Bans on Employers Requesting Social Media Passwords Continue as New Year Approaches

Written by Jason Gavejian

One of the hottest topics of 2012 was the wave of state legislation prohibiting employers from requiring current or prospective employees to disclose the user name or password for a personal social media account, such as Facebook or LinkedIn. The issue was recently featured in an article on nbcnews.com.

Notably, fourteen states introduced such legislation in 2012. Michigan became the most recent state to enact it when Governor Rick Snyder signed his state’s law (HB 5523) last Friday. As we have discussed, California, Delaware (covering students at colleges and universities), Illinois, Maryland, and New Jersey (pending the Governor's signature) also enacted laws on this issue in 2012.

We anticipate that other states will address this issue through legislation in 2013 and beyond. Businesses should be aware of these new laws and consider the issue carefully whether or not the state in which they operate currently prohibits such conduct.

Maryland Restricts Employer Use of Credit History Information

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual's consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011, employers are prohibited from using credit report data to deny employment, discharge an employee, or set compensation or the terms, conditions, or privileges of employment, unless, after making an offer of employment, the employer has a use for the information that is “substantially job-related.” An employer must also disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 


Cautionary Tale for Health Care Providers Subject to HIPAA - Don't Forget State Law

Written by Marlo Johnson Roebuck

When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law must also be considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and more protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or without giving the individual an opportunity to agree or object. It may do so in certain circumstances, however, for example when responding to a subpoena or discovery request, provided specified conditions are satisfied. 45 CFR 164.512(e). Even this limited exception yields to a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigation. This ruling makes clear that considering only HIPAA when disclosing PHI can be risky. Because this analysis is not limited to Michigan (see, for example, the recent Ohio decisions in Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state, and local laws and regulations before making any disclosure.

Florida, Michigan, and Montana Follow National Trend and Consider Banning the Use of Applicant Credit History Background Checks in Hiring Decisions

Prepared by Lillian Moon

In the face of rising unemployment, Florida, Michigan, and Montana in March 2011 joined approximately fifteen other states that are considering bills limiting employers’ ability to use credit checks for employment purposes.

Florida. Florida’s Senate Bill 1562, introduced on March 3, would prohibit employers from using an applicant’s personal credit history as hiring criteria, except where a review of credit history is legally required. The proposed Florida law allows an employer to request credit history during the “application process if such history is shown to be directly related to the position sought by the applicant.” However, the credit history cannot be used as the “determining factor” in the hiring decision.

Michigan. Michigan’s House Bill 4363, introduced March 2, would prohibit employers from making hiring decisions based on an individual’s credit history and from inquiring about a job applicant’s or potential applicant’s credit history, unless good credit history is “an established bona fide occupational requirement of the particular position or employment classification.” Individuals cannot waive any right or protection under the proposed act and aggrieved individuals would be able to bring civil suit for damages or injunctive relief.

Montana. Montana’s House Bill 601, introduced March 1, would prohibit employers from using credit history information for employment purposes unless the employee’s current or potential position is one “for which credit is issued in goods, a line of credit is provided, or a fiduciary responsibility is owed to the employer,” or the position allows for use of such data when done in compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681(b)(2)(C) and (b)(4). Misuse of credit data or other violations of this proposed act would be punishable as a misdemeanor with fines up to $500.

Similar bills are also being considered in numerous jurisdictions such as: California, Connecticut, Georgia, Indiana, Kentucky, Maryland, Missouri, Nebraska, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Vermont, and Texas. Illinois, Oregon, and Washington already have such laws in place.

“Employers with multi-state operations, in particular, must remain abreast of these developments and ensure any background check program involving credit checks complies with applicable state law. Further, due to EEOC initiatives in this area, credit checks should be limited to positions in which credit history can be deemed job-related and individualized analysis of each applicant’s history should be the goal,” counsels Richard Greenberg, a partner with Jackson Lewis LLP in New York.

Data Security, Destruction and Encryption Leads the Way for States in 2010

Less than one month into 2010, the trend among state lawmakers to address data security, destruction, and encryption has continued. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York have all introduced, reintroduced, or amended legislation of this kind.

  • The Florida and Michigan bills would amend personal data destruction rules for companies.
  • The New York bill would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and to put mitigation measures in place. Michigan is also considering a number of other measures.
  • The Kansas bill would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of discovering the breach.

While five states remain without data breach notice laws (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below. 

Michigan

The new Michigan data destruction bill would ease the existing personal data disposal requirements in the state's Identity Theft Protection Act: companies and agencies removing information from a database would be required to destroy only “unencrypted, unredacted personal information,” and only such personal information relating to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement identity theft mitigation programs similar to those required under the Red Flags Rule issued under the federal Fair and Accurate Credit Transactions Act. Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one's identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) that would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the National Institute of Standards and Technology “Guidelines for Media Sanitization” (NIST Special Publication 800-88) to render all disposed personal data inaccessible. In addition, state agencies would be required to submit samples of allegedly sanitized storage media to an independent third-party vendor to verify the destruction of the personal data.

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state's data breach notice law. The bill would also require businesses and state agencies to implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.

Unlike the data security regulations issued under the Massachusetts breach notification law, the New York bill does not authorize the promulgation of rules; instead, it sets out the encryption standard in the text of the proposed law itself. The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.
