Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

More companies are becoming a part of the social networking community – setting up Facebook pages, “friending” their employees and customers, and so on. Businesses use these sites for a variety of purposes including marketing; client, employee and government relations; and community involvement. With lawmaking bodies and courts just beginning to struggle with the range of issues these new media create, companies should exercise caution and monitor the legal, technical, and other developments that may affect their involvement.

Companies already a part of (or thinking of joining) the social networking community should consider the effects on employee relations. In theory, the risks inherent in interactions between/among the company and/or its employees in a social networking environment are similar to risks the company faces in more traditional workplace settings such as the office or company-sponsored events. Online media, however, create some interesting questions:

• Are all of your employees aware of the company site so as not to feel left out?
• Do employees feel as if they must participate on the site – such as accepting other employees as “friends,” or agreeing with company posts? Do they need to be compensated for participation?
• Does a supervisor accepting some employees as friends and not others raise discrimination risks and morale concerns?
• Are employees free to dissent from company positions on its site? How far can employees go? Disciplining or terminating an individual’s employment with the company for activity on the company’s site or some other online social media can be risky on a number of grounds – such as under whistleblower laws (e.g., Sarbanes-Oxley and state/local laws), the National Labor Relations Act, and anti-discrimination and anti-retaliation laws.
• Does active company management of the site constitute monitoring of employee communications?
• How does the company handle the information about employees (and their dependents, friends and others) it may have access to as part of the employees’ participation in the network?

For sure, there are many areas about which companies need to think through as they consider their direct participation in the social networking community – the services of the social network provider, promoting the company’s presence in the community, consumer protection, copyright protections, and so on. Even the list above only begins to scratch the surface of the range of employment law issues that arise when an employer participates in this media.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Genetic Information Nondiscrimination Act (GINA) [pdf], signed into law in May 2008, prohibits discrimination by health insurers and employers based on individuals’ genetic information. Genetic information includes the results of genetic tests to determine whether someone is at increased risk of acquiring a condition (such as some forms of breast cancer) in the future, as well as an individual’s family medical history. It is family medical history information that presents the biggest challenge for employers.

In its announcement about the effective date of the regulations, the Equal Employment Opportunity Commission Acting Chair Stuart J. Ishimaru writes: 

GINA affirms the principle central to all employment discrimination laws – that all people have the right to be judged according to their ability to do a job, not on stereotypical assumptions . . . No one should be denied a job or the right to be treated fairly in the workplace based on fears that he or she may develop some condition in the future.

Specifically, the law prohibits the use of genetic information in making employment decisions, restricts the acquisition of genetic information by employers and others, imposes strict confidentiality requirements, and prohibits retaliation against individuals who oppose actions made unlawful by GINA or who participate in proceedings to vindicate rights under the law or aid others in doing so. The same remedies, including compensatory and punitive damages, are available under Title II of GINA as are available under Title VII of the Civil Rights Act and the ADA.

Acting Vice Chair Christine Griffin said,

Title II of GINA is an ideal complement to the ADA Amendments Act. With both laws now effective, American workers are protected if they experience discrimination because of their disability or because of impairments they may develop.

To date, employers’ only regulatory guidance for the employment provisions of GINA (Title II) is a Notice of Proposed Rulemaking, published by the EEOC March 2, 2009. For health plans, which are subject to Title I of GINA, interim final regulations become effective for plan years beginning on and after December 7, 2009.

Employers should be reviewing their employment practices and health plans and wellness plans for compliance with GINA as soon as possible.

Click here for more information about how GINA affects employers.

Click here for more information about how GINA affects health plans. 

Click here for more information about how GINA affects wellness programs.

Click here for information about the new Equal Employment Opportunity Poster that includes information about GINA.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As the holidays approach, more of us will be utilizing work time, and likely work resources, to handle our holiday shopping. Some of us may even post our shopping successes or gift ideas on Facebook or email coupons to friends. Doing so not only results in a loss of employee productivity, but also creates significant risk that personal data will be breached, or employers’ software or hardware compromised. 

A recent survey conducted on behalf of the Information Systems Audit and Control Association (“ISACA”) found that over half of employees surveyed planned to shop online from a work computer this holiday season, spending nearly two full working days (14.4 hours) doing so. With convenience and boredom listed as the biggest motivators, one in 10 planned to spend at least 30 hours shopping online at work. 

The survey also found that those who shop online are more likely to engage in other high-risk behaviors, such as banking online, clicking on links from social networking sites like Facebook, and clicking e-mail links redirecting them to shopping sites. Employees engage in these high-risk behaviors with nearly universal disregard for the safety of the employer’s IT infrastructure. This is highlighted  by the fact that one in 10 Americans who use a mobile work device, such as a Blackberry or iPhone, plan to use it for holiday shopping, notwithstanding the lack of security measures on those devices.

Robert Stroud, international VP of ISACA and VP of IT service management and governance for the service management business unit at CA Inc., in connection with the survey above was quoted as saying,

[I]t’s unrealistic to think that companies can completely stop the use of work computers for online shopping…[W]hat companies can and should do is educate employees about the risks…and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.

The Wall Street Journal recently published an article highlighting employers’ efforts to monitor employees’ usage of company time and resources for personal e-mail exchanges, and suggesting a trend that courts seem to be more protective of employee privacy rights than in years past. The WSJ article raised a number of concerns for employers, including that of our own Jane McFetridge, a Jackson Lewis partner in our Chicago office - 

Employers are right to expect their employees when they are paid for their time at work are actually working.

What ever a company's policies are concerning managing or monitoring employee communications, now is as good a time as any to revisit those policies and remind employees of their existence. With the use of technology increasing and the position of the courts appearing to shift toward employees, it is becoming more difficult for employers to manage the employee use of their electronic systems. Having and communicating a clear and comprehensive electronic communications policy is critical.

Steps an employer can take include having acceptable-use policies, reviewing those policies with employees to educate them about the risks, and familiarizing themselves with state laws governing the monitoring of employee computer usage.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.

The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.

OCABR clarified in the final regulations that:

• those who store personal information must comply, and
• until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, as there may be similar requirements under federal or applicable state law (such as HIPAA or data security laws in Maryland, Oregon or Nevada). 

While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention. 

A checklist for the final regulations can be found here (pdf). 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Baltimore Sun reports that Baltimore police are investigating a security breach at Mercy Medical Center that left certain patient records open to possible identity theft. According to the article, affected former patients were sent a letter informing them that their personal patient records may have been accessed by a former employee in order to apply for credit cards and loans. A Maryland state law that became effective in 2008 would require Mercy Medical Center to notify these individuals promptly in the event of such a breach. 

This case is yet another example of personal information being accessed for improper purposes by hospital staff and demonstrates the need for hospitals to establish strict privacy controls and notification procedures.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In another recent example of a law firm running afoul of privacy requirements in litigation (See also the discussion of Kim v. St. Elizabeth’s), U.S. District Judge Michael Davis recently assessed a $5,000 sanction against the law firm for electronically filing an affidavit that contained the Social Security numbers and dates of births of 179 people. Engeseth v. County of Isanti, No. 06-CV-2410 (D. Minn.), Oct. 20, 2009. The court’s order was premised on Rule 5.2(a) of the Federal Rules of Civil Procedure which states that filings in federal court may only include the last four digits of an individual’s social security number or taxpayer identification number. Judge Davis noted that: 

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow the federal and local rules. 
(emphasis added)

In addition to the $5,000 sanction, Judge Davis required the plaintiff’s law firm to pay the costs associated with preventing identity theft for the 179 harmed individuals including informing the individuals and paying the costs of FICO standard services consisting of a credit report and a 12-month subscription to FICO Quarterly Monitoring.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As shown by a recent Illinois appellate court decision, Kim v. St. Elizabeth's Hosp., Ill. App. Ct., No. 5-08-0571, (Oct. 23, 2009), the patchwork of federal and state protections for certain types of information has made the process of responding to subpoenas more difficult. This is particularly the case with medical records.

Based on an Illinois law providing special protections for mental health records known as the Illinois Mental Health and Developmental Disabilities Confidentiality Act, the plaintiff in this case sued the hospital and her former husband’s law firm alleging the impermissible release of her mental health records in connection with a prior divorce action.

Absent an authorization from the individual, the Illinois Act prohibits any third party, including medical providers, from responding to a subpoena for mental health records unless the subpoena is accompanied by a written court order authorizing the disclosure. This requirement may be surprising to some, who assume that a subpoena is, itself, a request from the court. The law also prohibits the use of mental health records in litigation unless a judge makes certain findings after a review of the records.

In this case, the husband’s law firm served a subpoena on the health care provider seeking “any and all records regarding the care and treatment of” the plaintiff. While the appellate court wrestled with some procedural issues involving the lower court’s rulings, it held that the matter had not been fully considered and there could very well have been a violation of the Illinois law restricting the disclosure of certain mental health records.

This decision highlights the complicated tensions that arise in every state and federal court when medical records or other private information is requested during discovery. It also should be a reminder for hospitals and all other entities receiving requests for information to exercise the appropriate due diligence before responding.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

• Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
• Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law. 
• How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
• Is the process subject to collective bargaining?
• Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance. 
• Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
• Are there any specific issues/disclosures for public sector employees/applicants?
• Can the I-9 verification/e-verify process be completed on-line?
• Do the rules change for applicants from other countries?
• If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
• Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
• Can benefit plan enrollment forms be completed on-line?
• Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update existing enforcement regulations under HIPAA for statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and only address the provisions of the HITECH Act already in effect.

The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.

There have been a number of recent changes that enhance and strengthen HIPAA's enforcement provisions - the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations.  As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.

• Email This
• Print
• Comments
• Trackbacks
• Share Link