses, regardless of where they live.

Covered entities and business associates should review their practices and alert their workforce members of this development. OCR intends to issue additional clarifications through guidance or rulemaking to address same-sex spouses as personal representatives under the Privacy Rule.

 

Big Data in the Workplace, EEOC Attorney Urges Caution

You may have been reading about how “Big Data” technologies are being used for a variety of purposes, such as making purchase suggestions based on prior buying patterns or staging law enforcement resources based on predictions for where and when crimes are likely to occur. But these technologies also are being used in the human resources context, such as to better select and manage applicants and employees, and can be of significant value to human resources leaders, and the company generally. Of course, there are mixed views about the use of this technology, as well as legal risks that should be considered.

Earlier this year, for example, a Forbes article explored the concern that if too heavy a weight is placed on “data” in the recruiting process, the human element can be lost and the business might not be capturing the top talent for the position. Others have observed that analytics tools in this context fall short in that they “don’t directly assess whether a person can do a job” and base recommendations on correlations that might not translate into good performance.

Certainly the role big data analytics tools can and should play in the workplace will depend on a range of factors, not the least of which is whether they can actually produce results. Employers that are considering whether these tools can positively impact HR decision making should also be considering the applicable risks when using this technology, even if “big data’s” recommendations are only one of many factors in the ultimate decision.

Attorneys at the EEOC, for example, are already considering the potential ways that using “big data” tools can violate existing employment laws, such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the American with Disabilities Act and the Genetic Information Nondiscrimination Act. Law360 recently reported (registration required) on comments made by EEOC Assistant Legal Counsel Carol Miaskoff who discussed these potential risks and others during a workshop hosted by the Federal Trade Commission. There are, of course, a range of other potential issues including employee relations, labor relations, privacy and so on. At a minimum, employers need to proceed cautiously and be sure to maintain records that can verify their decisions were made lawfully.

HIPAA Reminders – Business Associate Agreement Deadline and Continuation of OCR Audits

I recently had the pleasure of speaking to a great group at the Connecticut Assisted Living Association (CALA) about HIPAA and a range of related practical issues. Many covered entities and business associates, particularly those that are small businesses, continue to work on understanding the privacy and security standards, and how to best apply them in their businesses and with their varied workforces. Compliance can be challenging, but it is important to get started and document the compliance steps taken. Here are some reminders about HIPAA privacy and security compliance:

  • Risk assessment. This is a critical step required under the security regulations. Many covered entities and business associates focus first on written policies and procedures to safeguard protected health information (PHI). But those policies and procedures need to address the risks and vulnerabilities to PHI, which can only be determined through an appropriate risk assessment. Of course, organizations need to continually assess their risks and vulnerabilities as their businesses change and grow.
  • Business Associate Agreements. The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes affecting “business associates.” Among those changes were updates to the “business associate agreements” that the HIPAA Rules require covered entities to maintain with their business associates, which could include claims administrators, consultants, cloud and other data storage providers. The final HIPAA regulations established a transition rule that permitted covered entities and business associates to continue to operate under certain existing business associate agreements for up to one year beyond the compliance date of the final regulations (September 23, 2013). That transition period ends this month. Accordingly, it is critical that business associate agreements be updated.A starting point for business associate agreement compliance is the set of sample provisions posted by the Office of Civil Rights. However, there are other issues that parties to the business associate agreement will want to address, such as, data breach coordination and response, indemnity, and agency status. Additionally, a number of state laws (e.g., California, Massachusetts, Maryland) require businesses to have contracts with third-party service providers to safeguard personal information, which likely will include information in addition to protected health information under HIPAA.
  • Data Breach Preparedness. Data breaches continue to happen across the country, exposing vast amounts of sensitive data. HIPAA regulations and laws in 47  states require a number of steps to be taken when a breach happens including notifying the affected individuals and certain governmental agencies. Absent a plan for responding, companies often find themselves ill-prepared to respond timely, correctly and completely. Responding timely is particularly important for avoiding an inquiry from a federal or state agency concerning a data breach. Having a plan and practicing that plan can significantly enhance a company’s ability to respond and minimize its exposure following a breach.
  • OCR AuditsIt is expected that the Office for Civil Rights, which enforces the HIPAA privacy and security rules, will be resuming its audit program this fall – which applies to both covered entities and business associates. There are many steps covered entities and business associates can take to be audit ready. Good documentation is one of the most important. OCR wants to be able to see that the organization has taken steps to address the standards under the privacy and security rules. A documented risk assessment, written policies and procedures, and sign-off sheets showing workforce members went through HIPAA training are all examples of documentation an OCR investigator would be expecting to find as part of the audit.

Being “compliant” is no small task, especially as each business has its own particular needs, risks, vulnerabilities, environments, and circumstances that have to be considered. Compliance for an assisted living facility, for example, might look a bit different than it does for a large metropolitan hospital, but many of the fundamental principles are the same.  The key is to get started, understand the risks to PHI, address those risks in a manner appropriate to the organization (one hundred and fifty pages of policies and procedures is not appropriate for many organizations) and under each of the required standards, implement appropriate policies and procedures, and document.

A Broadened Crackdown on EU/U.S. Safe Harbor Violations

In the wake of the Edward Snowden’s intelligence leaks and increasing concerns about the use of personal information, the Center for Digital Democracy recently filed a Fair Trade Commission complaint alleging that 30 US Databrokers and data management firms had violated the European Union’s Privacy Directive Safe Harbor framework.  According to the CDD, the collection of private data of EU residents, including online tracking, purchasing history, addresses, income and family structures, each violates EU Safe Harbor commitments made by the companies as required by the EU Privacy Directive. 

What is the Safe Harbor Framework and Why is it Useful?

The EU Privacy Directive establishes the protection of one’s personal data as a fundamental human right and prohibits the transmission of such data outside of the EU unless the covered entity or individual can certify that “adequate safeguards” are in place. This of course, raises issues when EU-protected personal data needs to be sent cross-border to U.S. businesses because the EU does not view the U.S. as having adequate safeguards. 

Exceptions are made where U.S. companies use EU-approved standard contractual clauses (SCCs), which embody key EU privacy principles. In the case of transfers of personal data across EU borders within a multinational corporation, the EU has issued approved binding corporate rules (BCRs).

Yet, the biggest exception to the directive’s prohibitions on transmission of personal data is the EU’s “safe harbor”.  Under that safe harbor, data can be transmitted to third party nations where “the third country in question ensures an adequate level of protection and the [EU] laws implementing other provisions of the Directive are respected prior to the transfer.”  Companies seeking protection of the safe harbor certify their compliance with the Directive’s seven privacy principles and subject to themselves to enforcement by the Federal Trade Commission in the event of non-compliance. More than 3,000 U.S. businesses have enrolled in the Safe Harbor program, and it underlies millions of data transfers from the EU. 

U.S. Criticized for Lax Enforcement of Safe Harbor

The EU Data Protection Authority and the CDD have each recently criticized the FTC for its weaker enforcement of what the EU deems to be privacy violations. And the CDD’s complaint alleges more than just personal data has been used by the 30 companies it targeted in its FTC complaint.  As CDD’s Legal Director Hudson Kingston has explained, “CDDs complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce . . . The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”

Jeff Chester, CDD’s executive director further elaborated in in a statement:  “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further the information-gathering practices without serious scrutiny . . . Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online

FTC Steps Up Safe Harbor Enforcement

 In an apparent response to some of these criticisms, the FTC has started to more actively enforce safe harbor violations in 2014. In January of this year the FTC announced it had settled privacy violations with 12 companies.  Then, in June 2014, the FTC announced that it had settled privacy violations under the safe harbor with 14 U.S. companies.  We expect increasing enforcement to continue in light of actions like the CDD complaint.

Companies Need to be Better Prepared to Respond to Problematic Social Media Activity, Including Facebook “Likes”

The National Labor Relations Board has found that another employer (a non-union employer) violated its employees’ protected concerted activity rights under the National Labor Relations Act (NLRA) when it disciplined and fired them for certain social media activity. Our Labor Group provides an extensive analysis of this decision in Triple Play Sports Bar and Grille, 361 NLRB No. 31 (2014).

The analysis of the issues in Triple Play, you will see, is quite fact intensive and requires some thought in applying the applicable legal principles – and that is just addressing the NLRA issues. When companies are faced with adverse social media activity or campaigns, whether it be by employees, customers, bloggers, etc., they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business and other risks in deciding what actions, if any, to take. The situation in Triple Play, and other activity in social media, provide good reason for companies to be better prepared and to have a plan. Many companies may already have a crisis management plan or a communications policy, but those plans and policies need to reflect the nuances of social media and other factors, such as who is engaging in the activity and what information is being communicated.

Here are some basic questions/issues that should be considered in any plan, which are by no means exhaustive:

  • Should we have resources proactively monitoring social media activity and communications that potentially affect the company, and what limitations should there be on that monitoring?
  • Who in the company should receive initial reports of a potential problem?
  • Who should be involved in the investigation? Do we need third-party forensic expertise?
  • Do we have insurance coverage for the particular incident?
  • How will the persons involved in the activity – employees, customers, bloggers, etc. – affect the process from a legal, business or other perspective?
  • How did we learn about, get access to the activity – was it permissible under the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA), state laws concerning social media passwords?
  • Is the information being communicated accurately?
  • Are we acting consistent with our own privacy and other policies in connection with the investigation?
  • Is the activity/communication protected – protections may exist under First Amendment, the NLRA, whistleblowing, or other sources?
  • Do we need to respond? How have we responded in the past to similar situations? Will a response only make things worse? If a response is warranted, what should it be?
  • What can we learn from this incident in order to avoid incidents like this in the future?

A little planning can go a long way toward minimizing mistakes and getting better results when companies face urgent situations that require immediate action.

Key Considerations When Monitoring Employees Using GPS Tracking Devices

With the proliferation of wage and hour litigation, especially in Florida which has the highest number of Fair Labor Standards Act (“FLSA”) cases filed annually nationwide, employers have sought for better ways to track employee work time in anticipation of defending against unpaid overtime claims. Additionally, employers have used monitoring devices in hopes of increasing efficiency, address safety concerns, ensure compliance with company policies, protection of employer-owned property; and for customer service purposes.  One such monitoring method is the implementation of global positioning system (“GPS”) devices on equipment, such as vehicles, cellular phones, laptops, IPADs.

Few courts have addressed the issue of GPS tracking in the employment context, although, most have held that employers may use tracking devices on company-owned equipment, where the employee does not have a reasonable expectation of privacy in its use. Several states, California, Minnesota, Tennessee, and Texas, have laws preventing the use of mobile tracking devices in order to track other individuals.  Common exceptions to these laws include the consent of the owner of the device or vehicle to which a tracking device is attached.

In addition to notice and consent, employers should consider whether employees have a reasonable expectation of privacy when using the equipment on which the GPS device is to be attached or installed.  A balance needs to be considered between the employee’s expectation of privacy, the reasonableness of the intrusion upon that privacy (i.e., being tracked by the employer), and the employer’s legitimate business purpose for utilizing the tracking device. These considerations are heightened when the device is attached to an employee’s personal property or to company owned equipment that the employee uses or transports after work hours and the tracking system continues to record such after-hour usage.

Tracking employees during non-work hours can be an invasion of the employee’s privacy, whether the tracking is done via the employer-owned or employee-owned equipment. When the device tracks non-work time, such as during the evenings, weekends, and when the employee is on vacation, the employer may gain private information about an employee that would be considered an invasion into the employee’s personal privacy.  For example, an employer may find out that an employee travels each day after work to a dialysis center; that the employee has a pattern of visiting gambling facilities; the employee’s travel habits; where and how often the employee shops; the amount of restroom breaks an employee takes during the day; the employee’s eating habits; the employee’s religious service attendance patterns or schedule; etc.  Not only does obtaining and acting upon such information potentially lead to employee claims of an unreasonable invasion of privacy, but could also lead to claims of discrimination or wrongful termination based upon off-duty conduct (where such claims are permitted under state law, such as in New York).

Thus, information collected through GPS monitoring should be focused on an employee’s job performance and disseminated only to employees who have a legitimate business reason for knowing the information. The tracking should be limited to the legitimate business purposes, conducted only during working hours, and provided the company has addressed the employee’s expectation of privacy. Policies should be carefully drafted to explain the legitimate business purpose, circumstances under which monitoring will take place, notice of the company’s right to monitor employee actions while using Company owned property, the GPS monitoring capabilities of the Company-issued property, and that employees should not have an expectation of privacy while using the same.  For employee-owned equipment, employers should have a carefully drafted Bring Your Own Device policy that provides for employee consent for use of the tracking device on the employee’s equipment, and be carefully limited to use only while the employee is working.

*UPDATE* Suit Against School District Regarding Tweet Settles

As previously reported, in a March 2014 filing titled H.W. v. Sterling High School District, a New Jersey high school student filed suit claiming school officials had violated her constitutional rights when they punished her for content she posted on Twitter which criticized Sterling High School’s principal.

The settlement, which was approved by the Sterling High School District in April and entered by the Court on July 29, 2014, provides that the district will reimburse the student $9,000 for her legal fees.   However, the district will not pay additional damages to the student.  In addition, the school district agreed to revoke punishments imposed against the student for her Twitter postings, expunge documents related to the incident from the student’s academic record, and abandon its attempted requirements for drug testing of the student.  Specifically, the agreement provides that the student is eligible for graduation upon completion of outstanding assignments, is allowed to attend the senior class trip to Florida, and if the student does not seek press coverage or disclose the settlement terms she will be allowed to participate in prom and the graduation ceremony.

Beyond agreements directly between the school district and the student, the settlement also calls of the school to modify its student handbook to specify that administrators “may be monitoring student discussions on Facebook, Twitter or other social media outlets and may seek to impose penalties in accordance with the student code of conduct if such discussions cause a substantial disruption at the school.”

Missouri Constitutional Amendment Protects Electronic Privacy

On August 5, 2014, Missouri voters approved Amendment 9 to the Missouri Constitution making Missouri the first state in the nation to offer explicit constitutional protection to electronic communications and data from unreasonable serches and seizures.

The official ballot title asked:  “Shall the Missouri Constitution be amended so that the people shall be secure in their electronic communications and data from unreasonable searches and seizures as they are now likewise secure in their persons, homes, papers and effects?”

The fair ballot language specified:  “A ‘yes’ vote will amend the Missouri Constitution to specify that electronic data and communications have the same protections from unreasonable searches and seizures as persons, papers, homes, and effects.  A ‘no vote will not amend the Missouri Constitution regarding protections for electronic communications and data.”

The measure, which was approved by nearly 75% of voters amended Section 15 of Article I of the Missouri Constitution to read:

That the people shall be secure in their persons, papers, homes, effects, and electronic communications and data, from unreasonable searches and seizures; and no warrant to search any place, or seize any person or thing, or access electronic data or communication, shall issue without describing the place to be searched, or the person or thing to be seized, or the data or communications to be accessed, as nearly as may be; nor without probable cause, supported by written oath or affirmation.

Missouri’s vote comes on the heels of the June 2014 U.S. Supreme Court’s ruling, as covered by CNN, that law enforcement must obtain a warrant to search cell phones seized during arrest.

Given the ruling of the Court, and this first measure by Missouri, it is anticipated that other similar constitutional protections will be extended to electronic communications and data.  Importantly, entities which operate as government contractors and/or entities which may be considered state actors due to their funding, should be aware of these developements to determine what if any potential impact exists for their business.

Report Says Russian Hackers Stole 1.2 Billion Usernames and Passwords, But Don’t Let “Breach Fatigue” Take Hold

In what is believed to be the largest security breach to date, the Associated Press reported that Russian hackers have stolen 1.2 billion user names and passwords. According to the AP, Milwaukee security firm, Hold Security, learned of the breach, but has yet to provide details about the series of website hackings believed to have affected 420,000 websites. Citing nondisclosure agreements, Hold Security has not named the hacked websites.

A concern raised by some is the “breach fatigue” that may be created by the continuing stream of news reports about breaches large and small, the notification letters that follow, and the repeated warnings and recommendations to individuals and businesses about addressing data security. This “condition” may be real, but it is a condition individuals and business have to overcome as “big data” and the “internet of things” (IoT) becomes more a part of our lives, creating value in data that criminals want to steal.

A frequent refrain from some, including many small businesses, is that incidents like these will not happen to them. But, as the L.A. Times reports, according to the National Small Business Assn., 44% of survey respondents had been victims of at least one cyberattack. For well over a decade, identity theft continues to be the top crime reported to the FTC. For businesses, the risk is more than whether a breach will happen and how to respond, it is the effects the breach can have on its reputation, the enforcement that increasingly follows these incidents at the federal and state level, and increased litigation including class actions. Late last month, for instance, the Massachusetts Attorney General’s office reported a $150,000 settlement with a local hospital based on allegations of failing to properly safeguard patient data and report the incident.

For many businesses, there are a number of “best practices” that are relatively easy to implement and can have a significant impact on reducing the risks of a data breach. Many say, yes, but where do we start. Logically, the starting point is gaining an understanding of the businesses’ data privacy and security risks – doing a risk and vulnerability assessment. There are a number of resources available to assist in designing and carrying out an assessment. For example, the National Institute of Standards and Technology (NIST) recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data.

The practical starting point, however, is getting management, C-suite support. Data privacy and security is an enterprise-wide risk which requires an enterprise-wide solution. Like many conditions, left untreated, “breach fatigue” can have significant consequences.