Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

The State of Minnesota has been smacked with a number of privacy-related district court lawsuits recently.

The most recent dispute arose after the state of Minnesota hired a Texas-based company, Lookout Services to perform E-Verify services for state employees as part of a U.S. Department of Homeland Security program to ensure that all employees of the state and its contractors have Social Security numbers and are authorized to work in the United States. A reporter for Minnesota Public Radio, Sasha Aslanian, discovered confidential data from state officials posted on the company's Web site, and reported the story along with a recitation of other recent privacy blunders by the state.  The story triggered a mandatory notification of a potential data breach under Minnesota law. In response, Lookout Services filed a lawsuit against both the state and Minnesota Public Radio alleging that Aslanian hacked into the site in violation of the Computer Fraud and Abuse Act.

A state agency, the Minnesota Department of Human Rights ("MDHR"), was the target of another district court action brought by a teacher who had been named as a witness in an action by the MDHR against the Anoka-Hennepin school district. The MDHR charge alleged in part that the teacher singled out a student for harassment because the student was gay. The MDHR settled the case, to which the teacher was not a party, with the school district and featured a description of the case as its “case of the month” on its website. The teacher sued and successfully obtained a temporary restraining order, in part requiring the MDHR to take her name off the website and amend it to refer only to a “female teacher.” The case is captioned Cleveland v. Minnesota Department of Human Rights.

In the third case, a state court dismissed a claim that the Minnesota Department of Health violated the Minnesota Genetic Privacy Act (GPA) by gathering and storing blood specimens from newborn babies and sharing them with medical facilities without the parents’ consent. The GPA prohibits collection or use of genetic information without informed consent, “unless otherwise expressly provided by law.” In an 11-page order, Hennepin County judge found that the blood samples were biological samples, not genetic information and, regardless, the state’s Newborn Screening Law was a statutory exception to the GPA. Bearder, et al v. State of Minnesota. This is a rare example of a private lawsuit under a genetic privacy law, but we can expect to see more as new legislation is enacted in this area, such as the Federal Genetic Information Nondiscrimination Act.

The last case involves the neighboring state of Wisconsin and comes to us from lawyer Peter Nickitas who recently obtained a $40,000 jury verdict in federal court against Dunn County Wisconsin for violation of Wisconsin’s Open Records Laws.  The case, Sheffler v. County of Dunn, involved a Minnesota citizen who was arrested in Madison, Wisconsin and spent time in the Dunn County Jail. A few weeks later he requested copies of video footage from his time in jail. The County failed to respond to his request in a timely fashion and the footage was copied over before it could be produced. Plaintiff Troy Scheffler represented himself pro se in defeating the County’s motion for summary judgment  and Nickitas represented him at trial. 

"These cases all demonstrate that private employers are not alone in facing the complexities and exposure of managing personal information about individuals, particularly employees",  observes Joe Saccomano, head of the Jackson Lewis public sector practice group. 
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature.   Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here. 

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

• Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
• Training of employees conducting any monitoring;
• Prompt investigation of computer usage and allegations of unlawful conduct; and
• Consultation with legal counsel regarding the duty to report to authorities. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers." 

The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.

The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:

• the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
• the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
• the cost of implementing such safeguards.

These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.

Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Continuing our thoughts on how disclosures of private or confidential information may adversely impact the institution and the persons affected by such disclosure, we now focus on something near and dear to lawyers’ hearts: paper shredding.

Many businesses regularly shred documents they no longer need to protect them from disclosure. While this may secure the information contained in those documents, an additional concern exists for HIPAA-covered entities, such as hospitals, medical providers or their business associates. Often, those documents might consist of old medical records, charts, notes, or other information containing protected health information (“PHI”) specifically protected from disclosure under HIPAA.  

Shredding frequently is done by outsourced vendors.  They shred what is provided to them and then resell it as fill, packaging material or for other recyclable-type uses. But shredding alone may not be sufficient to secure data under HIPAA. This can cause a HIPAA headache, as suggested by recent occurrences overseas.  A gift-wrapping company owner in England discovered protected health data (including names of patients) from a local hospital on the shredding she used for work. In another situation being investigated by British authorities, an outsourced medical transcription company in India disclosed shredded health data. Although those situations occurred abroad, they could just as easily happen in the U.S., or occur outside the U.S. but affect information involving U.S. citizens.

If a data breach is discovered by the unauthorized disclosure of PHI through shredding or otherwise, under the American Recovery and Reinvestment Act of 2009 (“ARRA”), covered-entities and business associates must notify those affected by the disclosure of unsecured PHI within 60 days after a breach. If the breach involves disclosure of PHI for over 500 persons, a covered-entity and/or a business associate must also notify Department of Health and Human Services and the media. “Unsecured” under ARRA means any data not rendered unusable, unreasonable or indecipherable. Thus, an individual’s name legible on a snippet of shredded paper together with some health information may be enough to trigger ARRA’s disclosure requirements and constitute a HIPAA violation. For more information about data breaches under HIPAA, click here.

We therefore remind HIPAA-covered entities to ensure that their vendors are compliant with the HIPAA security requirements, that they have appropriate business associate agreements where necessary, and that they actively monitor compliance with those agreements.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link