North Dakota has amended its data breach notification law to include "medical information" and "health insurance information." See N.D. Century Code, Section 51-30-01. Amendments to the law also provide an exemption for HIPAA-covered entities, business associates, or subcontractors so long as they are in compliance with the breach notification requirements under title 45, Code of Federal Regulations, part 164, subpart D. The new law takes effect August 1, 2013.

Other states that include health information as part of their data breach notification statutes include California, Texas and Missouri. 

At the same time, North Dakota added "unauthorized use of . . . an individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual" to the list of prohibited acts under its identity theft statute, N.D. Century Code, Section 12.1-23-11.

The Washington, D.C. and Chicago offices of the U.S. Equal Opportunity Commission ("EEOC") filed a lawsuit against the Davis Typewriter Company on August 27, 2012, alleging that the company failed to take appropriate corrective action to prevent sexual harassment by a supervisor who used office surveillance cameras to zoom in on an employee’s breasts and other parts of her body. The complaint in EEOC v. Davis Typewriter Company, No. 13-cv-02345 (D. Minn.), alleges that Stacey Alm, the company’s operations manager and supervisor of the charging party, Tracey Kelley, manipulated the security camera system to conduct ongoing, surreptitious video surveillance of Kelley, focusing the camera on her face, body and chest, which created a sexually hostile work environment. The complaint further alleges that Kelley complained of the conduct to the company’s president and manager, but the company failed to take prompt and appropriate measures to stop the harassment. Kelley eventually resigned and filed a charge with the EEOC. After settlement and conciliation talks failed, the agency filed suit.

Video surveillance of employees is not per se illegal in Minnesota. The general rule, as in most states, is that an employer may photograph employees in plain view, at their workstations, and during working hours for a legitimate purpose such as time and motion studies, or as part of an investigation. Like other facets of workplace privacy, however, the law on the use of video surveillance varies widely from state to state based on local legislation. CA, CT, WV, RI and MI, for example, have laws prohibiting video cameras in bathrooms or locker rooms. Other states require employers to provide notice before monitoring employees. Employers should consider the use of video or any other type of monitoring carefully, and put in place safeguards to avoid abuse by rogue employees. The takeaway from the Davis lawsuit is that misuse of video surveillance can potentially lead to expensive sexual harassment claims, as well as privacy concerns. While old technology like typewriters may be going away, new technology can often lead to problems, and liability.

 

Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach."

We reported on the proposed rule in June. CMS is taking this step "to ensure compliance with an initiative of the Administration…[and] because public harm is reasonably likely to result if the normal clearance procedures are followed." There has been a considerable amount of pressure on the Obama Administration relating to the significant privacy and data security concerns inherent in the massive collection of personal information soon to take place with the implementation of the Exchanges.

CMS is requesting that OMB review and approve its emergency request by September 25, 2013, and that any public comments be received by September 20, 2013. So, if you have concerns about the process (whether they pertain to privacy and data security generally, or to the practicalities of reporting within one hour), you will need to voice those concerns quickly.

We have prepared a 60-minute webinar* to provide plans, health care providers and business associates with a high-level compliance roadmap concerning the Omnibus Privacy Rule under HIPAA, which for the most part becomes effective next month. We hope this presentation is helpful for your organization.

On January 25, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services issued long-awaited final privacy and security regulations (“Omnibus Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) to implement the changes made in 2009 by the Health Information for Economic and Clinical Health Act (“HITECH Act”). The Omnibus Rule became effective March 26, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013.

This webinar provides a high-level overview of the key requirements facing health plans, health care providers and business associates. Following a brief refresher on HIPAA, the webinar covers key compliance topics such as the new data breach notification standard, required changes to the Notice of Privacy Practices, and updating business associate agreements.

 

* Of course, as with all of the materials and information provided on this blog, this webinar is for informational purposes only and not for the purpose of providing legal advice. For advice about a particular problem or situation, please contact an attorney of your choice. Use of and access to this blog does not create an attorney-client relationship between Jackson Lewis and the recipient, reader, or user. This email may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

It seems more companies are considering whether to purchase or enhance their cyber or data breach insurance coverage. In recent years, these offerings have expanded, giving businesses more choice, and perhaps so has the need for such coverage, given the explosion in access to and transmission of confidential data. What is interesting about this development is the different approaches companies seem to take when evaluating this type of coverage.

Networkworld reports today on a Ponemon Institute study finding that, among the companies surveyed, "chief information officer[s] and chief information security officer[s] have ‘very little influence’ in deciding whether to buy cyber security insurance." According to the report, the survey also shows that

companies rarely do a formal risk assessment by in-house staff to figure out how much insurance coverage should be purchased. Instead, they rely on the insurer to do that or take a very informal approach. Only 32% of the respondents said the IT security department had a very significant level of involvement; 35% cited “some involvement;” and 33% said there was absolutely “no involvement” for IT security staff.

It is not surprising that chief information officers do not hold the purse strings in most organizations when it comes to decisions about buying insurance. However, risk assessments are critical. Doing a proper risk assessment, one that takes into account all aspects of an organization that could pose information risks (of course including IT), seems fundamental to understanding what risks exist and what role insurance can play in addressing those risks. Additionally, in some cases risk assessments are required, e.g., by the HIPAA security regulations and the Massachusetts data security regulations.

According to the results of a study announced today by the Pew Research Center, there has been a significant increase since 2005 in the percentage of adults who are online that participate in social networking. Notably, Pew says that 72% of online adults use social networking sites – and the growth is not just in younger adults. Pew reports that

those ages 65 and older have roughly tripled their presence on social networking sites in the last four years—from 13% in the spring of 2009 to 43% now.

Besides being a telling statement about the rapid, technology-fueled transformation of our society, this should also serve as a reminder to employers that an increasing percentage of their workers regularly engage in social media activity that in all likelihood serves both personal and business purposes. For many employers, existing policies and procedures have not caught up with technology and societal trends such as those indicated in the Pew report. When employers set out to tackle social networking, they often are surprised by some of the law changes and other developments of the past few years. Here are some examples:

  • Do our discrimination policies need to cover on-line activity?
    • If not, they probably should be revised accordingly.
  • We want our employees to promote our products and services online, do we need to guide them about how to do so?
    • Well, yes. For example, you need to consider the FTC guidelines, which address appropriate online endorsements. If you are in the finance industry, you may have FINRA and SEC obligations.
  • Of course, we do not want employees posting disparaging comments about the company all over Facebook, LinkedIn and Twitter. We could prohibit that, right?
    • No, not really. Doing so could put you in legal hot water with the National Labor Relations Board – whether you have union employees or not.
  • Some of our managers like to review applicants’ public social media profiles. Are there risks there?
    • There can be. If the profile includes information about the manifestation of disease in the family members of the applicant (including an applicant’s spouse), for example, digging deeper into that information could expose the company to a discrimination claim under the Genetic Information Nondiscrimination Act.
  • Seeing this increase in adult participation in social networking, we want to screen more applicants’ social media accounts before making offers of employment, so we have included a place on our job application for the individuals to put usernames and passwords to all social networking accounts. Is this a good risk avoidance strategy? 
    • Probably not. Many states have passed or are considering new laws that prohibit employers from asking employees or applicants about this information.
  • Can we at least prohibit employees engaged in social networking from disclosing all confidential information of the company?
    • Not if the prohibition is stated that broadly. You must narrow the scope of that information to the kind of information whose protection would not infringe on an employee’s right to engage in "protected concerted activity" – that is, very generally, an employee’s right to commiserate with other workers about working conditions.

Regulating employee social networking activity can be a legal minefield, but given the increasing presence of employees in that medium, there is no time like the present to begin addressing this issue in the workplace.

Nevada becomes the 12th state to restrict an employer’s access to employee and prospective employee personal social media accounts. Learn more about the law; it takes effect on October 1, 2013.

The other states are Arkansas, Colorado, New Mexico, Oregon, Utah, Vermont and Washington, which adopted similar laws this year, and California, Illinois, Maryland and Michigan, which did so in 2012. Click here for more information about these laws.

According to a press release by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the managed care company WellPoint Inc. may not have adequately implemented policies and procedures for authorizing access to its online application database, or performed an appropriate technical evaluation when doing a software upgrade to its information systems. Additionally, OCR alleged that WellPoint did not have appropriate technical safeguards in place to verify the identity of the person or entity seeking access to electronic protected health information (PHI) maintained in its application database, leaving the PHI of over 600,000 individuals accessible via the database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

To settle these allegations, WellPoint agreed to pay HHS $1.7 million.

OCR cautions:

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Because software upgrades often involve the assistance of outside third parties (business associates), covered entities may want, in addition to having compliant business associate agreements in place, to be more specific in the scope of work described in their services agreements about the privacy and security safeguards that will apply during such conversions or upgrades. OCR notes that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates.

In a case reflecting the challenges faced by institutions of higher education in trying to prevent violence on campus, a judge in the U.S. District Court for the Eastern District of Pennsylvania declined to dismiss claims against Widener University by a former student under the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) for accessing the student’s Facebook account without permission. Rodriguez v. Widener University, No. 13-1336 (E.D. Pa. June 17, 2013).

According to the court, friction between Rodriguez, a Navy veteran enrolled in a pre-med program, and the University apparently began when Rodriguez had a disagreement with his faculty adviser about creationism. Rodriguez was subsequently summoned to the Dean’s office, where he was confronted with printed images from his Facebook account and an email that he had allegedly sent to 48 widener.edu addresses in which he said that he had recently been detained in a psychiatric ward in North Carolina and further stated:

"I am moving and operating in a cold-fury….I have been harassed about there being a God, and I can’t make anyone agree with me, but I promise you that my belief is the only thing keeping me from doing a significant amount of damage to a small town in NC; property, police and public citizens, all of which treated me lower than dirt…"

On his Facebook page, where he referred to himself as "Broseidon Steele," he had allegedly written, "I am Superman; and there’s no such thing as Kryptonite… Finally after years of patiently waiting, I will show you how to weapon eyes [sic]" and posted photographs of firearms. The University suspended Rodriguez in part due to the images of firearms and sent him for an involuntary mental health evaluation. He was also searched and allegedly found to possess a knife and some marijuana. According to the Court’s decision, after being committed involuntarily for seven days, during which time he missed an award ceremony and medical school admissions interview, Rodriguez was cleared to return to school.

Rodriguez sued the University under various legal theories, including deprivation of his constitutional rights under 42 U.S.C. Sections 1983 and 1985, violation of the ECPA, violation of the SCA, violation of the Rehabilitation Act, and a state law claim of invasion of privacy. The Court dismissed most of his claims, but allowed Rodriguez to proceed on the ECPA and SCA counts to the extent they were based on the allegation that the defendants improperly accessed his Facebook images, which were not generally available to the public. Rodriguez also claimed the University had improperly accessed his email account, but since the email was sent to one of the individually named defendants, the Court held that there was no improper access. Rodriguez also alleged that the University obtained information from his medical providers without authorization, but the Court did not address that part of his claim in its decision. It was not clear from the record how the defendants obtained access to Rodriguez’s private Facebook account, but the decision suggests a greater willingness by the courts to apply the provisions of the ECPA and SCA in situations where institutions or employers gather electronic information without authorization.