Former New York Yankee Lou Gehrig died 71 years ago from amyotrophic lateral sclerosis, or ALS, now known as Lou Gehrig’s disease. Now some legislators in Minnesota want to make his medical records, maintained at the Mayo Clinic, public. A story in the Star Tribune raises the question of how long a patient’s personal health information remains private after the patient’s death. According to the Mayo Clinic, "only the spouse, parents, or Gehrig’s appointed representative have access to his medical records." Phyllis Kahn, a Minnesota state Representative, has proposed a state law which would not prohibit the release of medical records of someone who has been dead at least 50 years, does not have a will that blocks the records’ release, and does not have any direct descendants objecting. A similar proposed federal regulation is also under discussion. Advocates stress that access to medical records after a period of time has elapsed could assist scientific research. The slugger who described himself as the luckiest man on the face of the earth may have more to contribute to privacy regulation, and perhaps medical science. Stay tuned.

Late last week, California Governor Jerry Brown "took to Twitter, Facebook, Google+, LinkedIn and MySpace to announce that he has signed two bills that increase privacy protections for social media users in California."

As discussed, one of the bills, A.B. 1844, updates California’s Labor Code to significantly limit when employers may ask employees and job applicants for social media passwords and account information. However, the law permits employers to request that an employee divulge personal social media activity reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception applies so long as the social media is used solely for purposes of that investigation or a related proceeding.

The other bill, S.B. 1349, establishes a similar privacy policy for postsecondary education students with respect to their use of social media. While the bill prohibits public and private institutions from requiring students, prospective students and student groups to disclose user names, passwords or other information about their use of social media, it stipulates that this prohibition does not affect the institution’s right to investigate or punish student misconduct.

The new laws take effect Jan. 1, 2013.

To help businesses comply with amendments to Connecticut’s data breach notification law, which becomes effective October 1, 2012, CT Attorney General George Jepsen’s Privacy Task Force has made an email address – ag.breach@ct.gov – available to facilitate breach reporting, reports Hartford Business.com.

According to the AG’s press release, a Web page detailing the new law’s requirements will go live on the AG’s Website when the amendment goes into effect. The key change made by the amendment is that persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the Attorney General’s office within the same time frame. The email address and informational website should make the breach reporting process in Connecticut easier.

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, and OCR investigated both the breach and the entity’s broader compliance with HIPAA’s privacy and security rules, finding potential violations.

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation – the rules governing the process through which the government purchases goods and services – addressing data security.

In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA all recognize that an outgrowth of the requirements for Federal agencies to provide information security for information and information systems that support agency operations and assets, as set forth under the Federal Information Security Management Act (FISMA) of 2002, includes the information and information systems managed by contractors.

The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:

  • Protecting information on public computers or web sites;
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy;
  • Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
  • Protecting information by at least one physical or electronic barrier;
  • Sanitizing media in accordance with National Institute of Standards and Technology (NIST) guidance before external release or disposal;
  • Providing protection against computer intrusions and the unauthorized release of data, including current and regularly updated malware protection services and security-relevant software upgrades.

Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors’ information systems.

Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.

Two New Jersey defense lawyers face attorney ethics charges in connection with the way they allegedly accessed Facebook. Regardless of how these charges are resolved, the facts in the case should serve as a reminder to attorneys to become more familiar with social media, and perhaps be more specific in the direction they give to their staff.  

The New Jersey Office of Attorney Ethics (OAE) alleges that John Robertelli and Gabriel Adamo caused a paralegal to "friend" the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page that was not publicly available.  The OAE alleges that the conduct violated Rules of Professional Conduct governing communications with represented parties, along with other rules.  Both attorneys deny the charges and claim that they only directed the paralegal to do general internet research, and that they did not tell her to add the plaintiff as a “friend” to gain access to otherwise private information. 

The Facebook access came to light during deposition questioning when the plaintiff was asked very specific questions about his travel, dancing, wrestling, or activities which would tend to disprove his claims as to the seriousness of the injuries he allegedly suffered after being struck by a police cruiser while doing push-ups in a driveway.   

The attorneys are charged with violating RPC 4.2, concerning communications with represented parties; 5.3(a), (b) and (c), failure to supervise a nonlawyer assistant; 8.4(c), conduct involving dishonesty and violation of ethics rules through someone else’s actions or inducing those violations; and 8.4(d), conduct prejudicial to the administration of justice. Mr. Robertelli, the supervising partner, is also charged with breaching RPC 5.1(b) and (c), which impose ethical obligations on lawyers for the actions of attorneys they supervise.

While no New Jersey ethics opinion to date addresses “friending” individuals in connection with litigation, the bars of New York, New York City, Philadelphia, and San Diego have deemed it unethical.

These OAE charges, along with other New Jersey legal precedent, highlight the concerns and issues surrounding improper access to otherwise private social media content.

Updating an earlier post, California A.B. 1844 is on its way to Gov. Jerry Brown. If signed into law, the bill would update California’s Labor Code to significantly limit when employers may ask employees and job applicants for social media passwords and account information. However, the law would still permit employers to request that an employee divulge personal social media activity reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception would apply so long as the social media is used solely for purposes of that investigation or a related proceeding.

If A.B. 1844 becomes law, California would join Maryland and Illinois, which have enacted similar laws.

One of the consequences faced by companies that neglect workplace privacy issues is the possibility of a defamation lawsuit. Human resources departments should be careful to limit information about employees and former employees, including the reasons for a termination or leave of absence, to those with a need to know. References and requests for references should be treated carefully lest a provably false statement lead to the loss of a job and result in litigation. Carefully crafted social media policies can also help mitigate the possibility of one employee smearing another on the Internet. 

Anecdotal evidence suggests the use of email and social media is increasing the potential for defamation claims arising out of the workplace. Never before has it been so easy to have a career ruined so publicly and so quickly. High unemployment has also raised the stakes for litigation involving one’s professional reputation. Many litigants decide to sue after they are unsuccessful finding a new job and feel they have no other choice.

Here is a link to an article I wrote for Bench & Bar magazine about Workplace Defamation Claims in Minnesota. Most of the concepts are applicable in other states as well.


"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children’s personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children’s untouched credit histories and other information is real.  

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes not only the 9-digit number issued by the Social Security Administration but also "any number derived from such number," unless the number is encrypted. So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.

Here are some of the exceptions:  

  • The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provision to mean a voluntary consent);
  • The SSN is expressly required by federal, state or local law or regulation; 
  • The SSN is used for internal verification or fraud investigation;
  • The SSN is requested for a credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigative consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);
  • The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;
  • The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and
  • The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007).

The law does not provide for a private right of action; it is enforced by the Attorney General of the State and carries a civil penalty for a first offense of not more than $500 per violation ($1,000 for second offenses). However, the law appears to provide that, so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties.