Privacy and data protection rules of the European Union place a heavy compliance burden on European companies and all foreign companies handling or possessing EU data and the latest proposal under consideration by the European Parliament for a uniform rule is no exception. As reported by L&E Global, the worldwide alliance of premier boutique employment law firms of which Jackson Lewis LLP is a founding member, a proposal to amend and replace the 1995 Data Protection Directive with the most stringent data protection laws in the world, which would require reporting of any data privacy breach to national authorities, received a favorable vote from the European Parliament’s Legal Affairs Commission. However, the drive for a uniform data privacy rule has received pushback from both business and government alike. They are concerned about the scope of the proposal, which are expected to be effective in 2016. EU justice ministers meeting in Luxembourg on June 6 agreed to dilute proposal in response. According to Reuters, lawmakers have offered approximately 4,000 amendments to the proposal and agreed to a "risk-based" approach for reporting data breaches. In its present form, the proposal requires data breaches to be reported within 24 hours and notification be given to government entities as well as affected individuals. The final rule, in any form, will impact global business and worldwide company use of data. Businesses should continue to monitor developments. Additional information about the proposal can be found here.

 

Numerous companies are considering, or already transitioned to, a "bring your own device" (BYOD) model.  Under a BYOD program, employees are permitted to connect their own personal devices (iPhone, iPad, Blackberry, PDA, etc.) to the employer’s networks and systems to complete job duties either in the office or working remotely.  While a BYOD program has numerous benefits, there are also a number of issues which should be considered.

The BYOD Issues Outline below highlights key issues and policy considerations for companies considering moving to, or continuing, a BYOD program. 

*Jackson Lewis’ Bring Your Own Device (BYOD) Issues Outline*

The New York Times recently reported that hackers from China have resumed attacks on U.S. targets, despite efforts by the Obama Administration to curb these intrusions. According to the article and a report by a security company, Mandiant, hackers from China have been behind…

scores of thefts of intellectual property and government documents over the past five years…They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States. 

For some, the thought of a data breach means stolen credit card numbers and identity theft. For others, it involves trade secret information, often critical data that provides a significant competative advantage in the global marketplace. In the worst case, it involves military and other secrets that could jeopardize national security.  

Businesses need to assess and address these risks from an enterprise-wide perspective and on a continuous basis. A key source of these risks, as many experts have noted, is the explosion of smartphone utilization. So, in addition to network and perimeter e-security, a good place for many companies to start is dealing with the rapid evolution to a mobile workforce and the demand by employees to use their own devices. One approach is to adopt a comprehensive "Bring Your Own Device" (BYOD) policy. Of course, mobile devices are only one aspect of an organization’s information systems to be safeguarded, but they do create significant vulnerabilities.

In addition to limiting employers’ access to the online accounts of employees and applicants, effective July 1, 2013, Colorado becomes the ninth state to restrict an employer’s right to obtain and use credit information for making employment decisions. Colorado joins California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington.

Under Colorado’s new law, a covered employer cannot require an employee to consent to a background check containing credit information unless: (1) the employer is a bank or financial institution; (2) the report is required by law; or (3) the report is “substantially related to the employee’s current or potential job,” and the employer has a bona fide purpose for such information, and this information is disclosed in writing to the employee. Further, such information can be used only if it is “substantially related to the employee’s current or potential job.”

The statute provides that the phrase, “substantially related to the employee’s current or potential job,” means the information in the credit report is related to the position for which the subject is being evaluated, because the position is one for executive or management level personnel or officers,  or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following:

  • Setting the direction or control of a business, division, unit, or an agency of the business;
  • A fiduciary responsibility to the employer;
  • Access to customers, employees, or the employer’s personal or financial information, other than information customarily provided in a retail transaction;
  • The authority to issue payments, collect debts, or enter into contracts; or
  • Involves contracts with defense, intelligence, national security, or space agencies of the federal government.

More information about the law can be accessed here, or at the link above. 

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000, and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR’s investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.

In addition to requirements to safeguard increasingly vast amounts of patient data, healthcare providers also need to be mindful of when that data can be used and disclosed. One key challenge in that area is understanding whether state or federal law applies. The U.S. Eleventh Circuit Court of Appeals (which covers Florida, Georgia, and Alabama), held that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law, Section 400.145, that allowed for the release of medical records of deceased residents of nursing homes to specified individuals without prior authorization. Opis Management Resources, LLC et al. v. Secretary Florida Agency for Health Care Administration.

The plaintiffs, comprised of several nursing home facilities, filed suit in federal district court challenging the Florida Agency for Health Care Administration’s (“AHCA”) citations to the facilities for their refusal to disclose deceased residents’ medical records to surviving spouses, family members, and attorneys-in-fact who were not personal representatives under the relevant HIPAA provisions. The nursing homes asked a federal district court judge to declare that Florida Statute § 400.145 was preempted by HIPAA. The district (trial) court granted summary judgment in favor of the nursing facilities finding that the Florida law provided nursing home residents less protection than required under HIPAA.

On appeal, the Eleventh Circuit affirmed the district court’s grant of summary judgment concluding that Section 400.145

impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.

As the court explained, HIPAA includes a preemption clause providing that HIPAA supersedes any contrary state law provision, including any state law which “stands as an obstacle to the accomplishment and execution of [HIPAA’s] full purposes and objectives.” In other words, if a state law provides for less stringent protection than that already provided by HIPAA, it is preempted or superseded by HIPAA. HIPAA, however, does not preempt state laws providing more stringent protections.

Since 2000, the federal Department of Health and Human Services has issued extensive regulations, known as the Privacy Rule, that establish procedures by which protected health information (“PHI”) may be used or disclosed by a covered entity or business associate. Under the most recent set of regulations issued in January, HIPAA protection of PHI for deceased individuals remains in effect for a period of fifty (50) years after the individual’s death. The Privacy Rule further provides that PHI may be disclosed to a personal representative (one who under applicable state law is an executor, administrator or other individual with the authority to act on behalf of a deceased person or the individual’s estate). Additionally, a covered entity may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In such a case, PHI of the deceased can be released to the extent it is relevant to such person’s involvement in the care or payment for the care.

Section 400.145, Florida Statutes, provides in pertinent part that “[u]nless expressly prohibited by a legally competent resident, any nursing home licensed pursuant to this part shall furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a current resident, . . . or of a former resident, . . . a copy of that resident’s records which are in the possession of the facility.” The court found that although the statute lists a number of individuals to whom records could be disclosed, it “does not empower or require an individual to act on behalf of a deceased resident,” and, therefore, does not identify any of those individuals to qualify as personal representatives under HIPAA. Therefore, the statute provides a much broader class of individuals than under HIPAA to whom the deceased’s PHI may be disclosed without authorization. Additionally, the Florida statute does not contain the same limitations or restrictions as the Privacy Rule with regard to releasing PHI of a deceased individual to those involved in the individual’s care or who paid for it and only to the extent the information is relevant to the person’s involvement or payment. Accordingly, the court found HIPAA provided more stringent protections of PHI than the Florida statute and held HIPAA preempts Section 400.145.

In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information.

California Assembly Bill 1291, would require businesses who have customer personal information and have disclosed such information to provide each such customer with notice of the names and contact information of all third parties who received personal information from the business and provide a designated request address at which to receive requests from customers as provided for under the bill. Additionally, the business must make available, free of charge, access to or copies of all of the customer’s personal information that the business holds. Also, if the business has any online privacy policies, each privacy policy must also include a statement of the customer’s rights as provided in the legislation and a designated request address.

Personal information broadly includes, but is not limited to, any of the following: (1) identity information such as real name, alias, nickname, and user name; (2) address information, including but not limited to, postal address, e-mail, internet protocol address; (3) telephone number; (4) account name; (5) social security number or other government-issued identification number, such as a driver’s license number, identification card number, and passport number; (6) birthdate or age; (7) physical characteristic information such as height and weight; (8) sexual information, including but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression; (9) race or ethnicity; (10) religious affiliation or activity; (11) political affiliation or activity; (12) professional or employment-related information; (13) educational information; (14) medical information; (15) financial information; (16) commercial information; (17) location information; (18) internet or mobile activity information; (19) content including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and (20) any of the above information as it relates to the customer’s children.

Customer is defined as an individual who is a resident of California and provides personal information to a business “in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.” Customers also include individuals for whom the business obtained personal information from another business. Accordingly, the bill would cover individuals who are not traditionally thought of as customers and may also include a business’ employees.

All businesses, including employers, with operations in California or with California customers must stay abreast of these developments and, given the breadth of personal information implicated, no such business can be exempt from the requirements. In preparation for the passing of this or a similar bill, it is important to determine how customer personal information is disclosed and set forth a compliance plan to meet the pending disclosure and access requirements.

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state’s common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments.  After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal."  The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930’s.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort’s purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public – in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890’s – when no one dreamed of talk radio or confessional television – it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee’s medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.