Ask the average person what they know about Bitcoin and they might be able to tell you that it is a digital currency. Most have probably heard the name mentioned in articles about its giant fluctuations in value or in connection with black market internet transactions. Beyond that, how Bitcoin actually operates remains relatively unknown to the general public. Public opinion of Bitcoin varies wildly and headlines range from “Bitcoin is Flawed, But It Will Still Take Over the World” to “Welcome to 21st-century Ponzi scheme: Bitcoin.”

Recent problems with one of the largest Bitcoin exchanges provide some validation for people’s hesitancy to jump into the world of digital currencies. But it is important to remember that Bitcoin and other so-called “crypto currencies” are a new technology and their prevalence is growing – rapidly. In its 2013 Annual Report to Congress, the Taxpayer Advocate Service, an independent organization within the IRS, noted:

In the four months between July and December 2013, Bitcoin usage has increased by over 75 percent – from about 1,700 transactions per hour to over 3,000. Over the same period, the market value of bitcoins in circulation increased more than ten-fold from about $1.1 billion to $12.6 billion.

The allure of lower transaction costs and publicity has also allowed Bitcoin to gain a footing in the business world. Expensify, an online expense reporting company, even allows its client businesses to reimburse their employees with bitcoins.

While this post is not intended as an in-depth discussion of how Bitcoin or any other crypto currency works, a basic understanding is needed to know why it could be important to your organization and employees.

Bitcoins may be exchanged over the internet, but they are not digital credits to some online account. Commentators usually analogize bitcoins to cash or gold, meaning there is an aspect of possession. Bitcoins are held in “wallets” and there are three general types: desktop, mobile, and web-based. Different wallet applications have different features. Some wallets will only store the bitcoin on the device, whereas others may have web-based backup. To put it more simply, if you have not taken precautions and lose your Bitcoin wallet, you lose your bitcoins. A quick internet search will turn up a number of sad stories about people who tossed out old computers holding wallets now worth millions.

As the prevalence of digital currencies increases, so does the chance that an employee may be storing bitcoins on his or her mobile device. That same mobile device might also contain an employer’s sensitive data. So what should an employer do if an employee calls to say, “I lost my phone, and by the way, my Bitcoin wallet has $1,700 in it?”

A common practice by employers to protect confidential information when an employee loses a company mobile device is the “remote wipe.” A remote wipe is typically executed by a system administrator by sending an email to the employee’s account. In some cases, a remote wipe will simply terminate access to company email and other applications. More commonplace, however, is that the system administrator is hitting the reset button, erasing all data from the phone and returning the device to the original factory settings as if it were just pulled out of the box. Unless an employee is running a wallet application with backup protocols or has taken other prudent security measures, an employer may be deleting its employee’s bitcoins in an effort to prevent unauthorized access to confidential company data.

Bitcoin is illustrative of the problems that employee property on either company or bring-your-own-device phones might create because there is an ascertainable value. But family photos, personal notes, and downloaded media also have value to employees. Rather than taking a wait-and-see approach to how the law may develop relating to issues surrounding the deletion of employee property stored on their phone, employers should be proactive and take the time to review their mobile device policies. Although employees may have notice that a remote wipe is possible, they should also be advised that it is their responsibility to back up and protect their personal property, including their “wallets.”

Healthcare providers and their business associates frequently face difficult questions relating to when they are able to share protected health information with the family members and friends of the patients they serve. These questions often require consideration of a number of different laws and rules, such as HIPAA, Federal alcohol and drug abuse confidentiality regulations, state mental health laws, ethical obligations and so on. In what is sure to be welcomed guidance, the U.S. Department of Health and Human Services (HHS) has released new FAQs explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others.

The guidance reminds covered entities and business associates of, among other things, the heightened protections for psychotherapy notes, a parent’s right to access the protected health information of a minor child, the application of state laws that provide more stringent protections than HIPAA, and the intersection of HIPAA and FERPA in a school setting. However, many of the FAQs also address some specific issues and scenarios that will be helpful to providers and their business associates. For example, the FAQs address topics such as:

  • Communicating with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicating with the parent of a patient who is a minor;
  • Assessing the patient’s capacity to agree or object to the sharing of their information; and
  • Determining whether to tell family members, friends, or others that a patient has stopped taking prescribed medications or other therapies.

There are, for sure, clear limits on a provider’s ability to share mental health information in the circumstances described in this guidance; however, there is also considerable discretion extended to providers. For instance, when it is suspected that a patient does not have the capacity to agree or object to the sharing of personal health information, in addition to determining whether the patient in fact has lost capacity, providers have significant concerns about whether and under what circumstances they may share the patient’s mental health information in such a state. According to the FAQs, a patient has lost capacity when he or she is unconscious, and loss of capacity may also include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. In those cases and others where capacity is lost, the provider is allowed to discuss the patient’s condition or treatment with a family member if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of his or her information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.

Providers and business associates that provide mental health services or otherwise handle mental health records should review this guidance and the other applicable federal and state laws that affect their handling of this information, and make any appropriate changes in their policies and procedures. Discussing this guidance with workforce members is a good opportunity to provide another reminder about the need for privacy and security of protected health information.

Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration, intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, as reported by Information Security Media Group, is quoted as saying:

We are sending a message that we are here to enforce… There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.

The incident apparently did not involve hi-tech hacking, theft of data or even the more popular lost laptop. It is reported to have resulted from a mailing error by Triple S Salud, a local insurer and division of Triple-S Management Corp., to approximately 13,000 individuals that displayed the individuals’ Medicare health insurance claim number. Note that many believe that information is not PHI unless it includes sensitive medical information about an individual, such as the individual’s diagnosis. That is simply not the case.

Of course, the covered entity can appeal the penalty. However, the federal Office for Civil Rights also can decide to take enforcement action, although that agency has not decided what, if any, action it will take. We know that OCR has tried to send a message similar to the Puerto Rico enforcement authority concerning enforcement regardless of the size of the covered entity. It remains to be seen how vigorous enforcement will be given the lack of resources at these agencies; however, these enforcement actions certainly should spur covered entities and business associates to review their level of compliance.

A study (registration required) by two data security firms, Norse in Silicon Valley and SANS, discussed in a recent L.A. Times article, confirms the concerns raised by the FDA and others about increased use of internet-connected medical devices by healthcare providers and the corresponding increase in the information systems of those providers being attacked, and in some cases “infiltrated without their knowledge.” Raising significant HIPAA and data privacy and security exposures, the study finds that between September 2012 and October 2013, 375 healthcare providers have been attacked – that is, those that have discovered and reported the attack. According to the article, the attackers are able to get into systems such as “radiology imaging software, conferencing systems, printers, firewalls, Web cameras, and mail servers.”

Just as we are seeing rapid development in smartphone, tablet and similar computing technologies, there are similar advancements in medical device technologies, influenced by “Big Data” and the significant benefits that can be derived from the information obtained from connected devices. Clearly, healthcare practices, which include their practitioners, IT professionals and compliance officers, need to be more aware of the security risks relating to the latest devices used in the practice, and address those risks before installing the new devices for use in patient care. Locking the file cabinet drawers just does not cut it any longer.

If the intersection of social networking and workplace privacy laws piques your attention, you may find an article written by my colleague Michael Frankel particularly interesting. He writes about a recent case, Pecile v. Titan Capital Group, LLC out of New York, where the court refused to grant the defendants’ request for access to the plaintiffs’ social network accounts. The court held that the fact that information contained in the plaintiffs’ social network accounts could contradict the plaintiffs’ claims of emotional distress was not a sufficient reason to compel production of that information.

The issue of the discoverability of an employee’s social networking activities in litigation provides an opportunity to remind companies that several states have laws that restrict an employer’s ability to access employee and prospective employee social media accounts, or even request permission to access. The following states currently have such laws in effect: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, and Washington, while a Vermont law commissioned a study to look at the issue. Click here for more information about these laws.

This legislation portends a potential increase in litigation against employers in these states that have not taken appropriate steps to bring outdated hiring and monitoring practices into compliance with these laws. Even if upper-level management has taken, or is taking, steps to correct past practices which may now be prohibited, it is also important to ensure that lower-level managers and supervisors are informed of these developments as they frequently have more day-to-day contact with the employees and prospective employees whom these laws are designed to protect.

These privacy-in-employment issues are also discussed in our Special Report – Social Media in the Workplace.

Written by Jeffrey M. Schlossberg

When does a medical clinic’s employee’s unauthorized texting of patient confidential health information result in liability to the clinic? The answer: it depends.

In Doe v. Guthrie Clinic, Ltd., the Second Circuit Court of Appeals dismissed a patient’s claim against a medical corporation for alleged breach of fiduciary duty based on a non-physician employee’s unauthorized disclosure of confidential medical information. It did so because the New York State Court of Appeals answered the following certified question in the negative: “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment.”

In Doe, John Doe was treated at a clinic for a sexually transmitted disease (“STD”). A nurse, who knew Doe’s girlfriend, texted the girlfriend to let her know of Doe’s STD. Her texts were unrelated in any way to Doe’s treatment. After Doe learned of the texts, he complained to the clinic. The nurse was fired. The clinic acknowledged that Doe’s confidential information had been improperly accessed and disclosed and that appropriate disciplinary action had been taken. Doe then commenced a federal diversity action.

In analyzing the certified question presented, the State’s highest court declined to hold the clinic responsible under a claim of breach of fiduciary duty. Generally, a medical corporation might be vicariously liable for the wrongful acts of its employees, but under the doctrine of respondeat superior, liability extends only if those acts were committed in furtherance of the employer’s business. In Doe, the nurse’s conduct was not within the scope of her employment.

However, health care employers must still take caution. Despite the ruling in the case, the court did state that a medical corporation “may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures.” A health care practice that complies with the privacy and security regulations under HIPAA and applicable state law will be in a good position to avoid this kind of liability. Of course, inadequate policies addressing the protection of confidential patient information could expose the practice to damages in these kinds of suits, as well as penalties under HIPAA.

A New Jersey Appellate Court recently ruled that an employee who removes or copies her employer’s documents for use in her whistleblower or discrimination case may be prosecuted criminally for stealing. In State v. Saavedra, the employee had taken highly confidential original documents owned by her employer, contending that she did so to support her employment discrimination suit and therefore she should be free from prosecution. As we have detailed, both the trial court and the Appellate Court agreed that the employee’s taking of documents could sustain an indictment.

Saavedra argued on appeal that the trial judge had erred because a 2010 New Jersey Supreme Court case had established an absolute right for employees with employment discrimination lawsuits to take potentially incriminating documents from their employers. The Appellate Division disagreed and found the Supreme Court case did not establish such a bright-line rule; instead, it said, the Supreme Court delivered a seven-part “totality-of-the-circumstances” test to determine whether a private employer can terminate its employee for the unauthorized taking of its documents. The Court went on to hold that the State had put forth enough evidence before the grand jury to establish a prima facie case.

An employee’s taking company documents prior to or at the time of termination is a scenario that may be familiar to many employers. While the taking of documents may often be discovered in connection with whistleblower or discrimination claims, many employers also discover that documents and/or confidential information have been taken in connection with non-compete or unfair competition matters. The Court’s decision could have serious implications any time an employee takes documents and illustrates that employers are not without recourse.

If you are a public sector employer, you may be particularly interested in an article written by my fellow shareholder and practice group member, Marlo Johnson Roebuck. She writes about a recent case, Graziosi v. City of Greenville, involving a police department’s decision to terminate a police officer for statements she made on Facebook.

As Marlo notes in her article, these situations can arise in all kinds of workplaces, no matter the city, state or country, and whether in the public or private sector. Here, Graziosi involved First Amendment concerns because the police department is a public sector employer. But there could be a range of other issues that flow from employee activity in social media. These include inappropriate endorsements of company products and services by employees, complying with industry-specific regulatory guidance such as in the finance industry, disclosures of trade secrets, allegations of infringement on protected concerted activity rights under the National Labor Relations Act (NLRA), discrimination under the Americans with Disabilities Act (ADA) or the Genetic Information Nondiscrimination Act (GINA), and so on. Many of these issues and others are discussed in our Special Report – Social Media in the Workplace.

A well-crafted social media policy is a critical starting point. However, businesses need to also consider their game plan when, inevitably, the company learns about activity by one or more of their employees in social media that creates business, legal and other risks. Every situation is different and there will be twists and turns that have to be addressed at the time. However, thinking through certain strategies and approaches ahead of time can help the business to avoid some potentially risky missteps. For example, businesses should (i) consider having a process for determining whether to investigate, (ii) think about who ought to be involved in or coordinate the investigation, (iii) determine whether a third-party monitoring company should be engaged, and possibly develop a relationship with one ahead of time so that it will be ready to quickly step in as needed, (iv) examine whether current policies and laws limit the company’s ability to investigate and the scope of that investigation, (v) identify who should be responsible to manage client and business partner relationships that also might be affected by such an incident, and (vi) set out a plan for how to handle the information obtained in the investigation and what disciplinary steps, if any, should be taken. By no means exhaustive, thinking through a list like this certainly would help to prepare a company should it need to quickly address a flare-up in social media that could have harsh consequences for the organization.

In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.” While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2014.

  1. Location Based Tracking. As the utilization of GPS-enabled devices becomes more and more prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts. This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to their location which the employer questions for one reason or another. The case law in this area is evolving rapidly, and both the public and private sector can expect to face this issue in the near future.
  2. Bans On Requesting Social Media Passwords. As we have previously discussed, numerous states have passed legislation prohibiting employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. 16 states introduced measures in 2013 and it is expected that many of these measures will be passed in 2014.
  3. Disaster Recovery Plans. Protecting information and technology assets from natural disasters and other emergencies is often an afterthought. This is especially relevant given the numerous weather difficulties faced by businesses through 2013, from floods to fires, to subzero temperatures. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
  4. BYOD. More and more businesses are realizing the risks of allowing employees to utilize their own electronic devices in the workplace and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks. Businesses considering BYOD should review our comprehensive BYOD issues outline.
  5. User Generated Health Data. The transformation of health information into electronic format has been well documented and will continue into the future. However, one of the newest concerns for 2014 is health data which an individual voluntarily provides to track or chart their own health or fitness. Devices such as Nike Fuelband, Fitbits, or similar devices or applications are allowing individuals to enter more and more health information about themselves electronically. However, the privacy or security of this information is largely up for debate.
  6. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be considered by any organization which maintains personal information.
  7. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk. It is logically impossible to adequately safeguard something you are not aware exists. In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees.
  9. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors will not only aid in defending any potential breach of privacy claim that may be asserted against the company, but also may prevent a potential breach from occurring.
  10. HHS/OCR Investigations. The Office of Civil Rights has recently stepped up its efforts to enforce the HIPAA Security Rule. As we previously discussed, these enforcement activities are likely to increase in 2014 following a recent report from the Office of the Inspector General which concluded the OCR did not meet its federal requirements for oversight and enforcement.
  11. Develop a Plan for Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Failing to respond appropriately could result in significant liability. This is true even when the number of individuals affected is relatively small. Developing a breach response plan is not only prudent but also may be required under federal or state law.
  12. Investigating Social Media. Social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation. In fact, failure to preserve relevant information in social media may have dire consequences. Further, while public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow.
  13. New Technologies. As anyone who has purchased a phone or television in the last year has seen, technology is evolving extremely rapidly and a product which may be the “latest and greatest” today is often outdated 6 months down the road. Staying familiar with these types of technologies and their capabilities will only allow businesses to better address any potential issues or concerns which may be implicated, including how those technologies address information risk.
  14. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet been passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

As one nursing facility in New York has learned, asking employees or applicants about their family medical history can violate the Genetic Information Nondiscrimination Act (“GINA”) and draw the ire of the U.S. Equal Employment Opportunity Commission (EEOC). Founders Pavilion, Inc., a former Corning, N.Y. nursing and rehabilitation center, will pay $370,000 to settle discrimination claims, the agency reported.

To help avoid these kinds of claims, check out our GINA FAQs. As discussed in those FAQs, under the GINA regulations, employers can take steps to protect themselves from liability such as by using a GINA “Safe Harbor Notice” – a statement directing the doctor not to ask for and/or disclose “genetic information” (i.e., family medical history).

According to the EEOC, the nursing facility requested family medical history as part of its post-offer, pre-employment medical exams of applicants. Subject to limited exceptions, GINA prevents employers from requesting genetic information or making employment decisions based on genetic information.

Many businesses conduct such exams. But what many of these businesses do not realize is that regulations issued by the EEOC to enforce GINA prohibit employers from requesting information about family medical history. This prohibition includes questions for which it is reasonably likely to acquire such information. It also applies to virtually all inquiries employers make of employees and applicants such as, fitness for duty evaluations, examinations or inquiries in response to ADA reasonable accommodation requests, FMLA medical certifications, return to work exams, periodic annual medical exams, and even some purportedly “voluntary” wellness-related exams (unless the situation fits within a narrow GINA exception).

From the EEOC’s perspective, it may not matter whether the request is made, or the information received, by the employer or the employer’s agent, and the prohibition applies even if the request is not made directly to the employee or applicant. For example, EEOC regulations prohibit employers from searching employees’ or applicants’ social media sites for genetic information, although inadvertent acquisition does not violate the law.

Genetic discrimination is one of the six national priorities identified by the EEOC’s Strategic Enforcement Plan (SEP) and, therefore, an area employers should address as soon as possible through policy and training. However, employers should remember that GINA’s protections are not limited to prohibiting certain inquiries or acquisitions concerning genetic information. Genetic information can be, and frequently is, acquired by employers. In that case, that information is subject to the same confidentiality requirements as under the ADA. In addition, GINA has specific rules about when genetic information can be disclosed. So, employers need to be concerned not only about genetic information coming in, but also about how it can be used and whether it should be sent out.