California hospitals and nursing homes take note – the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

  • $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
  • $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility’s confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without “unreasonable delay.”

As the number of data security incidents in the health care industry continue to mount, CDPH’s enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

We’ve written extensively here on the importance of safeguarding personal information. We’ve also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company’s most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients’ information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others soon may get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christoper Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they were not aware that they would be covered by this rule. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC for taking the position that professionals were “creditors” when they allowed consumers to pay later, and would have to comply with its Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing its Red Flags Rule through December 31, 2010 and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and to obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.  

DriveCam - Camera on Rearview MirrorIn the name of vehicle safety, California Assembly Bill 1942 will permit among other things “driver cams” to be mounted on vehicle windshields beginning on January 1, 2011. Formally known as “video event recorders,” these devices can continuously record audio, video, and G-force levels in a digital loop in order to help identify bad driver habits or other factors that lead to vehicle accidents. Well intended, the new law certainly will create a range of privacy issues for employers, particularly those in the transportation and delivery business.

Specifically, the law will permit the monitoring of driver performance through video event recorders so long as the following are satisfied:

  • Size limitation – The recorder must be mounted either (i) in a seven-inch square in the lower corner of the windshield farthest removed from the driver, (ii) in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or (iii) in a five-inch square mounted to the center uppermost portion of the interior of the windshield.
  • Notice requirement – A notice must be posted in a visible location informing passengers that their conversations may be recorded.
  • Length of recording – No more than 30 seconds may be recorded before or after a triggering event, e.g., a collision.
  • Driver for hire rights – Employers that install a video event recorder in vehicles of their employees driving for hire must provide those employees with unedited copies of the recordings upon the request of the employee or the employee’s representative. These copies must be provided free of charge to the employee and within five (5) days of the request.

There are a number of obvious issues that face employers interested in utilizing video event recorders, such as not knowing what information will be captured by these devices and how to discipline employees who violate policy as shown in the recording. There are other less obvious issues which employers should consider when deciding to implement this technology.

For example, the law does not provide a period after which employees can no longer request a copy of the recording. This raises the question of how long recordings must be maintained. Another concern is whether information captured in a recording could be used against the employer, such as in a wage and hour class actions or violations of common carrier or vehicle safety requirements. Because the law is designed to address vehicle safety, a question exists as to whether the law implies a training requirement on employers aware of bad driving habits of employees from the recordings.

For these and other reasons, employers ought to think carefully before implementing this technology.

What had been the first use of the enforcement authority under the HIPAA privacy regulations granted to a State Attorney General, has ended in a settlement agreement between Connecticut’s Insurance Department and Health Net of Connecticut. Under the agreement, Health Net will pay $375,000 in penalties, and it agreed to provide credit monitoring protection for 2 years to all affected persons in Connecticut and to take significant steps to improve data and equipment security in both its Shelton, CT locations.

One important item to note from the Insurance Department’s press release is that the "most prominent failure stemmed from the untimely notification of the 2009 loss of a disk drive from the Shelton location resulting in the loss of personal health information of approximately 500,000 Connecticut members." This should be a reminder to any entity involved in a data breach of the importance of acting quickly to notify affected individuals.

Welcome to the next advancement in the delivery of health services –

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

  • As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
  • Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
  • Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
  • One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
  • Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

The Seventh Circuit Court of Appeals in U.S. v. Szymuszkiewicz recently affirmed the criminal conviction of an employee under the federal Wiretap Act, 18 U.S.C. § 2511, after he auto-forwarded emails from his supervisor’s email account to his own. The Court concluded the use of the auto-forward feature constituted an “interception” in violation of the Act.

Szymuszkiewicz shows the application of traditional criminal statutes like the Wiretap Act to Internet-based modes of communications such as email, but also to voice-over IP phone communications. The case also is an example of the courts’ continuing struggle with applying the Act to modern communications technologies such as email. Szymuszkiewicz is an instructive reminder for employers, however, about the remedies applicable under the Act to employees who misuse an employer’s email system actions, in addition to traditional remedies such as discipline or termination. In light of the length of time in which Szymuszkiewicz forwarded his supervisor’s emails without her knowledge, 3 years, the case also highlights a need for review and audit of employer technology systems and education to employees to monitor their accounts for privacy purposes.
 

 

Continue Reading Court Finds Use of Microsoft Outlook’s Auto Forward Feature is an “Interception” and Upholds Criminal Conviction of Employee Under the Federal Wiretap Law

237801The folks at Identity Theft 911 remind us of the need to be "smart" about handling smartphones. In a recent post, the company warns that the wealth of data on these devices can substantially expose an individual if his or her device(s) are not purged upon disposal. The same is true, of course, for employers with respect to the phones and other devices they make available to their employees, as well as the employees’ own devices which employers permit to access their systems.

Whether because of personal preference, workforce turnover, technological advancement, a better provider contract, or business needs generally, phones and other communications devices are updated frequently. This typically results in the disposal of old devices which can have significant amounts of data stored on them. This data may include not only the personal information of the user of the phone, but sensitive company information, as well as personal information of other employees or the company’s customers. 

Employers should be taking steps to ensure these devices are handled properly. From a technical perspective, Identity Theft 911 notes that fortunately there are a number of ways to ensure that all sensitive data are cleared from a phone’s memory before it is thrown away. They warn, however, that it may not be enough to use a handset’s option to restore it to factory settings. Rather, the phone’s SIM card(s) which stores information should also be obtained, removed, purged, and/or destroyed, as appropriate.

From an employment policy perspective, employers should consider establishing policies to better manage the use of these devices. Policies such as:

  • limiting the kinds of devices that can be used,
  • maintaining an inventory of the devices being used,
  • controlling the information that can be stored on the devices, and
  • securing/purging devices upon termination of employment,

can go a long way to minimizing risk of a data breach involving sensitive personal and company information. Of course, employers that take these steps need to be mindful of employees’ expectation of privacy with respect to personal information that may be stored together with company information.  Such policies should be a part of any Written Information Security Program (WISP).

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee’s retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity – voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

The long awaited final Title II regulations under the Genetic Information Nondiscrimination Act (GINA) will be issued tomorrow, November 9, 2010. The Equal Employment Opportunity Commission published proposed regulations under Title II of GINA on March 2, 2009. A period of public comment followed. The final regulations will have an impact on a number of employment practices, including wellness programs. We will be reviewing these regulations together with our Disability, Leave and Health Management Group, as well as our Employee Benefits Group. This guidance is welcomed news as litigation concerning GINA in the workplace has already commenced.

In general, Title II of GINA prohibits use of genetic information in the employment context, restricts
employers and other entities covered by Title II from requesting, requiring, or purchasing genetic
information, and strictly limits such entities from disclosing genetic information. The law
incorporates by reference many of the familiar definitions, remedies, and procedures from Title
VII of the Civil Rights Act of 1964, as amended, and other statutes protecting federal, state, and
Congressional employees from discrimination.