Since we last published our social media white paper in 2010, a lot has happened!

Three opinions from the National Labor Relations Board’s Acting General Counsel, the passage of state laws prohibiting employers from requesting social media account passwords, and industry specific guidance affecting certain businesses and professions are examples of some of these developments.

We hope our updated Special Report, which covers many of these key developments, is helpful to your organization.

Since it was enacted in 2008, plaintiffs suing under the Genetic Information Nondiscrimination Act ("GINA"), 42 U.S.C. Section 2000ff et seq., have not had much success. Most cases have been dismissed at an early stage.  As reported on our Disability, Leave and Health Management Blog, however, this summer the U.S. Equal Employment Opportunity Commission ("EEOC") burst on the scene with its first two lawsuits under GINA.  These two cases provide a simple but important lesson for employers: Always use the safe harbor language when requesting medical information from a health care provider, especially when arranging for a post-offer pre-employment physical examination of a new hire.

In EEOC v. Fabricut, Inc., No. 13-CV-248 (CVE/PJC), (N. D. Ok. 2013), the EEOC settled a lawsuit brought under both GINA and the Americans with Disabilities Act (ADA) for $50,000 and a consent decree. In that case, Fabricut made a job offer to a candidate and sent her to a clinic for a pre-employment physical examination. When she reported for her physical she was asked to fill out a medical history questionnaire which included standard questions about her family medical history. She was determined to have carpal tunnel syndrome, which has nothing to do with her genetic or family history, and was not hired. The EEOC took the position that GINA prohibited the employer from asking about the candidate’s family medical history, even through its contracted third-party clinic.

In EEOC v. The Founders Pavilion, Inc., No. 6:13-CV-06250 (W.D.N.Y. 2013), the EEOC filed its first class action against an employer under GINA for similar alleged violations, namely requiring post-offer, pre-employment medical examinations at which the person was asked to provide family medical history as part of the exam.

It may make sense as a matter of medical science for doctors to obtain family medical history information, especially for treatment.  In pre-employment physicals, however, science clashes with the law. Human Resources must be vigilant about instructing medical providers to comply with GINA, because the medical providers will not do so on their own.

The easy solution to this technical compliance matter is provided in proposed "safe harbor" language set forth at 29 C.F.R. Section 1635.8(b)(1)(i)(B) as follows:

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. “Genetic information,” as defined by GINA, includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services.

Human Resources professionals scheduling medical examinations for new hires should keep in mind: Don’t forget the safe harbor language or you may get a visit from the EEOC.


The Driver’s Privacy Protection Act ("DPPA"), 18 U.S.C. Section 2721, et seq., was enacted by Congress in 1994 after the highly publicized murder of actress Rebecca Schaeffer by a stalker who obtained her unlisted address from the California Department of Motor Vehicles ("DMV"). The Act restricts state DMVs from disclosing personal information contained in motor vehicle records except for specific governmental and business purposes. In addition, the statute provides that it is "unlawful for any person knowingly to obtain or disclose personal information from a motor vehicle record" for any use not permitted under 18 U.S.C. Section 2722(a).

In January of this year, the Minnesota Department of Natural Resources ("DNR") sent a letter to more than 5,000 individuals stating that it had discovered that one of its former employees, John Hunt, had improperly accessed their motor vehicle record data approximately nineteen thousand times. Hunt is no longer employed by the Minnesota DNR.

Attorneys for some of the recipients of the breach notification letter filed a total of five class action lawsuits under the DPPA, which were consolidated in the U.S. District Court for the District of Minnesota under the caption Kiminski, et al. v. Hunt, et al., No. 13-185. Plaintiffs named a number of supervisors and commissioners of the DNR and the Minnesota Department of Public Safety as defendants in their personal capacities, along with Hunt. In addition to claims under the DPPA, plaintiffs asserted claims under 42 U.S.C. Section 1983, a catch-all cause of action allowing claims against state actors for denying someone their rights under a law or the Constitution.

On September 20, 2013, District Judge Joan N. Ericksen issued an order granting a motion to dismiss all of the state-affiliated employees, leaving only Hunt himself as a defendant. Judge Ericksen held that plaintiffs had not stated a cause of action as to the dismissed defendants because none of them obtained or disclosed information for improper purposes, even though Hunt allegedly did so under their watch. The court dismissed the Section 1983 claim because the judge interpreted the DPPA as including an express private means of redress that precludes a more expansive remedy under Section 1983.

Minnesota has been the land of 10,000 privacy leaks lately, as the State grapples with negative publicity from the disclosure that an employee of the state’s new on-line health insurance exchange, MNsure, accidentally distributed confidential information, including Social Security numbers, of insurance agents who had participated in training on the system. State officials are concerned that the leak will erode the public’s confidence in the system which is scheduled to go live in October. Minnesota’s Legislative Auditor is currently investigating MNsure’s data security practices. 

As the September 23, 2013 compliance date for the final Omnibus HIPAA privacy and security rule looms, the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology have lent a helping hand to covered entities by publishing model Notices of Privacy Practices (NPP) for health care providers and health plans. The Omnibus Rule implements a number of changes required under HITECH (see webinar outlining those changes), including "material" changes to NPPs.

The model NPPs reflect these changes and are designed to help covered entities meet their obligation to develop and distribute clear, user-friendly notices. The agencies also provided optional formats for the NPPs:

  • Notice in the form of a booklet;
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
  • A notice with the design elements found in the booklet, but formatted for full page presentation; and
  • A text only version of the notice.

Note to covered entities: The agencies state that the model NPPs reflect the regulatory changes of the Omnibus Rule, and can serve as a baseline for compliance. Covered entities will still have to tailor the notices to their particular circumstances and insert information specific to their organizations. In addition, covered entities should review the rules for how and when notices need to be provided. See 45 CFR 164.520. For example, NPPs generally can be provided by email if the recipient has consented. Also, if a covered entity maintains a website about its customer services or benefits, it must prominently post the NPP on that site.

California law soon may require commercial websites that collect personal data to disclose how they respond to “Do Not Track” signals from Web browsers. AB 370, an amendment to the California Online Privacy Protection Act (Act), which was sponsored by Attorney General Kamala Harris, passed the California Senate and Assembly at the end of August. Governor Jerry Brown is expected to sign the amendment soon.

The bill does not prohibit tracking but instead requires a website operator to disclose its tracking practices in the privacy policy posted on the website. Under the Act, if a website fails to clearly set forth its disclosure practice in its privacy policy, it will be given a warning and 30 days to come into compliance.

If the bill is signed into law, many businesses will need to update the privacy policies for the websites they operate to address their tracking policies. Specifically, although the bill does not set a standard for how a website must respond to Do Not Track browser signals, it would require websites to elect whether to honor or ignore those Do Not Track browser signals. Of course, this also would be a good opportunity to revisit website policies to ensure they accurately reflect company operations concerning the handling of personal information captured from the site.

North Dakota has amended its data breach notification law to include "medical information" and "health insurance information." See N.D. Century Code, Section 51-30-01. Amendments to the law also provide an exemption for HIPAA covered entities, business associates, or subcontractors so long as they are in compliance with breach notification requirements under title 45, Code of Federal Regulations, subpart D, part 164. The new law takes effect August 1, 2013.

Other states that include health information as part of their data breach notification statutes include California, Texas and Missouri. 

At the same time, North Dakota added "unauthorized use of . . . an individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual" to the list of prohibited acts under its identity theft statute, N.D. Century Code. 12.1-23-11.

The Washington, D.C. and Chicago offices of the U.S. Equal Employment Opportunity Commission ("EEOC") filed a lawsuit against the Davis Typewriter Company on August 27, 2012 alleging that the company failed to take appropriate corrective action to prevent sexual harassment by a supervisor who used office surveillance cameras to zoom in on an employee’s breasts and other parts of her body. The complaint in EEOC v. Davis Typewriter Company, No. 13-cv-02345 (D. Minn.) alleges that Stacey Alm, the company’s operations manager and supervisor of the charging party, Tracey Kelley, manipulated the security camera system to conduct ongoing, surreptitious video surveillance of Kelley, focusing the camera on her face, body and chest, which created a sexually hostile work environment. The complaint further alleges that Kelley complained of the conduct to the company’s president and manager, but the company failed to take prompt and appropriate measures to stop the harassment. Kelley eventually resigned and filed a charge with the EEOC. After settlement and conciliation talks failed, the agency filed suit.

Video surveillance of employees is not per se illegal in Minnesota. The general rule, as in most states, is that an employer may photograph employees in plain view, at their workstations, and during working hours for a legitimate purpose such as time and motion studies, or as part of an investigation. Like other facets of workplace privacy, however, the law on the use of video surveillance varies widely from state to state based on local legislation. CA, CT, WV, RI and MI, for example, have laws prohibiting video cameras in bathrooms or locker rooms. Other states require employers to provide notice before monitoring employees. Employers should consider the use of video or any type of monitoring carefully, and put in place safeguards to avoid abuse by rogue employees. The takeaway from the Davis lawsuit is that misuse of video surveillance can potentially lead to expensive sexual harassment claims, as well as privacy concerns. While old technology like typewriters may be going away, new technology can often lead to problems, and liability.


Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach." 

We reported on the proposed rule in June. CMS is taking this step "to ensure compliance with an initiative of the Administration…[and] because public harm is reasonably likely to result if the normal clearance procedures are followed."  There has been a considerable amount of pressure on the Obama Administration relating to significant privacy and data security concerns inherent in the massive information grab soon to take place with the implementation of the Exchanges.

CMS is requesting that OMB review and approve its emergency request by September 25, 2013, and that any public comments be received by September 20, 2013. So, if you have concerns about the process (whether they pertain to privacy and data security generally, or the practicalities of reporting in one hour), you will need to voice those concerns quickly.

We have prepared a 60 minute webinar* to provide plans, health care providers and business associates with a high-level compliance roadmap concerning the Omnibus Privacy Rule under HIPAA that for the most part becomes effective next month.  We hope this presentation is helpful for your organization.

On January 25, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services issued long-awaited final privacy and security regulations (“Omnibus Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) to implement the changes made in 2009 by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). The Omnibus Rule became effective March 26, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013.

This webinar provides a high-level overview of the key requirements facing health plans, health care providers and business associates. Following a brief refresher on HIPAA, the webinar covers key compliance topics such as the new data breach notification standard, required changes to the Notice of Privacy Practices and updating business associate agreements. 


* Of course, as with all of the materials and information provided on this blog, this webinar is for informational purposes only and not for the purpose of providing legal advice. For advice about a particular problem or situation, please contact an attorney of your choice. Use of and access to this blog does not create an attorney-client relationship between Jackson Lewis and the recipient, reader, or user. This email may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.