Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Recruiters are increasingly turning to social media to screen and recruit candidates. Jobvite’s 2012 Social Recruiting Survey found that 92% of respondents plan to use social media for recruiting.  Often, recruiters are viewing and considering information that should not be utilized in the hiring process.  LinkedIn is replete with information that should not be considered when searching for or selecting candidates.  Yet, the same survey found that LinkedIn is the most popular social networking site for recruiters. 

LinkedIn profiles likely contain photos of candidates and other information identifying a candidate’s race, ethnicity, age, disability, pregnancy, or religion.  Federal and state anti-discrimination laws prohibit companies from using such non-work-related information when hiring.  Additionally, the Equal Employment Opportunity Commission (EEOC) has issued regulations for the employment provisions of the Genetic Information Nondiscrimination Act (GINA) that prohibit acquisition of “genetic information” through social media.  

The EEOC also has made clear that it is focusing its litigation efforts on eliminating systemic discrimination, such as discriminatory barriers in recruitment and hiring. The EEOC’s Compliance Manual states that bias is not always conscious, and that actions infected by stereotyped thinking or other forms of less conscious bias are discriminatory.  It further states that it is discriminatory to use a screening procedure that has a significantly disparate impact.

Employers can separate recruiters who screen applicants through social media from individuals who are making the hiring decision.  This would require a recruiter to search applicants online, scrub prohibited information, and deliver scrubbed profiles to a decision maker. This may be difficult for employers to act on without careful attention to details and legal guidance to avoid significant risks.  The process relies heavily upon a recruiter’s knowledge of employment laws to scrub prohibited information. Avoiding the issue because of its burdensomeness is fast being scrubbed as an option for employers.

Companies also can utilize third parties to screen applicants through social media as long as they are aware of the pitfalls.  First, many employers make little or no effort to determine whether the third party recruiters have developed appropriate safeguards.  Second, the Federal Trade Commission (FTC) has stated that employers who rely upon third parties for social media information about candidates must comply with the Fair Credit Reporting Act (FCRA).  

FCRA requires that an employer notify an applicant when it takes adverse actions based upon a consumer report.  Employers also must provide the rejected applicant with notice of his or her right to view the data relied upon as well as give the individual the opportunity to dispute any inaccurate or incorrect information.  Employers failing to comply with FCRA can be subject to tremendous liability.  For example, Spokeo, Inc., a website that collects and sells detailed consumer information by compiling online data, recently agreed to pay $800,000 to settle FTC charges alleging that it violated FCRA in the employment screening context. 

The EEOC, OFCCP (Office of Federal Contract Compliance Programs), and FTC are beginning to scrutinize employers that use social media to screen applicants.  Unfortunately, LinkedIn and other social media sites do not yet maintain a “safe” site for recruiters.  Employers need to anticipate government inquiry and not await the knock on the door.  Recruiters should be restricted from considering prohibited information about applicants, whether they are working on company time or researching an applicant on their own time.  They need appropriate social media guidelines and policies that are compliant with a host of laws.  Further, they need to be properly trained. 

Ignoring this problem or simply outsourcing recruitment to a third party without careful consideration of these issues and a recruiter’s qualifications is a recipe for lawsuits.

• Email This
• Print
• Comments
• Trackbacks

The confidentiality of medical records requirement under the Americans with Disability Act (ADA) is violated when an employer discloses a current or former employee's medical records in response to a state court subpoena absent the employee's release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney's demand letter or a subpoena and apply to the individual's medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

• what kind of information in contained within the files being requested;
• what specific statutory or regulatory protections apply for some or all of the information being requested (see below);
• is a response appropriate without an authorization of the individual or giving an individual an opportunity to object;
• is a court order needed for some or all of the information being requested; and
• what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an
individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

• supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
• first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
• government officials investigating compliance with this part shall be provided relevant information on request;
• employers may disclose medical information to state workers' compensation offices, state second injury funds, workers' compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
• employers may use medical information for insurance purposes.

The EEOC found that the Postal Service's disclosure of Mr. Bennett's medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service's] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied.  The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett,  (ii) to conduct training concerning the ADA's confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett's attorneys' fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

• GINA: Regulations issued under Title II (GINA's employment provisions) provide that  employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified. 
• HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
• 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
• State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests. 

• Email This
• Print
• Comments
• Trackbacks

 Does your HR staff know the limits on what they could tell prospective employers about former employees?

In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee’s medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court ( EEOC v 7-Eleven of Hawaii, Inc, DHaw, No CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven’s favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.

However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:

1. pay $10,000,   
2. provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis the ADA requirements concerning confidentiality, and
3. for a period of two years, 7-Eleven will also be required to report annually to the EEOC regarding the company’s policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.

In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney's informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggests a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:

• Creating a culture of confidentiality concerning medical records, whether those records are subject to ADA, HIPAA or some other law.
• Reminding employees that medical information is confidential and access is on a need-to-know basis.
• Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to safeguard medical information, such as requiring employees to keep their desks clear of sensitive information and locking doors and file cabinets.

• Email This
• Print
• Comments
• Trackbacks

Co-authors: Frank Alvarez, Michael Soltis, and Joseph Lynett

ABC News has reported that a Fairfield, Connecticut woman, Pamela Fink, yesterday filed claims with the U.S. Equal Employment Opportunity Commission and the Connecticut Commission on Human Rights and Opportunities that her employer violated GINA when it terminated her employment on March 25, 2010. The federal Genetic Information Nondiscrimination Act (GINA) (pdf), which went into effect for employment law purposes on November 21, 2009, prohibits discrimination by employers on the basis of an employee’s “genetic information.” Final EEOC regulations on GINA have not been released.

According to the ABC and other news outlets, after genetic tests and family history indicated Ms. Fink was at risk for breast cancer, she underwent a preemptive double mastectomy. She alleges the termination of her employment, approximately five months after her procedure, was the result of informing her employer of her genetic test results that showed she carried the BRCA2 gene. Under GINA, “genetic information” includes a genetic test (defined in the statute as an “analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes”).

Her complaint is believed to be the first in the country brought under the employment provisions of GINA. It surely will be watched closely as employers begin to understand the scope of protections for employees under this new law. Employers are awaiting final EEOC regulations, which they hope will clarify the requirements under GINA, among them Title II, Section 202 of the statute. That section provides:

(a) DISCRIMINATION BASED ON GENETIC INFORMATION.—It shall be an unlawful employment practice for an employer—

(1) to fail or refuse to hire, or to discharge, any employee, or otherwise to discriminate against any employee with respect to the compensation, terms, conditions, or privileges of employment of the employee, because of genetic information with respect to the employee; or

(2) to limit, segregate, or classify the employees of the employer in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee, because of genetic information with respect to the employee.

The result of Ms. Fink’s case will not be known for some time. Employers, meanwhile, need to think about how this law affects their employment practices, as well as the group health plans (including any wellness programs) they sponsor for employees. (Title I of GINA specifically applies to group health plans.) We have written extensively on this topic here and elsewhere (pdf).

• Email This
• Print
• Comments
• Trackbacks