Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state's common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments.  After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal."  The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930's.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort's purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public - in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890's - when no one dreamed of talk radio or confessional television - it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee's medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.

• Email This
• Print
• Comments
• Trackbacks

Employers increasingly have health professionals on-site providing medical services to employees. For some employers, the reason is to address the rising costs of health care, including uncertainties about the full impact of health care reform, the Affordable Care Act, looming in 2014. For others, more comprehensive approaches to disability and leave management can mitigate compliance and litigation concerns. 

Whether it is a single nurse at a facility providing basic first aid and assisting in fitness-for-duty exams, or a full-scale health clinic staffed with physicians, nurses and others, there are a range of issues the company should be thinking about – e.g., workplace safety, disability/leave management, labor, employee benefits, and privacy. Some of our practice group leaders put together a white paper to aid employers in spotting these issues. We hope you find this helpful and easy to read. 

Click here to access the White Paper: An Overview of Legal Considerations When Bringing Health Care "In-House"
 

• Email This
• Print
• Comments
• Trackbacks

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment. The Maryland and Illinois legislatures would like to limit employers' ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE - Newly enacted Maryland law prohibits employers from demanding access to Facebook or other on line accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

• require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
• require an employee to install on the employee's personal electronic device software that monitors or tracks the content of the electronic device.  

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer's internal computer or information systems. 

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electroinc devices, including the personal devices of employees. This bill would make that process more challenging, particulalry for businesses with nationwide operations in heavily regulated businesses such as healthcare, insurance, finance and so on.   

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

• Finding medical information protected under the American with Disabilities Act or the Genetic Information Nondiscrimination Act.
• Acting inconsistently when similar information is found about different applicants/employees/executives.
• Acting on information that is not true.
• Intruding into private areas.  
• Failure to document the steps taken in conducting the search.
• Not realizing the Fair Credit Reporting Act may apply and require consent and notice requirements.
• Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination.  Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.

• Email This
• Print
• Comments
• Trackbacks

Disclosure to management by the company’s in-house physician of an employee’s alleged “lie” (or at least significant omission) made months earlier on a post-job offer medical questionnaire violated the Americans with Disabilities Act’s confidentiality provisions, a federal District Court in Maine held last week. Blanco v. Bath Iron Works Corp., D. Me., No. 2:10-cv-00429.

Medical professionals are becoming a fixture at many workplaces, whether they be occupational nurses or full scale on-site health clinics. As reported by the L.A. Times on July 3, 2011, 15% of U.S. companies with 500 or more employees had health centers last year, up from 11% the year before, and companies with 20,000 or more employees were even more likely to have clinics. However, having these resources on site can raise a range of workplace law risks, not the least of which concerns confidentiality.

In the Maine case, following his job offer, Mr. Blanco completed a pre-placement medical screening, which included filling out and signing a “Medical Surveillance History Questionnaire,” administered by the employer’s in-house physician. He did not reveal on that form that he had Attention Deficit Hyperactivity Disorder (ADHD). Mr. Blanco received good reviews for the first few months of his employment, but when he was moved to a different position, his performance began to wane. During a meeting with his manager, he attributed his poor performance to his ADHD and not long after requested a reasonable accommodation.

Mr. Blanco was referred to the same in-house physician who administered the Medical Surveillance History Questionnaire. Rather than explore the substance of his request, the physician interrogated Mr. Blanco concerning the ADHD omission on the Questionnaire. He explained that he did not understand the questions to ask about mental or emotional issues, such as ADHD. The physician refused to provide an accommodation, or even address the issue, and shortly after the physician informed management of Mr. Blanco’s omission from the Questionnaire, he was fired.

In refusing to dismiss Mr. Blanco’s complaint under the Americans With Disabilities Act and the state anti-discrimination law, the Court rejected two interesting arguments raised by the employer:

1. Employees that lie should not be able to get protection under the ADA’s medical information confidentiality protections; and,
2. As a policy matter, these kind of misstatements put in-house physicians “in a pickle.” The court allowed, “If the revealed condition places the employee and his co-workers at risk, the doctor’s conflicting loyalty would become a safety issue."

In each case, however, the Court said it didn’t matter to its decision that the employee may have lied on the medical questionnaire. The Court simply pointed to the statutory language, which it found clear and controlling. The court stated:

The Court agrees that whether he lied is not dispositive since the confidentiality provision does not apply only to truthful information. But this does not assist the Defendants. The ADA clearly protects the confidentiality of Mr. Blancos’ response if truthful and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

In response to the conflicting loyalty argument, the Court reasoned:

The brief answer, however, is that these policy arguments do not trump the statutory language. Congress, not this Court, is a policy-making body, and the Court is duty-bound to follow the law as enacted by Congress. Congress may or may not have considered whether to carve out a disclosure exception for instances where the employer concludes that the employee lied or misrepresented his pre- employment medical or mental condition. In any event, there is no such exception in the statute.

More than ever, businesses are realizing that comprehensive approaches to disability and leave management not only can mitigate compliance and litigation concerns, but also can enhance employee productivity and, therefore, profit margins. For these companies, on-site health clinics, occupational health clinics, and in-house physicians can be attractive options. However, as this case makes clear, employers need to be mindful of the workplace law risks. The ADA may be one source of such risks.

• Email This
• Print
• Comments
• Trackbacks

The confidentiality of medical records requirement under the Americans with Disability Act (ADA) is violated when an employer discloses a current or former employee's medical records in response to a state court subpoena absent the employee's release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney's demand letter or a subpoena and apply to the individual's medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

• what kind of information in contained within the files being requested;
• what specific statutory or regulatory protections apply for some or all of the information being requested (see below);
• is a response appropriate without an authorization of the individual or giving an individual an opportunity to object;
• is a court order needed for some or all of the information being requested; and
• what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an
individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

• supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
• first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
• government officials investigating compliance with this part shall be provided relevant information on request;
• employers may disclose medical information to state workers' compensation offices, state second injury funds, workers' compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
• employers may use medical information for insurance purposes.

The EEOC found that the Postal Service's disclosure of Mr. Bennett's medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service's] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied.  The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett,  (ii) to conduct training concerning the ADA's confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett's attorneys' fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

• GINA: Regulations issued under Title II (GINA's employment provisions) provide that  employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified. 
• HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
• 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
• State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests. 

• Email This
• Print
• Comments
• Trackbacks

 Does your HR staff know the limits on what they could tell prospective employers about former employees?

In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee’s medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court ( EEOC v 7-Eleven of Hawaii, Inc, DHaw, No CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven’s favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.

However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:

1. pay $10,000,   
2. provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis the ADA requirements concerning confidentiality, and
3. for a period of two years, 7-Eleven will also be required to report annually to the EEOC regarding the company’s policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.

In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney's informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggests a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:

• Creating a culture of confidentiality concerning medical records, whether those records are subject to ADA, HIPAA or some other law.
• Reminding employees that medical information is confidential and access is on a need-to-know basis.
• Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to safeguard medical information, such as requiring employees to keep their desks clear of sensitive information and locking doors and file cabinets.

• Email This
• Print
• Comments
• Trackbacks

Contributed by: Joseph J. Lynett

In a February 18, 2010, informal letter, an Equal Employment Opportunity Commission senior staff attorney responded to an inquiry concerning the duties of federal employees and contractors relating to medical confidentiality under the Rehabilitation Act. The letter discusses the role of medical records custodians (MRCs) - those individuals whose official duties require access to employee medical information. Because the same legal standards apply to private-sector employers under the Americans with Disabilities Act’s medical confidentiality rules, the principles discussed in this letter can be helpful for all employers, including federal contractors.

The letter explains that MRCs should work in an environment that does not allow for unauthorized co-workers to have access to employee medical information. It goes on to list certain steps federal agencies and covered contractors should take to safeguard the confidentiality of employee medical information:

1. Remind all employees that medical information is confidential and only MRCs are authorized to have access to such information on a need-to-know basis.
2. Issue a memorandum informing all employees that anyone who discusses another employee's medical information with unauthorized persons or reads medical documents not intended for him or her will be disciplined.
3. To ensure that other employees, including other MRCs, cannot overhear conversations about an employee's confidential medical information, consider providing an office with a door that an MRC can use when he or she needs to discuss an employee's medical condition or history by telephone or in person.
4. Install a fax machine that is shared only by other MRCs in the office, with the door kept locked except when in use by an MRC.
5. Remind MRCs to keep any employee medical information in a locked file cabinet in their cubicles or in a file cabinet in the shared office to which only other MRCs have access.
6. Periodically audit policies and procedures to ensure sufficient measures are in place to guarantee the confidentiality of employee medical information and protect against unauthorized disclosure.

While the EEOC Office of Legal Counsel’s letter is not an official opinion of the Commission, it provides insights into the EEOC’s view of potential safeguards to protect against unlawful disclosure of employee medical information under the ADA and Rehabilitation Act. Organizations with multiple departments reviewing employee medical information in connection with an injury or illness (such as departments for occupational health, risk management, HR and benefits) may have the greatest need to adopt recommended safeguards to protect employee medical information from unlawful disclosure.
 

• Email This
• Print
• Comments
• Trackbacks

Contributed by Kathryn J. Russo.

A recent case emphasizes that employers must ensure they do not make improper medical inquiries related to pre-employment drug test results at the pre-offer stage. John Harrison v. Benchmark Electronics, Inc., No. 08-16656, 2010 App. LEXIS 632 (11th Cir. Jan. 11, 2010). Some valuable lessons for employers are discussed below.

The Eleventh Circuit Court of Appeals permitted an applicant who was not hired after testing positive for drugs used to control his epilepsy to proceed with his lawsuit asserting claims under the Americans with Disabilities Act because there were factual issues whether the employer made an improper medical inquiry and denied employment on that basis.

• Email This
• Print
• Comments (1)
• Trackbacks