Earlier this month, New York Governor Kathy Hochul signed into a law a bill that will require New York private sector employers to provide written notice to employees before engaging in electronic monitoring of their activities in the workplace.  Civil Rights (CVR) Chapter 6, Article 5, Section 52-C*2 will take effect six months after enactment, i.e. May 7th, 2022.

Pursuant to the new New York law, electronic monitoring in the workplace includes monitoring of employees’ telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems. Prior written notice of the electronic monitoring must be issued at the time of hiring and must be acknowledged by the employee in writing or electronically.  In addition, the notice must be posted in a conspicuous place readily available for viewing by employees.

It is important to note that under the new law, a private right of action for employees that are impacted by the law is not available. The New York attorney general has exclusive enforcement authority. Failure to comply with the law’s notice requirements may subject the employer to a civil penalty of $500 for the first offense, $1000 for the second offense, and $3000 for the third and each subsequent offense.

Employer monitoring requirements of this kind are not exclusive to New York. In Connecticut, for example, both private and public sector employers are required to notify employees prior to electronic monitoring, with similar penalties for failure to comply.  Likewise, in Delaware, an employer is not permitted to monitor or intercept an employee’s telephone conversations, email or internet usage without prior notice in writing or alternatively notification, day of, each time the employee accesses the employer-provided email or Internet access services.

Excessive, clumsy, or improper employee monitoring can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections, as evidenced by the New York law and others of its kind. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.

When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. Whether in a jurisdiction that requires prior notice of employee monitoring or not, in general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs them what to expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectations of privacy, as well as making clear the information systems and activities that are subject to the policy.

COVID-19 changed the way many organizations operate, and monitoring and surveillance have become increasingly important, particularly for employers that do not share the same physical workspace with their employees.  When employers implement new monitoring and surveillance tools, they need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

On October 27, 2021 the FTC issued a final rule (the “Final Rule”) amending 16 CFR Part 134, Standards for Safeguarding Customer Information (“Safeguards Rule”), after a period of notice and comment. While the existing Safeguards Rule imposes a general obligation on financial institutions to maintain an information security program, the Final Rule outlines these requirements in more granular detail. Importantly for smaller financial institutions, the Final Rule exempts businesses with fewer than 5,000 customers.

The Final Rule now defines key terms rather than incorporating them by reference. Other changes include requiring greater oversight and responsibility of a company’s information security program by designating a qualified individual to maintain the program, requiring annual reports to a company’s board of directors or governing body, and requiring vulnerability assessments and penetration testing. While there will likely be some cost to comply with the new requirements of the Final Rule, the FTC indicated the importance of these requirements justifies any associated costs.

What Businesses are Subject to the New Final Rule

The Final Rule applies to financial institutions that maintain customer information for over 5,000 individuals.

Data Breach Reporting Obligations

The FTC indicated in their discussion of the Final Rule that there may be future reporting obligations of data breaches to the FTC. The FTC requested comments on whether it should require such reporting. While reporting obligations were not added to the Final Rule, the FTC is issuing a Notice of Supplemental Rulemaking to impose data breach reporting obligations.

While not yet imposing data breach notification obligations, the Final Rule does require that covered business implement a written incident response plan.

Designation of a Qualified Individual and Internal Reporting

The Final Rule requires covered institutions to designate a qualified individual to oversee the organization’s information security program. This person need only be qualified and does not need to be an executive or CISO. In fact, this individual need not even be an employee. This allows smaller enterprises to utilize a third-party such as a virtual CISO. Previously, covered institutions were only required to designate an employee to coordinate the company’s information security program.

The qualified individual must now submit written reports to the company’s board of directors or senior officers no less than once a year. These reports must provide status updates regarding the company’s information security program, compliance with the Safeguards Rule, and other material issues such as risk assessments, security events or violations, and recommended changes to the information security program.

Overall, this change appears to be geared toward encouraging the participation of company leadership in information security. As the number of data breaches continue to increase, this change indicates that information security should receive regular consideration from company executives. The FTC stopped short of requiring the board of directors to certify the report, however.

Risk Assessments and Vulnerability Testing

The Final Rule requires companies conduct regular, written risk assessments that include testing for vulnerabilities and penetration testing. Previously, risk assessments could remain fairly high level. Vulnerability assessments and penetration testing, however, are far more granular and technical in nature.

Penetration testing must be conducted at least annually. Not all IT managed service providers are equipped with the ability to conduct this testing. Companies may therefore need to employ additional vendors with increased technical capabilities.

Vulnerability assessments must be conducted every six months or whenever there is a material change in business operations or a material impact on the information security program. Vulnerability assessments are designed to identify and detect publicly known security vulnerabilities.

Increased Security Controls

The Final Rule imposes greater security controls on covered businesses. Here are some of the significant requirements imposed by the Final Rule:

  • Encryption – Customer data must now be encrypted both in transit and at rest. Data need not be encrypted while in transit throughout internal business networks, however.
  • MFA – Covered businesses are now required to implement multi-factor authentication for all remote connections. Long considered a best practice, the Final Rule now mandates MFA.
  • Audit Trails – Information systems must be continuously monitored to detect and log unauthorized access. Logging must be enabled to show when individual users access protected information.
  • Change Management – Any change within a company’s technical infrastructure has the potential to introduce new vulnerabilities. The Final Rule requires covered businesses to implement formal change management procedures. This includes identifying potential impact beforehand and thoroughly documenting all changes.
  • Secure Disposal – Financial institutions would be required to dispose of customer information when no longer needed or when not required by law to retain the information. This applies to both digital and paper records. The Final Rule requires deletion of customer information not accessed for more than two years.
  • Secure Development Practices – Any applications that utilize or access customer information, whether developed in-house or by a vendor, must implement secure development practices. This includes regular testing and security evaluations during the development lifecycle.

Vendor Management

The Final Rule identifies the significant risk presented by outside vendors. Covered businesses will be required to take reasonable step in selecting service providers, which includes ensuring service providers implement and maintain appropriate safeguards for customer information. This oversight requirement is not just during the selection of vendors but includes periodic assessments. Covered businesses may no longer simply rely on a vendor’s security certifications or attestations.

Effective Date

The Final Rule will take effect 30 days after the date of its publication in the Federal Register. But certain provisions of the Final Rule will not take effect until one year after publication to give smaller organizations adequate time to comply. Provisions that take effect one year after publication include:

  • Designation of a qualified individual and annual written reporting
  • Written risk assessments
  • Continuous monitoring
  • Annual penetration testing
  • Biannual vulnerability assessments
  • Enhanced training
  • Periodic vendor assessments
  • Written incident response plan

 Conclusion

The Final Safeguards Rule imposes more detailed requirements for the information security programs of financial institutions. Covered businesses should prepare for the additional costs and administrative burden. Notification obligations to the FTC for data breaches may be soon to follow.

 

Last week, the Occupational Safety and Health Administration (OSHA) issued an Emergency Temporary Standard (ETS) implementing President Joe Biden’s COVID-19 vaccine mandate covering employers with at least 100 employees. The ETS is summarized here, including the general compliance deadline of 30 days from November 5, 2021, with an additional 30 days for testing to begin, if applicable.

Employers may already have the basic policy in place – get vaccinated or submit to periodic testing. But they may not be ready for the ETS’ record collection and record keeping requirements, or the obligations to make these records available upon request, sometimes within 4 business hours. Those are outlined here should the ETS survive the legal challenges filed in courts across the country.

When employers consider their ETS policies, they should consider these records issues to ensure compliance.

What records must covered employers collect and maintain?

Vaccination status. Because the ETS requires covered employers to determine the COVID-19 vaccination status of each employee, covered employers must collect “acceptable proof” of vaccination status, including whether each employee is fully or partially vaccinated. The list of items constituting “acceptable proof” includes, among other things, a copy of a COVID-19 Vaccination Record Card. See the full list here. If these items are unavailable, “acceptable proof” may also be an employee’s written certification, which is a signed and dated statement by the employee:

  • Attesting to vaccination status,
  • Attesting that they lost or are otherwise unable to provide the other forms of acceptable proof, and
  • Stating: I declare that this statement about my vaccination status is true and accurate. I understand that knowingly providing false information regarding my vaccination status on this form may subject me to criminal penalties.

The ETS notes that when attesting to vaccination status, employees should include in the attestation, to the extent they can recollect: (i) vaccination type, (ii) date(s) administered, (iii) name of health care professional(s) or clinic site(s) administering the vaccination. Employers using an app for this purpose, will want to ensure the app can capture this information, if available.

Employers must maintain a record of each employee’s vaccination status and preserve the “acceptable proof” for each fully or partially vaccinated employee. This includes the vaccine ascertainment records the employer obtained from employees prior to the ETS becoming effective. Employers also must maintain a roster of each employee’s vaccination status. The roster must list all employees and clearly indicate for each one whether they are fully vaccinated, partially vaccinated, not fully vaccinated either because (i) they qualify for a medical or religious accommodation, or (ii) they have not provided acceptable proof of their vaccination status.

Testing. Covered employers that opt for a policy permitting employees either to be fully vaccinated or provide proof of regular testing must collect:

  • Documentation of the most recent COVID-19 test result which may not be provided more than seven days after the employee last provided a test result. This is for employees who report at least once every seven days to a workplace where other coworkers or customers are present.
  • Documentation of a COVID-19 test within 7 days prior to returning to the workplace, to be provided upon return. This is for employees who do not report for seven or more days to such a workplace.

The employer must maintain a record of each test result provided by each employee.

Are these records confidential?

The vaccination records and rosters, as well as testing records, discussed above are considered employee medical records and must be maintained as such. They must not be disclosed except as required or authorized by the ETS or other federal law. Here are some best practices to consider. Employers using third parties to assist in the administration these obligations should take steps to assess the safeguards in place at those third parties.

How long must the records be maintained?

In a move that will please covered employers, OSHA’s standard 30-year retention requirement is not applicable to the records or rosters discussed above. Instead, they must be maintained and preserved while the ETS remains in effect. Of course, all are hoping that period will be much shorter than 30 years! But remember the Emergency Temporary Standard is just that, temporary, and only remains in effect for 6 months unless extended, while OSHA works on a permanent standard under which OSHA could choose to make COVID-19 vaccination records subject to its normal 30 year rule for retention.

Do employees have a right to the COVID-19 vaccination or testing records maintained by their employers?

Yes. Covered employers must make individual COVID-19 vaccination documentation and any COVID-19 test results available either to an employee or anyone with the written authorization of the employee. The records must be available for examination and copying, and must be available by the end of the next business day following the request. The regulation does not indicate whether the employee’s request must be in writing.

In an effort to help ensure compliance with the ETS, covered employers also must make available to an employee or the employee’s representative (no written consent required here; OSHA does not believe these records will contain any PII and has no serious confidentiality or privacy concerns) the aggregate number of fully vaccinated employees along with the total number of employees at the workplace.  Again, employers must make this information available by the end of the next business day following the request. Representatives include an employee’s (or former employee’s) personal representative as well as an authorized representative – an authorized collective bargaining agent of one or more employees.

What about OSHA, does it have a right to the COVID-19 vaccination or testing records maintained by employers?

An even tighter time frame applies to the obligation of covered employers to provide the Assistant Secretary for examination or copying (i) the employer’s written policy required for vaccination/testing and (ii) the aggregate number of fully vaccinated employees and total number of employees at the workplace. An Assistant Secretary includes the Assistant Secretary’s designees, which could include OSHA’s Compliance Safety and Health Officers.

The time frame – within 4 business hours of a request. If the records are maintained at a location in a different time zone, the employer may use the business hours of the establishment at which the records are located when calculating the deadline. For any other records required to be maintained under the ETS, covered employers have until the end of the next business date after the request to provide same to the Assistant Secretary.

How must these requests for information be submitted to employers?

As noted in ETS FAQs, employees, employee representatives, and OSHA can submit requests in any manner that provides adequate notice of the request to the employer. This may include requests by in writing (e.g., email, fax, letter), by phone, or in person.

 

We anticipate many employers will be leveraging either existing platforms or new applications to assist with managing the records, roster, and other information required under the ETS. In the course of doing so, employers should be sure to maintain the privacy and security of the information throughout the process.

Last week, the Department of Justice (“DOJ”) announced the launch of its Civil Cyber-Fraud Initiative (“the Initiative”) aimed at combating “new and emerging cyber threats to the security of sensitive information and critical systems” specifically targeting accountability of cybersecurity obligations for federal contractors and federal grant recipients, by way of the False Claims Act.  The Initiative will be led by the Civil Division’s Commercial Litigation Branch – Fraud Section.

The False Claims Act imposes liability on persons and entities that defraud governmental programs. The Initiative will hold persons and entities accountable, via the False Claims Act, for several practices related to cybersecurity practices including: 1) putting U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, 2) knowingly misrepresenting cybersecurity practices or protocols, and 3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco in her announcement of the Initiative.

Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fiscal and public trust.

As detailed in Deputy General Monaco’s announcement, benefits of implementing the Initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

Notably, that same day, the DOJ also announced a 2nd cybersecurity related initiative, the National Cryptocurrency Enforcement Team (“the Team”), which will address activities by entities such as virtual currency exchanges that misuse cryptocurrency for criminal activity, including ransomware attacks.  The Team, in addition to prosecuting such violations, will help recover lost cryptocurrency payments, including those to ransomware groups.

The DOJ is strategically increasing focus on cybersecurity, as the Biden Administration makes cybersecurity a top priority. The U.S. government has continued to ramp up efforts to strengthen its cybersecurity in the past year, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

With health-related data and how to protect it at the forefront of discussion since the start of the COVID-19 pandemic, this week California Governor Gavin Newsom signed into law two bills related to genetic data.  First, AB 825, will expand the definition of personal information to include genetic data, for data breach notification requirements for businesses and government agencies, as well as reasonable safeguard requirements for businesses. Second,  SB 41, will establish the Genetic Information Privacy Act, requiring a direct-to-consumer genetic testing company to provide a consumer with notice and consent regarding its genetic data collection, use and disclosure policies.

Below is a breakdown of each law:

  • AB 825 – Unanimously approved by the Senate on September 8th, and Assembly back in May, AB 825, will expand the definition of personal information to include genetic data and define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified. This expanded definition of personal information will apply to three existing laws: 1) the Information Practices Act of 1977 which requires an agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was compromised, 2) Civil Code 1798.81.5 which requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices, and 3) Civil Code  Section 1798.82 which requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach.
  • SB 41 – Also passed unanimously by both the Senate and Assembly in September, SB 41 will establish the Genetic Information Privacy Act, which will require a direct-to-consumer genetic testing company to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. In particular, the new law will provide consumers with the right to revoke consent in accordance with certain procedures, and a requirement for companies to destroy a consumer’s biological sample within 30 days of revocation of consent. The bill will further require a direct-to-consumer genetic testing company to comply with all applicable laws for disclosing genetic data to law enforcement without a consumer’s express consent, implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data. The law will impose civil penalties for violations of the law, and enforcement of such actions will be exclusive to the Attorney General, district attorney, county counsel, city attorney, or city prosecutor.

Both laws will take effect January 1, 2022. Whether an organization is a health care provider, a genetic testing company, an employer, or other company that potentially collects genetic data, it should review its policies and practices concerning genetic tests and genetic information.

The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information.  The FTC’s policy statement effectively clarified the position that health apps and related connected devices are subject to the Health Breach Notification Rule (“the Rule”), which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information.  The FTC’s commissioners voted 3-2 to approve the policy statement.

The FTC’s Rule helps account for entities that are not subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), but nonetheless collect and use sensitive health information.  The FTC notes in its policy statement that while the Rule was established more than a decade ago, “the explosion in health apps and connected devices” particularly with the onset of the COVID-19 pandemic, and a spike in cyberattacks in this space, has made the Rule’s obligations “more important than ever.”  Health apps include everything from fitness, sleep and diet trackers, to apps that help individuals track their disease, diagnosis, medications, mental health, other vital areas and more.

Specifically, the Rule states that:

each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:

  • Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
  • Notify the Federal Trade Commission.

In addition, the Rule requires third-party service providers of such vendors, following the discovery of a breach of security, to provide notice of the breach to an official of the vendor designated in writing, and if no such designation is made, to a senior official of the vendor.

PHR is defined as an electronic record or individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual.

Notably, the policy statement emphasizes that a health app is subject to the Rule if it is capable of drawing information from multiple sources, even if the health information comes from only one source. The FTC provides the example of a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar) – such an app is covered under the Rule.

The FTC’s policy statement further clarifies that when a health app discloses sensitive health information without user consent, a “breach of security” is triggered under the Rule, and such a breach is not limited to “nefarious behavior”.  “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.” Entities that fail to comply with the Rule are subject to monetary penalties of up to $43,792 per violation, per day.

The Rule has generated significant confusion for entities offering PHRs, particularly since the onset of the COVID-19 pandemic. It is important to emphasize that the FTC’s rule does not apply to HIPAA-covered entities. The preamble of the Rule, for example, addresses whether the Rule would cover PHRs that a HIPAA-covered entity offers its employees. The preamble explicitly notes that “because the FTCs rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees”.   The overarching goal is to “harmonize” HHS and FTC data breach notification reporting requirements, and compliance with certain HHS rule requirements in turn satisfies compliance under the FTC rule.  There are, however, situations where an entity may have “dual or overlapping” coverage under the HHS and FTC rules.  Here are a couple examples: 1) A vendor with a dual role as both a business associate under HIPAA and a provider of PHRs to the public through its own website (reporting requirements under HHS for its functions related to qualifying as a business associate, and requirements under the FTC rule for its role as a provider of PHRs to the public), 2) PHRs offered to families (a HIPAA covered group health plan would have data breach reporting requirements under HHS Rule for the employee covered by the plan, but not for a spouse who has a PHR under the plan, but is insured by the a different provider, for which the FTC Rule would be applicable). As a result, it is crucial for an entity that provides services and functions to varying categories of individuals, to carefully parse out applicability under each of the rules.

The health app industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store medical data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

When use or disclosure of an individual’s health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.

Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the “HIPAA rules”), issued this guidance. We have summarized some of the key points below.

Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The OCR’s answer is clear – No.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.

The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.

Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

This is a popular question these days. The OCR’s answer, “No.”

OCR reminds readers that the HIPAA rules do not apply to employment records:

including employment records held by covered entities or business associates in their capacity as employers.

The OCR also observed that:

federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

But, again, once collected, vaccination information must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). And, group health plans sponsored by employers are, in most cases, HIPAA covered entities. This means that COVID-19 vaccination information maintained in connection with those plans, such as claims information, would be PHI subject to the HIPAA rules.

Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Another popular question and, again, the OCR’s answer is no.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Do the HIPAA rules prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Here, the answer is generally, yes. The doctor’s office is a HIPAA covered entity and the HIPAA rules prohibit covered entities from using or disclosing an individual’s (patient’s) PHI except with the individual’s authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor’s office will need a written authorization in order to disclosure the records.

Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.

The OCR provides some additional examples:

  • A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, provided all of the following conditions are met:
    • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
    • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
    • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose
    • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations – screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules – the HIPAA rules – apply to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.

On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue.  Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period.  BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.

In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.”  The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., in reaching its conclusion.

Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication  matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.”  The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.”  On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”

Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.

In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues.  However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle.  The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration.  In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA.  The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.

There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.

 

Yesterday, Baltimore’s local ordinance prohibiting persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology,” became effective.  The new ordinance prohibits the use of facial recognition technology by city residents, businesses, and most of the city government (excluding the city police department) until December 2022. Baltimore joins a growing list of localities regulating private use of facial recognition technology including Portland (Oregon), and New York City.

Specifically, the Baltimore ordinance prohibits an individual or entity from obtaining, retaining, or using facial surveillance system or any information obtained from a facial surveillance system within the boundaries of Baltimore city. “Facial surveillance system” is defined as any computer software or application that performs face surveillance. Notably, the Baltimore ordinance explicitly excluded from the definition of “facial surveillance system” a biometric security system designed specifically to protect against unauthorized access to a particular location or an electronic device, meaning organizations using a biometric security system for employee/visitor access to their facilities would appear to be still be permissible under the bill. The ordinance also excludes from its definition of “facial surveillance system” the Maryland Image Repository System (MIRS) used by the Baltimore City Police in criminal investigations.

Significantly, a person in violation of the law is subject to fine of not more than $1,000, imprisonment of not more than 12 months, or both fine and imprisonment.  Each day that a violation continues is considered a separate offense. The criminalization of use of facial recognition, is first of its kind across the United States.

Businesses in the City of Baltimore should be evaluating whether they are using facial recognition technologies, whether they fall into one of the exceptions in the ordinance, and if not what alternatives they have for verification, security, and other purposes for which the technology was implemented. An earlier post providing details and analysis of the Baltimore prohibition on face surveillance technology is available here.

Watch out! A spike in ransomware attacks may be headed our way over Labor Day weekend. Yesterday, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to be on high alert for ransomware attacks this weekend, after recent targeted attacks over Mother’s Day, Memorial Day and Fourth of July weekends.

“Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time”, the FBI and CISA noted in their alert.

In May 2021, leading into Mother’s Day weekend, malicious cyber attackers deployed the now infamous ransomware attack on Colonial Pipeline, resulting in the Biden Administration issuing a memo specifically addressing critical infrastructure cybersecurity. Shortly after, over Memorial Day weekend, an entity in the food and agricultural sector suffered a similar attack, resulting in a complete shutdown of production. And finally, over July 4th weekend, an entity in the IT sector was hit with an attack affecting hundreds of organizations including multiple managed service providers and their customers.  Needless to say, organizations across all sectors should be on high alert heading into Labor Day weekend.

The FBI’s Internet Crime Complaint Center (IC3), the go-to-source for cyber incident reporting, has tracked ransomware trends in recent years.  In 2020, a record number of complaints (791,790) related to internet crimes were reported to IC3, with reported losses exceeding $4.1 billion. In ransomware specifically, there was a 20% increase during 2020, and a 225% increase in ransomware demands.

The FBI/CISA’s joint ransomware warning for Labor Day, provides several suggestions for preventing and responding to an attack.  Here are a few key takeaways:

  • Make an offline backup of your data. This includes reviewing your organization’s back up schedule to consider the risk of possible disruption during weekends and holidays.
  • Do not click on suspicious links. Implementing an employee/user training program and phishing exercises can go a long way in warding off an attack.
  • If you use RDP-or other potentially risky services-secure and monitor. In particular limit access and monitor remote access, and review review review your third-party vendor’s security policies.
  • Upgrade your OS and Software; scan for vulnerabilities. Continue to review and upgrade your software, regularly patching and updating for the latest available versions that take into account security vulnerabilities.
  • Use strong passwords. Consistent password hygiene can make a world of difference. Ensure strong passwords, that are regularly updated and not used across multiple accounts or stored on the system.
  • Use multi-factor authentication. Where possible, implement multi-factor authentication, particularly for remote/virtual networks.
  • Secure your network (s) and user accounts. This includes securing home networks of remote workers, and regularly auditing user account logs to ensure legitimacy.
  • Have an incident response plan. There are several steps an organization can take to build an incident response plan that minimizes the chance and impact of a successful attack. Here are a few.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends, such as spikes in attacks during the holidays.  Increasing awareness among employees to avoid becoming a victim of a phishing attack could be an excellent initial step.