As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.
Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment. The Maryland and Illinois legislatures would like to limit employers' ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.
Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to
- require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
- require an employee to install on the employee's personal electronic device software that monitors or tracks the content of the electronic device.
Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer's internal computer or information systems.
The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electroinc devices, including the personal devices of employees. This bill would make that process more challenging, particulalry for businesses with nationwide operations in heavily regulated businesses such as healthcare, insurance, finance and so on.
Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."
Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as
- Finding medical information protected under the American with Disabilities Act or the Genetic Information Nondiscrimination Act.
- Acting inconsistently when similar information is found about different applicants/employees/executives.
- Acting on information that is not true.
- Intruding into private areas.
- Failure to document the steps taken in conducting the search.
- Not realizing the Fair Credit Reporting Act may apply and require consent and notice requirements.
- Unlawfully limiting protected concerted activity under the National Labor Relations Act.
Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination. Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.
The Minnesota Supreme Court issued a decision on November 16, 2011 holding that the state's Genetic Privacy Act, Minn. Stat. Section 13.386 (2010) restricts the collection and use of blood samples taken from newborns pursuant to the state's Newborn Screening Statutes, Minn. Stat. Section 144.125-128. The litigation, captioned Bearder et al v. State of Minnesota, was initiated by a group of families with children born between 1998 and 2008 who challenged the newborn screening program run by the Minnesota Department of Health ("DOH"). The DOH's program requires the collection of blood samples from newborn children within the fifth day of birth. The DOH analyzes the sample for the presence of substances that indicate the presence of a metabolic disorder. Only one of the many tests, a second level test for cystic fibrosis, analyzes DNA or RNA. If a portion of any blood sample remained after screening tests were completed, the DOH either stored the sample indefinitely or allowed the Mayo Clinic to use the samples for unrelated studies, provided the samples had been either de-identified or Mayo had received written consent from the child's legal guardian.
Plaintiff's claimed that the Minnesota Genetic Privacy Act required the DOH to obtain informed consent before it could collect, use, store, or disseminate the samples that remained after the newborn health screening was complete. The trial court and Minnesota Court of Appeals rejected plaintiffs' argument, but the Minnesota Supreme Court reversed, holding that the Genetic Privacy Act placed limits on the DOH's practices. A central question in the case was whether a blood sample was properly considered "genetic information" as the term is defined in the state law. The Court held that it was, with one justice dissenting on that question.
Minnesota's Genetic Privacy Act was passed in 2006 as part of the Data Practices Act which governs the use and disclosure of information by state and local government. Although it is unclear whether the Minnesota Legislature intended to limit section 13.386 to public entities, the plan language of the statute suggests it may govern the collection of genetic information by private companies and employers as well. It certainly serves as a reminder that there is a growing body of federal and state regulation in the area of medical privacy. The lawsuit also highlights the public's growing concern about the use of genetic information and may portend more litigation under federal laws such as GINA - the Genetic Information Nondiscrimination Act.
ABC News has reported that a Fairfield, Connecticut woman, Pamela Fink, yesterday filed claims with the U.S. Equal Employment Opportunity Commission and the Connecticut Commission on Human Rights and Opportunities that her employer violated GINA when it terminated her employment on March 25, 2010. The federal Genetic Information Nondiscrimination Act (GINA) (pdf), which went into effect for employment law purposes on November 21, 2009, prohibits discrimination by employers on the basis of an employee’s “genetic information.” Final EEOC regulations on GINA have not been released.
According to the ABC and other news outlets, after genetic tests and family history indicated Ms. Fink was at risk for breast cancer, she underwent a preemptive double mastectomy. She alleges the termination of her employment, approximately five months after her procedure, was the result of informing her employer of her genetic test results that showed she carried the BRCA2 gene. Under GINA, “genetic information” includes a genetic test (defined in the statute as an “analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes”).
Her complaint is believed to be the first in the country brought under the employment provisions of GINA. It surely will be watched closely as employers begin to understand the scope of protections for employees under this new law. Employers are awaiting final EEOC regulations, which they hope will clarify the requirements under GINA, among them Title II, Section 202 of the statute. That section provides:
(a) DISCRIMINATION BASED ON GENETIC INFORMATION.—It shall be an unlawful employment practice for an employer—
(1) to fail or refuse to hire, or to discharge, any employee, or otherwise to discriminate against any employee with respect to the compensation, terms, conditions, or privileges of employment of the employee, because of genetic information with respect to the employee; or
(2) to limit, segregate, or classify the employees of the employer in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee, because of genetic information with respect to the employee.
The result of Ms. Fink’s case will not be known for some time. Employers, meanwhile, need to think about how this law affects their employment practices, as well as the group health plans (including any wellness programs) they sponsor for employees. (Title I of GINA specifically applies to group health plans.) We have written extensively on this topic here and elsewhere (pdf).
The Genetic Information Nondiscrimination Act (GINA) [pdf], signed into law in May 2008, prohibits discrimination by health insurers and employers based on individuals’ genetic information. Genetic information includes the results of genetic tests to determine whether someone is at increased risk of acquiring a condition (such as some forms of breast cancer) in the future, as well as an individual’s family medical history. It is family medical history information that presents the biggest challenge for employers.
In its announcement about the effective date of the regulations, the Equal Employment Opportunity Commission Acting Chair Stuart J. Ishimaru writes:
GINA affirms the principle central to all employment discrimination laws – that all people have the right to be judged according to their ability to do a job, not on stereotypical assumptions . . . No one should be denied a job or the right to be treated fairly in the workplace based on fears that he or she may develop some condition in the future.
Specifically, the law prohibits the use of genetic information in making employment decisions, restricts the acquisition of genetic information by employers and others, imposes strict confidentiality requirements, and prohibits retaliation against individuals who oppose actions made unlawful by GINA or who participate in proceedings to vindicate rights under the law or aid others in doing so. The same remedies, including compensatory and punitive damages, are available under Title II of GINA as are available under Title VII of the Civil Rights Act and the ADA.
Acting Vice Chair Christine Griffin said,
Title II of GINA is an ideal complement to the ADA Amendments Act. With both laws now effective, American workers are protected if they experience discrimination because of their disability or because of impairments they may develop.
To date, employers’ only regulatory guidance for the employment provisions of GINA (Title II) is a Notice of Proposed Rulemaking, published by the EEOC March 2, 2009. For health plans, which are subject to Title I of GINA, interim final regulations become effective for plan years beginning on and after December 7, 2009.
Employers should be reviewing their employment practices and health plans and wellness plans for compliance with GINA as soon as possible.
Click here for more information about how GINA affects employers.
Click here for more information about how GINA affects health plans.
Click here for more information about how GINA affects wellness programs.
Click here for information about the new Equal Employment Opportunity Poster that includes information about GINA.