Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

In another recent example of a law firm running afoul of privacy requirements in litigation (See also the discussion of Kim v. St. Elizabeth’s), U.S. District Judge Michael Davis recently assessed a $5,000 sanction against the law firm for electronically filing an affidavit that contained the Social Security numbers and dates of births of 179 people. Engeseth v. County of Isanti, No. 06-CV-2410 (D. Minn.), Oct. 20, 2009. The court’s order was premised on Rule 5.2(a) of the Federal Rules of Civil Procedure which states that filings in federal court may only include the last four digits of an individual’s social security number or taxpayer identification number. Judge Davis noted that: 

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow the federal and local rules. 
(emphasis added)

In addition to the $5,000 sanction, Judge Davis required the plaintiff’s law firm to pay the costs associated with preventing identity theft for the 179 harmed individuals including informing the individuals and paying the costs of FICO standard services consisting of a credit report and a 12-month subscription to FICO Quarterly Monitoring.

As shown by a recent Illinois appellate court decision, Kim v. St. Elizabeth’s Hosp., Ill. App. Ct., No. 5-08-0571, (Oct. 23, 2009), the patchwork of federal and state protections for certain types of information has made the process of responding to subpoenas more difficult. This is particularly the case with medical records.

Based on an Illinois law providing special protections for mental health records known as the Illinois Mental Health and Developmental Disabilities Confidentiality Act, the plaintiff in this case sued the hospital and her former husband’s law firm alleging the impermissible release of her mental health records in connection with a prior divorce action.

Absent an authorization from the individual, the Illinois Act prohibits any third party, including medical providers, from responding to a subpoena for mental health records unless the subpoena is accompanied by a written court order authorizing the disclosure. This requirement may be surprising to some, who assume that a subpoena is, itself, a request from the court. The law also prohibits the use of mental health records in litigation unless a judge makes certain findings after a review of the records.

In this case, the husband’s law firm served a subpoena on the health care provider seeking “any and all records regarding the care and treatment of” the plaintiff. While the appellate court wrestled with some procedural issues involving the lower court’s rulings, it held that the matter had not been fully considered and there could very well have been a violation of the Illinois law restricting the disclosure of certain mental health records.

This decision highlights the complicated tensions that arise in every state and federal court when medical records or other private information is requested during discovery. It also should be a reminder for hospitals and all other entities receiving requests for information to exercise the appropriate due diligence before responding.

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

  • The Judiciary Committee approved both measures by significant majorities.
  • The number of data breaches and complaints about them continue to mount.
  • Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members’ reelection efforts.
  • The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

  • Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
  • Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law
  • How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
  • Is the process subject to collective bargaining?
  • Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance
  • Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
  • Are there any specific issues/disclosures for public sector employees/applicants?
  • Can the I-9 verification/e-verify process be completed on-line?
  • Do the rules change for applicants from other countries?
  • If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
  • Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
  • Can benefit plan enrollment forms be completed on-line?
  • Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update existing enforcement regulations under HIPAA for statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and only address the provisions of the HITECH Act already in effect.

The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.

There have been a number of recent changes that enhance and strengthen HIPAA’s enforcement provisions – the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations.  As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.

A British TV station investigation into India’s medical transcription industry, known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects, as well as American citizens. Medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation out of New Delhi suspects a "hardening of stance on the outsourcing industry by the western world." The article states:

The revelation has forced police of the two countries to join hands to launch an official investigation into the data pilferage of the records stored by the Indian BPOs. If found true, the allegations could hit the flourishing BPO sector in India hard, fueling doubts about their integrity and efficiency.

Security breaches of this kind can have far reaching effects beyond the businesses and individuals directly impacted. The hopes for funding U.S. healthcare reform rest, in part, on administrative cost savings. Under the HITECH Act, enacted as part of the 2009 federal stimulus bill, the U.S. will spend 36 billion to spur the health care industry to purchase and create systems and equipment, including electronic health records systems, to better network the healthcare industry. Reluctance to outsource and increased security are likely to chip away at whatever cost savings can be achieved through enhanced technology in healthcare. 

In the short run, businesses must be more vigilant in vetting their vendors, as well as the vendors of their vendors. These efforts should include stronger agreements, deeper examinations of security protocols, knowing where information is ultimately stored and processed, and having a better understanding of the applicable legal and industry standards concerning data security. These efforts can not stop at the water’s edge.

The Washington Post is reporting another inadvertent disclosure of sensitive information involving “peer-to-peer” or “P2P” technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee staff member saved a copy of the document summarizing the ethics investigations to her personal computer where her peer-to-peer file-sharing software allowed it to be shared.

Besides the difficult political questions that are sure to follow, this incident makes clear that strong data security requires more than a strong firewall and encryption. Administrative policies, training and vigilance are essential, particularly where working remotely and from home is the norm.

A New Jersey restaurant has been hit with a jury verdict in favor of two waiters who were fired after the restaurant’s managers accessed a private social networking site where the waiters were criticizing management.

As the social networking (e.g., MySpace and Facebook) “craze” continues to expand, employers must be more mindful of privacy concerns relating to content made available in these media by applicants and employees. Hiring and other job decisions often seem based on information obtained from employees’ or applicants’ social interactions on the Internet, at least to some degree. Generally, employment decisions are more supportable where there is a social networking policy that has been communicated to employees.

In Brian Pietrylo, et al. v. Hillstone Restaurant Group d/b/a Houston’s, a federal court in New Jersey rejected the employer’s attempt to throw out the jury verdict that managers at a Houston’s restaurant intentionally and without authorization accessed a private, invitation-only chat group on MySpace in violation of the federal Stored Communications Act (SCA). The SCA prohibits unauthorized access of stored communications such as e-mail and Internet accounts. The Court also upheld the jury’s award of compensatory and punitive damages against Hillstone.

This case reminds employers to consider carefully any decision to monitor employees’ use of social networking sites.  Mistakes may be costly.

Reports indicate that identity theft is the fastest growing crime in the United States. In fact, the FTC lists identity theft as the most reported crime for 2008. Identity thieves use personally identifying information of unsuspecting individuals to open new accounts and misuse existing accounts, creating havoc for individuals and business and costing millions of dollars. To help slow the frequency of these offenses, the federal government passed the Fair and Accurate Credit Transactions Act of 2003 (PDF).

Under the FACT Act, a number of federal agencies, including the FTC, the federal bank regulatory agencies, and the National Credit Union Administration, issued regulations (“Red Flags Rules”) requiring financial institutions and creditors to develop and implement written identity theft prevention programs to detect, prevent, and mitigate instances of identity theft. These programs must be designed to provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” The FTC has broadly interpreted the term “creditors” to include professionals such a lawyers and doctors. However, the U.S. House of representatives passed H.R. 3763 which would exclude from the meaning of “creditor” any health care practice, accounting practice, or legal practice with 20 or fewer employees. Currently, this Bill awaits action by the Senate.  Similarly, a federal judge in the U.S. District Court for the District of Columbia recently ruled that the FTC cannot force practicing lawyers to comply with the red flags, holding that she had a problem concluding that Congress intended to regulate lawyers when these statutes were enacted. 

Given the November 1, 2009 enforcement date, and the unresolved definition of "creditor," businesses of all sizes and industries will need to take immediate steps to develop a comprehensive strategy for compliance with the Red Flag Rules. Here is helpful information for the Red Flag Rules and small businesses.

Update:  Since the publishing of this post, the FTC has again extended the enforcement date to June 1, 2010.  Additionally, the U.S. District Court for the District of Columbia upheld the American Bar Association’s challenge to the Rule and the opinion enjoins the FTC from enforcing the Rule against lawyers.