The 11th Circuit Court of Appeals has rejected the appeal of a former City of Daytona Beach Shores Fire Inspector who argued that the City improperly used her “personal health information” to defend itself against her lawsuit for interference under the Family and Medical Leave Act (FMLA). In Bailey v. City of Daytona Beach Shores, the City fired its Fire Inspector, Christine Bailey, after it learned that, while she was on FMLA leave, she had made claims under the City’s self-funded health plan for reimbursement of the cost of prescription narcotics without informing the City of her use of such drugs, in violation of the City’s drug-free workplace policy. In response, Bailey sued the City for FMLA interference and retaliation. During the underlying lawsuit, she moved to strike the City’s use of her personal health information on the grounds that the disclosure of her HIPAA-protected personal health information would violate the Health Insurance Portability and Accountability Act (“HIPAA”).

Health plans, like the one sponsored by the City, are “covered entities” under HIPAA and the use of protected health information from those plans for employment purposes is prohibited. Apparently, the Department of Health and Human Services notified the City that using the personal health information from the City’s plan for employment-related decisions would violate Bailey’s rights under HIPAA. We regularly advise employers who sponsor health plans, particularly self-funded plans, that individually identifiable health information they obtain in connection with plan administration services they provide for those plans cannot be used in the course of making employment decisions, absent the individual’s authorization or some other exception.

Affirming the trial court’s rejection of Bailey’s motion to strike, the 11th Circuit determined that while HIPAA prohibits the use and disclosure of personal health information in employment-related decisions, it does not bar a defendant in litigation from using the plaintiff’s personal health information to defend against that lawsuit. Thus, at least in the 11th Circuit, “fruit of the poisonous tree” can be used by employers to defend their employment decisions made based on fruit from their HIPAA-covered plans. The court further rejected Bailey’s FMLA interference and retaliation claims on grounds that the City proved it would have taken the same action, i.e., firing her for violations of the City’s drug policy, if she had not taken FMLA leave.

The 11th Circuit’s ruling may appear to be a victory for defendants in litigation who seek to use plaintiffs’ HIPAA-protected personal health information to defend themselves from plaintiff allegations that involve such information. However, the Court seems to gloss over the distinction made in the HIPAA regulations between functioning as a covered entity-health plan and functioning as an employer. The employee was suing the employer in this case, not the plan, and the employer, functioning as an employer, simply should not have had access to this information. The effects of this decision may be problematic for employers that do not read this decision and HIPAA carefully. Specifically, some employers may be encouraged to tap into health plan claims records more freely, not for plan administration purposes, but for employment purposes, believing that information can be used to defend their employment decisions in subsequent litigation.

Of course, while there may not be a private right of action under HIPAA, using protected health information in that way could expose the health plans, and in effect the employers, to investigations by the Office for Civil Rights. The 11th Circuit focused only on the use of personal health information in litigation, but whether such information is used in litigation or not does not remedy any underlying HIPAA violation. HIPAA would bar an employer from reviewing a prescription claim submitted to its health plan for the purpose of making an employment decision, irrespective of any litigation involving the disclosure or use. It remains to be seen whether a claimant who successfully files a HIPAA complaint with the Office for Civil Rights would be able to obtain a different result from a court addressing that party’s personal health information in the litigation context, the Bailey case notwithstanding.


In an earlier post, we discussed the basics behind how Bitcoin operates and how it might create unique issues for employers. In the span of just a little over a month, the Bitcoin community has had its share of stories in the news cycle. One of the largest exchanges, Mt. Gox, has filed for bankruptcy following an apparent security breach costing customers and the exchange nearly $500 million. Within a couple of weeks of Mt. Gox’s demise, Newsweek claimed to have identified the creator of the virtual currency, known only as Satoshi Nakamoto (the pseudonym used in the white paper that laid out the cryptographic framework for Bitcoin operations). Whether the person identified really is Nakamoto is still debated, but stories like this and the fall of Mt. Gox continue to add to the mystery that is Bitcoin.

Yesterday, the IRS removed some of that mystery when it released guidance on the tax treatment of bitcoin and other virtual currencies (which just happened to be day one of a virtual currency industry summit in San Francisco). One of the appealing factors for users of the virtual currency is that it is an unregulated peer-to-peer network, meaning it is not tied to any central monetary authority. The IRS’s guidance was expected, but many in the Bitcoin community believed that bitcoin would be treated like any other foreign currency. Apparently relying on the premise that bitcoin does not have legal tender status in any jurisdiction, the IRS has determined that bitcoin should be treated as property for tax purposes.

IRS Notice 2014-21 is somewhat of a blow to bitcoin users because the exchange of property, even to buy a cup of coffee, is now a reportable event. The notice provides that virtual currency is treated as property for U.S. federal tax purposes. General tax principles that apply to property transactions apply to transactions using virtual currency. Among other things, this means that:

  • Wages paid to employees using virtual currency are taxable to the employee, must be reported by an employer on a Form W-2, and are subject to federal income tax withholding and payroll taxes.
  • Payments using virtual currency made to independent contractors and other service providers are taxable and self-employment tax rules generally apply. Normally, payers must issue Form 1099.
  • The character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.
  • A payment made using virtual currency is subject to information reporting to the same extent as any other payment made in property.

This may sound like an insurmountable hurdle of onerous recordkeeping for virtual currencies, but automated accounting solutions are already in the works with more likely on the way. With a request for public comments included in its guidance, the IRS has signaled that these rules are not set in stone and changes may be ahead to the tax treatment of virtual currencies.

What seems unlikely to change is the continuing momentum bitcoin and other virtual currencies appear to be gaining. The failure of Mt. Gox may have been bad for Bitcoin’s public image, but supporters of the virtual currency seem undeterred. Despite security concerns, Bitcoin ATMs continue to pop up in the United States and abroad. The number of e-commerce retailers accepting bitcoin has outpaced those accepting in-store purchases, but that is starting to change. And even if your store of choice does not let you spend bitcoins, other companies have begun to find innovative ways around that problem too.

But perhaps the most intriguing item on the horizon is the race to open regulated investment funds and exchanges in the United States. Bitcoin might soon see an enormous influx of capital if investors are comfortable with the regulatory safeguards. The hope amongst the Bitcoin community is that this will lead to new innovations, making the use of virtual currencies more prevalent and practical for everyday use.

New technologies almost always trend to the ‘more’ side of the spectrum. Whether Mr. Nakamoto’s (whoever he or she is) vision of a global economy utilizing peer-to-peer transactions will come to pass is anyone’s guess, but you may not want to bet too much bitcoin against it.

A New Jersey student has filed a federal court lawsuit, H.W. v. Sterling High School District, alleging that she has been subject to disability discrimination and that her First Amendment rights have been violated.

The student, known only as H.W. in court papers, was banned from the prom, senior trip, and the school’s commencement ceremony following a tweet in which the student called the principal a “pussy ass bitch.” The student alleges in her suit that the tweet was the result of “oppositional defiant disorder,” a psychological disorder which, the student alleges, causes her to have difficulty with authority and dramatic mood swings. The suit claims that the school’s punishment of the student violated the New Jersey Law Against Discrimination since the school failed to consider the student’s behavior as a consequence of her psychological condition.

Additionally, the student claims the remark, although offensive, is entitled to First Amendment protection because it was made off school grounds, outside school hours, and did not disrupt school activities. As we have previously discussed (and as raised by plaintiff’s counsel), two prominent rulings, J.S. v. Blue Mountain School District, 650 F.3d 915 (3d Cir. 2011) and Layshock v. Hermitage School District, 650 F.3d 205 (3d Cir. 2011), have upheld a student’s free-speech rights concerning online posts about school officials.

In addition to the tweet about the school’s principal, the student also claims that another one of her tweets, an invitation for her classmates to “smoke with [her] before school tomorrow,” was also protected by the First Amendment. The school interpreted that tweet as a reference to smoking marijuana and ordered the student to submit to a drug test.

Both tweets were sent after the student received a two-day suspension for using her cell phone during the school day in violation of school rules. The suit seeks an apology, an injunction against the school’s barring of the student from school activities, an injunction against the drug test, expungement of documents related to the incidents, a revision of school policies, damages, and legal fees and costs.

Many organizations believe they have taken all steps necessary to eliminate the risk of a data breach. They often point to the organization’s deft IT team and tout the installation of some of the latest software solutions to protect sensitive data. However, some of these same organizations fail to take very basic steps to address the kind of low-hanging fruit that can lead to significant data breaches. Recent examples include:

  • An Internal Revenue Service employee potentially caused the Social Security numbers, names and addresses of some 20,000 employees and contract workers to be accessible online when the employee took a thumb drive home from work and plugged it into the employee’s unsecured home network, as reported by Bloomberg.
  • Also within the past week, the Metropolitan Transportation Authority notified some 15,000 MTA workers that their Social Security numbers and other personal information had been found on a CD inside a refurbished CD drive sold by a retailer, according to a report by the Wall Street Journal.

Safeguards that might have prevented these kinds of incidents include clearly written policies, regular employee training and reminders, and purging of mobile electronic devices and storage media before they are sold, donated or otherwise discarded. Of course, there are others, and these basic measures can often be implemented at relatively little cost; in many cases they are required by law. For example, a number of states have laws mandating the proper disposal of personally identifiable information, which would include information stored on electronic devices.

The U.S. Equal Employment Opportunity Commission (EEOC) and the Federal Trade Commission (FTC) issued joint informal guidance concerning the legal pitfalls employers may face when conducting background checks into a worker’s criminal record, financial history, medical history or use of social media. The FTC enforces the Fair Credit Reporting Act, the law that protects the privacy and accuracy of the information in credit reports. The EEOC enforces laws against employment discrimination.

The two short guides, Background Checks: What Employers Need to Know and Background Checks: What Job Applicants and Employees Should Know, explain the rights and responsibilities of both employers and employees.

The agency press releases state that the FTC and the EEOC want employers to know that they need written permission from job applicants before getting background reports about them from a company in the business of compiling background information. Employers also should know that it’s illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age (40 or older) when requesting or using background information for employment.

Additionally, the agencies want job applicants to know that it’s not illegal for potential employers to ask someone about their background as long as the employer does not unlawfully discriminate. Job applicants also should know that if they’ve been turned down for a job or denied a promotion based on information in a background report, they have a right to review the report for accuracy.

According to EEOC Legal Counsel Peggy Mastroianni, “The No. 1 goal here is to ensure that people on both sides of the desk understand their rights and responsibilities.”

Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday. OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply with a three-year HIPAA compliance program under OCR’s watchful eye.

OCR began investigating Skagit County and its Public Health Department when OCR received “a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.”

A relatively minor breach at first glance. However, OCR’s investigation revealed that the incident was broader and included the ePHI of 1,581 individuals, in some cases involving files concerning the testing and treatment of infectious diseases. According to the resolution agreement, Skagit County allegedly failed to provide notification, as required by the HIPAA Breach Notification Rule, to all of the affected individuals for whom it knew or should have known that the privacy or security of their ePHI had been compromised.

Like other OCR investigations, the enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” For example, OCR looked back to April 20, 2005 (the effective date of the HIPAA Security Rule), and alleged that Skagit County had not complied with various aspects of the HIPAA security regulations, including maintaining written policies and training employees.

The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. Cities, counties and other public sector entities that perform HIPAA covered functions should be reviewing their HIPAA compliance efforts to ensure they are in a strong defensible position. Some basic compliance steps – risk assessment, written policies and procedures, training, a breach response plan, documentation, and others – can go a long way.

The U.S. Commodity Futures Trading Commission (Commission) issued a Staff Advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy.

GLBA was enacted to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information. Specifically, under the Commission’s regulations, futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (covered entities) “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Those policies and procedures must:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The recommended best practices include:

  • Designating a specific employee with privacy and security management oversight responsibilities;
  • Identifying, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
  • Designing and implementing safeguards, in writing, to control the identified risks;
  • Training staff to implement the program;
  • Regularly testing and monitoring the safeguards;
  • Implementing third party service provider agreements which specify that the third party is maintaining appropriate safeguards;
  • Regularly evaluating and adjusting the program; and
  • Designing and implementing policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.

The best practices should look familiar to those acquainted with the various state laws that require companies to implement written information security programs, as well as to entities that are required to comply with HIPAA’s requirements. Ultimately, every entity that maintains personal information, whether that of customers, clients, patients, or employees, should consider implementing a program to safeguard such information.

The U.S. Department of Health and Human Services, Food and Drug Administration (FDA) recently issued draft guidance entitled “Guidance for Industry-Fulfilling Regulatory Requirements for Postmarketing Submissions of Interactive Promotional Media For Prescription Human and Animal Drugs and Biologics.”

The draft guidance is intended to describe the FDA’s current thinking about how manufacturers, packers, and distributors (firms) can fulfill regulatory requirements for postmarketing submissions of interactive promotional media (e.g., blogs, microblogs such as Twitter, social networking sites like Facebook, online communities, and online podcasts) for FDA-approved products.

Under FDA regulations, if a firm has any control of, or influence on, a site, it must submit promotional material about its product(s) to the FDA under the FDA’s postmarketing submission requirements.

Recognizing the challenges of submitting promotional materials that display real-time information, the FDA provided recommendations for submitting interactive promotional media. In its examples, the FDA explained:

  • At the time of initial display, a firm should submit in its entirety all sites for which the firm is responsible, including submission in a way that allows the FDA to view and interact with the submission in the same way as the end user;
  • For third-party sites on which the firm’s participation is limited to interactive or real-time communications, a firm should submit the third-party site’s home page, along with the interactive page within the third-party site and the firm’s first communication;
  • Once a month, a firm should submit an updated listing of all non-restricted sites for which it is responsible or in which it remains an active participant;
  • If a site has restricted access, a firm should submit all content related to the discussion to adequately provide context to facilitate the review; and
  • A submitting firm should take formatting factors into consideration to enable the FDA to view the communications as a whole.

When finalized, the guidance will not create or confer any rights, and will not operate to bind the FDA or the public. Rather, the guidance should be viewed as recommendations, unless specific regulatory or statutory requirements are cited.

Specific industry guidance concerning social media is not a novel idea. In fact, the financial industry issued its own guidance late last year. When examining your business’s social media participation, it is imperative that you familiarize yourself with any applicable industry-specific guidance.

The U.S. Equal Employment Opportunity Commission (EEOC) has just announced that it will hold a meeting on March 12, 2014 to discuss the use of social media in the workplace and its impact on the enforcement of equal employment opportunity laws. According to the EEOC’s announcement, the participants will address a range of issues, including recruitment and hiring, harassment, records retention, and discovery.

The EEOC’s announcement, the opinions of the NLRB’s Acting General Counsel, state laws prohibiting employers from requesting social media account access, and numerous pieces of industry-specific guidance all highlight the need for employers to examine their own social media practices and the impact social media may have on their business.

Our Special Report, Social Media in the Workplace, has examined each of the issues the EEOC plans to discuss and considered many of the opinions, laws, and guidance that have been issued with regard to social media.