In a case addressing the Family Medical Leave Act (FMLA) that directly implicates the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), Pacosa v. Kaiser Foundation Health Plan of the Northwest, the Portland Division of the United States District Court of Oregon awarded summary judgment against a physician assistant who claimed he was discharged in retaliation for taking FMLA leave. While the court primarily focused on the boundaries of what constitutes FMLA retaliation, the case serves as a good example of the limits healthcare companies can place on employee access to available protected health information and enforcement mechanisms for addressing violations of such access.

Frank Pacosa was a physician assistant for Kaiser Foundation Health Plan of the Northwest in Portland, Oregon. He alleged that he took intermittent leave under the FMLA during the period from 2001 to 2008 for the purpose of caring for his wife’s clinical depression. While employed, Pacosa signed a number of confidentiality agreements, which prohibited him from accessing his own health records or the health records of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy that he signed and was trained on prohibited him, as an employee, from accessing any protected health information records except where related to his job.

In 2008, Kaiser Permanente’s Compliance Department received a series of phone calls from Pacosa’s wife, who informed it that Pacosa had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her. The Compliance Department’s investigation revealed that Pacosa had accessed his wife’s records without authorization, and further accessed and edited his daughter’s records as if he was the treating medical provider, all while he was on alleged FMLA leave.

Kaiser Permanente determined that Pacosa, who at one time served on the Confidentiality Committee and Health Information Management Committee, improperly, and with the intent of personal gain, accessed the protected health information of his wife and daughter, violating its confidentiality policies. Kaiser Permanente terminated Pacosa’s employment on October 30, 2008.

Pacosa sued Kaiser Permanente in Oregon District Court, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. The Oregon District Court granted summary judgment on each of Pacosa’s claims, determining that there was no issue of material fact that Pacosa violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.

As we have touched upon in previous posts, the chance of a data breach or information misuse rises with the use of electronic data and employee access to that data. Of course, the advent of the electronic medical record is both a result of developing technology and required under HIPAA, but as Mr. Pacosa’s termination illustrates, the portability of electronic records makes it easy to view or misuse a patient’s private health information.

Kaiser Permanente’s repeated distributions of confidentiality policies and its obligations to secure and limit employee access to protected health information illustrate a best practice and the minimum necessary compliance obligation that covered entities have under HIPAA’s privacy rule and the recent changes to it in the American Recovery and Reinvestment Act of 2009 (“ARRA”). The Pacosa case serves as another reminder to covered entities to review and place appropriate limits on employee access to protected health information.

Background checks may be a prudent practice for businesses, but they present a range of issues.

The Association of Corporate Counsel recently published a "Top Ten" list of issues businesses should consider when deciding to implement a background check program, written by our Partner Richard Greenberg and Dani Sanchez-Gleason.

See also prior posts.

In New York, the Electronic Equipment Recycling and Reuse Act (pdf) (Environmental Conservation Law, Article 27, Title 26) creates electronics recycling programs effective April 1, 2011. The new law requires that free and convenient recycling of electronic waste be provided to most "consumers" (see definition below) in the state, including households, many small businesses and many not-for-profit corporations. The State’s Department of Environmental Conservation has set up a detailed website providing information about this new law. As discussed below, other states are taking similar steps to deal with this new form of waste.

New York’s e-Waste Law

The new law affects consumers, retailers, and manufacturers of "covered electronic equipment" (CEE), as well as certain waste recycling, consolidation, collection and management facilities. One of the notable requirements under the new law is that beginning April 1, 2011, manufacturers of CEE are required to take back from consumers a wide range of electronic waste.

Who is a "consumer" and what equipment is covered under the law?

A "consumer" is an individual, business, corporation, limited partnership, not-for-profit corporation, the state, a public corporation, public school, school district, private or parochial school or board of cooperative educational services or governmental entity located in New York State, except when involved in a wholesale transaction between a distributor and retailer.

"Covered electronic equipment" includes:

  • Computers
  • Televisions
  • Cathode Ray Tubes
  • Small Scale Servers
  • Computer Peripherals (Computer peripherals also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • Monitors
    • Electronic Keyboards
    • Electronic Mice or Similar Pointing Devices
    • Facsimile Machines, document scanners, and printers (only those intended for use with a computer and weighing less than 100 lbs.)
  • Small Electronic Equipment (Small electronic equipment also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • VCRs
    • Digital Video Recorders
    • Portable Digital Music Players
    • DVD Players
    • Digital Converter Boxes
    • Cable or Satellite Receivers
    • Electronic or Video Game Consoles

"Covered electronic equipment" does not include such things as cameras; portable or stationary radios; household appliances; monitoring and control instruments or systems; telephones of any type; portable digital assistants or similar devices; calculators; global positioning system (GPS) receivers or similar navigation devices; servers other than small-scale servers; cash registers or retail self-checkout systems; stand-alone storage products intended for use in industrial settings; and other equipment.

What is the cost?

For the basic services required under the new law, which include acceptance of CEE, for-profit businesses with fewer than 50 full-time employees and not-for-profit organizations with fewer than 75 full-time employees may not be charged for the collection, handling, recycling, or reuse of CEE. Larger organizations may be charged for these services. (Full-time employment is not defined under the law.) Note, however, that the new law generally does not affect contracts consumers entered into with manufacturers prior to January 1, 2011.

In addition, any consumer may be charged for "premium services." "Premium services" are any services above and beyond the reasonably convenient acceptance methods defined in the new law. These include equipment and data security services, refurbishment for reuse by the consumer, and other custom services as may be determined by the Department of Environmental Conservation such as at-home collection (other than mail back programs), data wiping, specialized packing and preparation for collection, etc.

Does the law require e-waste to be recycled?

Not yet. However, beginning January 1, 2012, businesses, municipalities, and subdivisions of the state, including their waste collection company or service, will no longer be able to collect electronic waste for disposal, or dispose of any electronic waste in a landfill or waste-to-energy facility. A similar rule goes into effect for individuals and households on January 1, 2015.

Will recycling be performed in a secure manner?

No. The Department of Environmental Conservation’s website warns:

Consumers should erase all personal and confidential data on their electronic equipment before sending it for recycling or reuse. Reformatting your hard drive or deleting files does not destroy your data. The resources listed on the right side of this page under "Offsite links" provide guidance on data wiping, etc.; however, there might be other data security service resources and options available. Please note, the Department is not responsible for the contents of any offsite webpages referenced. These links are provided as a public service only (see disclaimer on the Electronic Equipment Recycling and Reuse Act main page).

This means that consumers need to take appropriate steps to safeguard data before submitting their CEE to be recycled under this program. Under New York’s new law, the manual for electronic products that contain internal memory capabilities, such as a hard drive which could retain personal or other confidential information, must describe for consumers how they can destroy such data before surrendering the products for recycling or reuse.

Activity in Other States

As reported in the BNA Privacy and Security Law Report, a pending bill in New Jersey (A. 2975) "would require businesses and government agencies to destroy personal data stored on a digital copy machine before disposing of it." The State’s Attorney General would be able to seek penalties of up to $10,000 for the first offense and up to $20,000 for subsequent violations. Similar laws are being considered in Nevada, Florida, Connecticut and Oregon.

Continuing the trend of significant enforcement of data privacy and security laws by federal and state agencies across the nation, the Office of the Massachusetts Attorney General (AG) has settled a lawsuit against Boston-based Briar Group LLC for $110,000, according to a press release issued by that AG’s office on March 28, 2011.

See complaint and final judgment.

As we reported in prior posts, the U.S. Department of Health and Human Services (HHS) recently imposed a $4.3 million fine on a Maryland health care provider for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and days later entered into a $1 million settlement with a Massachusetts hospital that allegedly breached patient data. The recent enforcement activity of the HHS and the Massachusetts AG confirms that employers nationwide need to be as cognizant of the data privacy and security laws that apply to their operations as the government.

In its press release, the Massachusetts AG’s Office stated that the Briar Group, which owns and operates a number of bars and restaurants in the Boston area, “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” The initial lawsuit filed by the AG’s Office stated that the Briar Group experienced a data breach in April 2009, in which hackers accessed customers’ credit and debit card information, but did not take steps to remove the software which allowed the hackers access to the company’s computer systems until December 2009, six months later. The lawsuit also outlined various other ways in which the company failed to properly safeguard its customers’ personal information, including:

  • Failing to change default usernames and passwords on point-of-sale computer systems;
  • Allowing multiple employees to share common usernames and passwords;
  • Failing to properly secure its remote access utilities and wireless network; and
  • Continuing to accept credit and debit card account information after knowing of the April 2009 data breach.

In addition to the monetary payment, the terms of the settlement require the company to “develop a security password management system and implement data security measures to comply with Payment Card Industry [PCI] Data Security Standards [and] state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.”

This recent activity by the Massachusetts AG’s Office, along with HHS’s latest actions, should motivate employers to put in place the policies and procedures required by applicable data security and privacy laws. For those who have already taken steps toward conformity with the relevant laws, this should prompt a review of current policies and procedures to ensure that they are thorough and that they are being followed. For example, employers subject to HIPAA should have policies and procedures that address the management of their constituents’ protected health information. Employers who employ Massachusetts residents or who maintain the personal information of Massachusetts residents are well advised to implement and follow a comprehensive Written Information Security Program (WISP) governing the storage, access, transmission and other forms of handling of those individuals’ personal information.

Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers. In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.” The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.

The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures, and she never gave permission for the photographs to be published in this manner. Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page. There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.” The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.

The potential implications of this holding are numerous. As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages. Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions. Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.

The confidentiality-of-medical-records requirement under the Americans with Disabilities Act (ADA) is violated when an employer discloses a current or former employee’s medical records in response to a state court subpoena absent the employee’s release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney’s demand letter or a subpoena and apply to the individual’s medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as:

  • what kind of information is contained within the files being requested;
  • what specific statutory or regulatory protections apply to some or all of the information being requested (see below);
  • whether a response is appropriate without the individual’s authorization or without giving the individual an opportunity to object;
  • whether a court order is needed for some or all of the information being requested; and
  • what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

  • supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
  • first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment;
  • government officials investigating compliance with this part shall be provided relevant information on request;
  • employers may disclose medical information to state workers’ compensation offices, state second injury funds, workers’ compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
  • employers may use medical information for insurance purposes.

The EEOC found that the Postal Service’s disclosure of Mr. Bennett’s medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service’s] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied. The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett, (ii) to conduct training concerning the ADA’s confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett’s attorneys’ fees, among other things.

Is the ADA the only concern?

In short, no. The ADA is only one of the protections for medical and other personal information that could create exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

  • GINA: Regulations issued under Title II (GINA’s employment provisions) provide that employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified.
  • HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA.
  • 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities.
  • State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records.

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests.

The First Amendment of the U.S. Constitution protects from judicial restraint discussions over matters of public concern, including claims of wide-scale data breaches of social security numbers and other personal information by a former employee on a blog, a New York State Supreme Court justice has ruled. Cambridge Who’s Who Publishing, Inc. v. Sethi, 009175/10, NYLJ 1201482619238, at *1 (Sup. Ct., Nassau Cty. Jan. 25, 2011). Finding no extraordinary circumstance that would overcome the Constitutional protection, the court denied a company’s request to enjoin its former employee from blogging about the company and its products, despite his agreement to maintain the confidentiality of confidential business information.

Relevant Background

Harsharan Sethi was the Director of Management Information Systems for marketing and networking company Cambridge Who’s Who Publishing. When Sethi started working at Cambridge in July 2008, he signed an “employee covenants and non-disclosure agreement.” The agreement prohibited Sethi from using the company’s confidential information, except to pursue Cambridge’s business. Confidential information included “client names, addresses, and credit card numbers.” Cambridge terminated Sethi’s employment in February 2010.

The Blog Post

After Sethi’s termination, Cambridge suspected he was the author of a post on www.cambridgeregistrscam.com, which stated that members might be entitled to a full refund of their membership fees, suggested that members file complaints with the District Attorney and Attorney General, and offered to provide information on management personnel, including “their backgrounds,” “their life styles,” and “their prior run ins with [the] IRS.”

Cambridge viewed the blog post on May 11, 2010, and moved for a preliminary injunction the very next day. It sought to restrain Sethi from: (1) attempting to access Cambridge’s database; (2) contacting Cambridge’s “members” or customers; (3) disclosing customers’ personal information; (4) making any statements about Cambridge that might interfere with its goodwill, including contacting its employees or vendors; and (5) maintaining any blog or website concerning Sethi’s former employment.

The court granted the company’s request for a preliminary injunction, in part, enjoining the solicitation of Cambridge’s customers or disclosing their names or personal information. The court, however, denied Cambridge’s request that Sethi be restrained from making any allegedly defamatory statements regarding the company.

Cambridge later renewed its injunction request, submitting to the court allegedly defamatory statements made by Sethi after the court’s initial ruling. It presented an e-mail from Sethi to the New York Attorney General in which Sethi stated that tapes containing the personal data (including names, addresses, social security numbers, payroll data, checking account and credit card information) of 400,000 Cambridge members were lost or stolen from the company.

The court then granted a temporary restraining order enjoining Sethi from contacting Cambridge’s employees about his former employment or making statements that interfere with Cambridge’s goodwill, including maintaining a website or blog, until the preliminary injunction hearing.

First Amendment Protection

At the hearing, though, Justice Stephen Bucaria finally denied the injunction, holding that the First Amendment of the U.S. Constitution encompasses “at the least the liberty [to] discuss publicly and truthfully all matter of public concern without previous restraint or fear of subsequent punishment.” Finding that the alleged loss of social security numbers and credit card information, among other data, “implicate[] the economic interests of a large number of people” and, therefore, were matters of public concern, the court held that Cambridge had failed to establish the “extraordinary circumstances” that would justify a prior restraint on speech, and so denied the injunction restraining Sethi from communicating with Cambridge’s customers or law enforcement agencies concerning the data loss.

Lessons

Cambridge provides employers with several significant lessons.

  • First, it illustrates the enforceability of a non-solicitation-of-customers provision, which the court enforced by injunction.
  • Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
  • Third, the decision raises two key points about data security:
    • Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General’s Office, and Consumer Protection Board.
    • Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation upon asserting they have suffered an adverse employment action after their complaints about data security at their companies.

HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold 2-day, instructor-led HIPAA Enforcement Training courses in 4 locations across the country. Some Attorneys General, such as Connecticut’s former Attorney General Richard Blumenthal, have already used their newfound authority to enforce HIPAA. This announcement follows two significant, high-profile Office for Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital.

The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:

  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • The role and responsibility of an Attorney General under HIPAA and the HITECH Act
  • Resources available to Attorneys General to pursue alleged HIPAA violations

In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information upon request about pending or concluded OCR actions against covered entities or business associates related to attorney general investigations, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.

While years of lax enforcement may have lulled many HIPAA covered entities and business associates into not taking HIPAA seriously, these recent activities should spur renewed efforts toward compliance.

In the face of increasing unemployment, in March 2011, Florida, Michigan, and Montana joined the ranks of approximately fifteen other states that are considering bills limiting employers’ ability to use credit checks for employment purposes.

Florida. Florida’s Senate Bill 1562, introduced on March 3, would prohibit employers from using an applicant’s personal credit history as hiring criteria, except where a review of credit history is legally required. The proposed Florida law allows an employer to request credit history during the “application process if such history is shown to be directly related to the position sought by the applicant.” However, the credit history cannot be used as the “determining factor” in the hiring decision.

Michigan. Michigan’s House Bill 4363, introduced March 2, would prohibit employers from making hiring decisions based on an individual’s credit history and from inquiring about a job applicant’s or potential applicant’s credit history, unless good credit history is “an established bona fide occupational requirement of the particular position or employment classification.” Individuals cannot waive any right or protection under the proposed act and aggrieved individuals would be able to bring civil suit for damages or injunctive relief.

Montana. Montana’s House Bill 601, introduced March 1, would prohibit employers from using credit history information for employment purposes unless the employee’s current or potential position is one “for which credit is issued in goods, a line of credit is provided, or a fiduciary responsibility is owed to the employer,” or the position allows for use of such data when done in compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681(b)(2)(C) and (b)(4). Misuse of credit data or other violations of this proposed act would be punishable as a misdemeanor with fines up to $500.

Similar bills are also being considered in numerous jurisdictions such as: California, Connecticut, Georgia, Indiana, Kentucky, Maryland, Missouri, Nebraska, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Vermont, and Texas. Illinois, Oregon, and Washington already have such laws in place.

“Employers with multi-state operations, in particular, must remain abreast of these developments and ensure any background check program involving credit checks complies with applicable state law. Further, due to EEOC initiatives in this area, credit checks should be limited to positions in which credit history can be deemed job-related and individualized analysis of each applicant’s history should be the goal,” counsels Richard Greenberg, a partner with Jackson Lewis LLP in New York.

In an effort to go “green” or “paperless,” employers have been rapidly moving to electronic employment application and on-boarding systems. This movement has created a cottage industry with vendors of all kinds seeking to help employers obtain the benefits of this technology.

These vendors often promise significant advantages for those making the switch, such as: (i) thousands of dollars in savings due to reduced paper and paperwork costs; (ii) simplified compliance for human resources through the use of the proper electronic forms; and (iii) increased productivity. These can be particularly attractive to businesses facing the demands for increased effectiveness and efficiency, the difficulties of managing an off-site/remote workforce, and the expectations of technologically savvy job applicants.

While going green by reducing the use of paper and moving to a web-based employment application and on-boarding system can increase efficiency and reduce costs, employers should be aware of the fresh workplace challenges such a move can present. Before jumping in, employers need to consider issues such as the privacy, security and management of personal data, compliance with various federal and state regulations governing the use of electronic media in obtaining verifiable signatures, how to provide required notices, and the implications of having employees electronically fill out required tax and other government hiring forms, among other things.

Key considerations and questions for employers include the following:

  • Does the company have to comply with the federal Electronic Signatures in Global and National Commerce Act or a state law equivalent?
  • Are there laws limiting the personal information that may be collected from applicants?
  • Can the company require that employees receive notices electronically?
  • Can the company require that employees make their benefit elections and receive benefit plan summaries and other benefits documents electronically?
  • Is the process subject to collective bargaining?
  • How must personal information collected during the process be safeguarded, retained, preserved, and, ultimately, destroyed?
  • Are there special rules for government contractors?
  • Are electronic consents for fitness-for-duty examinations, background checks, and drug testing valid?
  • Can employees fill out I-9 forms electronically? Can the company retain only electronic copies of the I-9 forms?
  • If an applicant is hired, how should the collected information about the person be transferred accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes? Does the company have a plan or policy in place that not only addresses how the information is safeguarded, but how to respond if a data breach occurs?
  • Are there specific ERISA (Employee Retirement Income Security Act), HIPAA (Health Insurance Portability and Accountability Act), IRS (Internal Revenue Service), and other regulations that apply to using an electronic medium? How do these regulations intersect and how do they differ?
  • Do the rules change for applicants from other countries?
  • Can handbooks be provided on-line as part of the on-boarding process?
  • Can direct deposit forms be filled out and signed electronically?
  • Can restrictive covenant agreements be signed electronically?
  • Can employees be notified of and sign arbitration agreements electronically?
  • Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is the data stored by the vendor? Are appropriate contract provisions in place?

Employers implementing electronic application and on-boarding systems may realize savings of time and money. However, those savings may be short-lived if the on-line process is not designed to fit the particular company and address its particular needs and risks. Before taking this step, employers should seek appropriate guidance in navigating their way through the regulatory quagmire that is implicated by the seemingly simple act of going green.