Record keeping requirements in New Jersey add to the complexities multistate employers face trying to develop strong and practical record retention programs. Garden State employers must conspicuously post and distribute to employees a notice and maintain certain records according to a law, N.J.S.A. 34:1A-1.11 et seq., that went into effect on July 13, 2010.

To assist employers, the New Jersey Department of Labor and Workforce Development (“NJDOL”) published a notice entitled, “Employer Obligation to Maintain and Report Records,” that employers can post and distribute. According to the law, employers must 

  1. post this notice immediately in the workplace;
  2. provide each employee hired prior to November 7, 2011, a written copy of the notice no later than December 7, 2011; and
  3. provide employees hired after November 7, 2011, a written copy of the notice at the time of hire. 

Click here for more information concerning the posting and other requirements of the law.

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan’s discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

  • Where are the current policies and procedures for your department concerning privacy and security?

  • Would you please send me the training sign-in sheets for your group? Why was that group not trained?

  • Where are the signed copies of the business associate agreements? Is this all of them?

  • Where can I find a copy of the risk assessment for your department? Is it updated?

  • How was that complaint resolved? Were there any others?

  • Do you have all of the documents for the data breach that affected the radiology department?

  • Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity’s compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

  • Allow different departments/groups to log on an update their compliance efforts,

  • Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

  • Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

  • Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

  • Track and document responses to patient complaints,

  • Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

  • Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

  • Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

  • Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

 

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR’s website answers some helpful questions for covered entities and business associates… 

Continue Reading OCR Announces HIPAA Audit Program

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

If you have an interest in the role the growing use of mobile communications devices (smart phones, iPads, iPhones, etc.) will play in how personal health information is exchanged in the health care industry, the Office of the National Coordinator for Health Information Technology (ONC) is seeking your input. According to a notice published Nov. 1, 2011 (76 Fed. Reg. 67455), comments are due Dec. 31.

As part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, ONC is proposing to conduct a nationwide communication campaign to meet the Congressional mandate to educate the public about privacy and security of electronically exchanged personal health information. To conduct the campaign effectively, ONC requires "formative and process information" about different segments of the public. Among other things, ONC is seeking comments on consumer attitudes and preferences about the use of these devices to exchange health information, including how privacy and security information is presented electronically to consumers.

Written by Alexander Nemiroff

Employers are beginning to realize that their employees are sending or receiving recommendations on social media sites, such as LinkedIn, that are inconsistent with the employer’s policies, or worse, are false or fraudulent. They need to do something about it.

A large number of social media web sites are allowing users to recommend the work performance or services of co-workers, vendors, and customers. Unfortunately, many employers are not paying attention to this phenomenon. To their chagrin, they are discovering serious problems with these recommendations only when it is much too late.

For many years, attorneys have advised employers that providing positive or negative references for former employees can be problematic. Negative references for employees can often lead to defamation actions. As for positive references, a number of courts have found employers liable who provided false positive references for former employees that employers knew had committed crimes or engaged in other misconduct. As a result, many employers today simply provide neutral references for all former employees.

Unsanctioned recommendations appearing on social media sites also can cause complications for employers. Take, for instance, an ill-timed positive reference published by a manager on a social media site extolling his former employee’s honesty while, at the same time, but unbeknownst to the manager, the employer was contemplating litigation against the former employee for taking trade secrets or other confidential business information as he was leaving. 

Anonymous recommendations or endorsements by employees also may run afoul of the Federal Trade Commission’s Guidelines on the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. § 255. For example, employees anonymously endorsing their own company’s products without full disclosure of their relationship may trigger liability. The Guidelines require not only full disclosure of such relationships, but that employers have procedures in place to prevent such an endorsement from being made.

To avoid these issues, employers should take several steps. First, employers need to amend their written social media and/or reference policies to address unauthorized employee recommendations and references on social media sites. Depending upon the circumstances, barring employees from making such references may be appropriate. However, this is not always practical or prudent for employers who are encouraging employees to promote their businesses through social media. Under these circumstances, employers may require that employees request authorization from their human resources department or other designated individual before making references or recommendations, and to make any necessary disclosures.

Simply amending social media and references policies and procedures, however, may be insufficient. Employers need to be vigilant and proactive in this area. Appointing suitable personnel, and perhaps a social media manager, to monitor public social media sites to ensure that employees are not violating these critical policies, is another measure employers should consider. When monitoring, special care should be taken by governmental entities not to violate an employee’s constitutional right to privacy and by private employers not to infringe upon laws protecting employee off duty or protected concerted activities. 

The Securities and Exchange Commission’s Division of Corporate Finance provided guidance to public companies on October 13, 2011, about their disclosure obligations concerning cybersecurity risks and cyber incidents. The Division is careful to point out that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. So, while this guidance does establish new obligations for registrants, it seeks to help them understand their existing disclosure obligation as they relate to increasing cyber risks.

The guidance summarizes the kinds of attacks that may raise concerns:

  • unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption;
  • causing denial-of-service attacks on websites; or
  • third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

Concerning the disclosure obligation, the Division observes:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

In determining whether risk factor disclosure is required, including whether to include cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), registrants will need to consider all of the facts and circumstances, such as:

  • prior cyber incidents;
  • severity and frequency of those incidents;
  • the probability of cyber incidents occurring;
  • the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
  • the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware; and
  • the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

At the same time, the Division does not expect a registrant will make a disclosure that itself would compromise the registrant’s cybersecurity.

As cybersecurity risks continue to grow and cyber incidents become more widespread, all companies need to assess and address these risks. For public companies, this is even more critical given their reporting requirements. 

Have you hired a social media manager?  A social media guru/wizard/ninja/diva?  Each of these job "titles" are increasingly being used by companies to attract individuals who specialize in marketing a company’s brand and/or services in social media.  A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles are becoming corporate America.  

As companies struggle to keep up with the rapidly evolving world of social media, they are turning to hiring to hiring social media managers to handle their social media presence.  However, companies should be leery of the “jump first, look second” approach.  In fact, several key questions should be asked when delving into the realm of social media and hiring a new, typically younger employee with responsibility for a company’s social media existence and, therefore, its brand

Qualifications:

  • What qualifications are you looking for?  Often companies seek a younger employee who is "tech-savy."  Traditional employment issues notwithstanding (i.e. age discrimination when an "older" employee is not hired/considered for a position), companies must also consider what their social media mission/focus will be.  For example, to the extent a company utilizes social media as a marketing tool, will you want your social media manager to have a background in marketing?  Similarly, to the extent you wish to utilize social media to handle client/customer complaints, will you want your social media manager to have a background in customer relations? Will you hire an external candidate who is perhaps unfamiliar with your company and its mission, or will you hire an internal candidate?

Responsibilities:

  • What products/services will the social media manager be responsible for discussing/marketing?
  • Will the social media manager have total freedom to explore and execute social media opportunities? 
  • What policies will the social media manager be responsible for implementing?  Will the social media manager have responsibility for implementing the company’s social media policy to employees and managers as well?

Training/Protocols

  • What training will be provided to your social media manager?  For example, will the social media manager be trained on what information he/she should or should not consider when examining posts by customers and/or employees? 
  • What policies will govern your social media manager’s employment?  Will the social media manager be permitted to “friend” employees/subordinates on social media or establish policies for employees to follow? 
  • What safety protocols will be in place?  For example, if your company has a Facebook page, will you social media manager be responsible for maintaining the password and access to same?  How will the company transition its social media presence if and when the social media manager separates from employment? 

While the above list is by no means exhaustive, it demonstrates some of the additional considerations that must be examined when a company wishes to expand into social media.   Companies are often unaware of the need to consider these questions prior to implementing a social media policy or hiring a social media manager.  However, examining these points will help ensure your company’s social media experience flows more smoothly. 

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor’s work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

  • Contractors would be required to provide initial training and annual training for employees who either —(1) require access to a government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the federal government.
  • Federal agencies are required to provide contractors the training materials unless, on
    an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
  • The contractor is responsible to ensure the training is completed, and must maintain documentation of the training.
  • Certain privacy clauses will need to be added to the contract between the contractor and  the government.

Training must cover at least the following seven areas:

  1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
  2. The handling and safeguarding of personally identifiable information;
  3. The authorized and official use of government system of records;
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal
    Government;
  6. Breach notification procedures i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) and
  7. Any agency-specific privacy training requirements.

"Enforcement promotes compliance" according to the new director of the Department of Health and Human Services’ Office for Civil Rights, Leon Rodriguez, during an interview with HealthcareInfoSecurity’s Howard Anderson. In September, Mr. Rodriguez replaced Georgina Verdugo, and enters his post with significant relevant experience. He was formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, a health care attorney in privacy practice, and a prosecutor at the federal and state level. 

On the upcoming HIPAA audits, Director Rodriguez had the following to say:

This is the first time we’re doing it, so the first thing … is for us to ‘go to school’ on how best we will run an audit program. In part, this is what you might call a pilot. We’re going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals? 

The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit. Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.

With HIPAA audits scheduled to begin in the next few months, covered entities and business associates should become familiar with HHS’ new Director of Office of Civil Rights and his mission.