Accretive Health, Inc.’s legal issues continue to evolve as new allegations by Minnesota Attorney General Lori Swanson accuse Accretive of operating without a HIPAA-required business associate agreement (BAA) and then creating a back-dated agreement in response to litigation. 

As we previously reported, Accretive, a Chicago-based health care consulting company and debt collection agency, originally caught the attention of Attorney General Swanson when it was discovered that an unencrypted lap top computer with medical information of over 23,531 Minnesota patients was stolen on or about July 25, 2011.  This led to revelations suggesting that Accretive was engaged in improper collection activities in the emergency rooms of two Minneapolis-area hospitals, Fairview Health Systems and North Memorial Hospital, and engaging in bedside collection visits.  It was then disclosed that one or more officers of Fairview had family connections with employees of Accretive.  In January, Minnesota Attorney General Lori Swanson sued Accretive Health for violation of HIPAA, the HITECH Act, the Minnesota Health Records Act and various Minnesota consumer protection and debt collection statutes. Perhaps the strangest twist occurred in May when Chicago mayor Rahm Emanuel reportedly sent a letter to Swanson asking her to back off the litigation until he could arrange a meeting with Accretive’s CEO. Swanson declined the suggestion.

Swanson now seeks to file a second amended and supplemental complaint to add new factual allegations. Specifically, Swanson alleges that at the time she requested documents in October of 2011, Accretive did not have a business associate agreement in place with North Memorial. Following the request, she claims that Accretive created one and made it look as if it had been signed on March 21, 2011. 

The Attorney General acknowledges that it is the covered entity’s obligation to have a BAA in place before making protected health information available to a vendor, such as Accretive. However, the Attorney General argues that Accretive’s actions with respect to not having the BAA supports her claims that Accretive disregarded its HIPAA obligations. It would be surprising if a sophisticated health care provider like North Memorial had not had implemented such a basic required document with a business associate like Accretive, to say nothing of the alleged "deception" as characterized by Swanson. 

This case is a good example of the growing propensity for state Attorneys General to engage in HIPAA enforcement actions as we have discussed. Regardless of how the legal saga turns out, it is also a good reminder to have compliant business associate agreements in place as required by HIPAA.

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state’s data breach notification law.

The key change – persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State’s Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut’s law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont

This change becomes effective October 1, 2012.

Effective July 1, 2012, Vermont joins California, Connecticut, Hawaii, Illinois, Maryland, Oregon, and Washington as jurisdictions that restrict an employer’s right to obtain and use credit information for making employment decisions.  Similar legislation is pending in many other jurisdictions. Click here for more information about the Vermont law. 

Recent amendments to Vermont’s Security Breach Notice Act (Act) will further complicate compliance for entities and practitioners handling data breaches, particularly those breaches affecting individuals residing in multiple states, where one of the states is Vermont. The amendments became effective May 8.

After reviewing these changes, businesses should reassess and modify, as necessary, their data incident response procedures. (Or, they should consider creating procedures to address these situations. Data security regulations in Massachusetts and HIPAA require such procedures be in place.)

For example, businesses should consider procedures and materials that facilitate quick action to comply, including draft notification letters, template scripts to respond to inquiries following a breach, and establishing relationships with computer forensic, crisis management and other firms.  Businesses that provide personally identifiable information to third party service providers (such as payroll companies, benefits brokers, accountants, and others) also should review their service contracts with those providers to ensure the businesses will be able to meet the time frames and other breach notification requirements.

What are the key changes?  (Click below for more analysis on each of these changes)

  • 45-Day Notice to Affected Individuals.
  • 14-Day Attorney General Notice.
  • WISP Exception to 14-Day Attorney General Notice.
  • Revised Definition of "Security Breach".   
  • Assistance in determining whether a security breach has occurred.

Continue Reading Vermont Strengthens Data Breach Notification Requirements

To date, State Attorneys General (State AGs) in at least four states (Connecticut, Indiana, Minnesota, Vermont) have exercised their authority to enforce the HIPAA privacy and security rules as granted by the Health Information Technology for Clinical and Economic Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009 (ARRA). Following a nationwide live training campaign, the Office of Civil Rights (OCR) is continuing its efforts to train State AGs by making training materials available online

The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded. Topics include:

  • General introduction to the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • State AG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for State AGs in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

State AG interest in pursing these cases may be growing. For example, the Connecticut Attorney General’s website instructs residents on how to file complaints concerning HIPAA. This action by OCR also may indicate it is closer to issuing the long awaited final regulations under HITECH. Health care providers, health plan sponsors and administrators and business associates should be taking steps to ensure they are ready to survive a HIPAA audit, as well as an enforcement action by a State AG. 

Today, the NLRB‘s Acting General Counsel posted a third report regarding social media issues which have been brought to the agency. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. In six of the seven cases discussed, the General Counsel’s office found some provision of the employer’s social media policy to be lawful.  In the other case, the entire policy was found to be lawful.  Look for follow up analysis from us and our Labor Partners.

Please also check out our prior reporting on social media developments

The vote by the Illinois Senate, 55-0, in favor of HB 3782 may put Illinois ahead of California and other states to follow Maryland in making it illegal for Illinois employers to ask employees or applicants for their Facebook and other social media passwords. The bill awaits signature by Governor Pat Quinn, which was overwhelmingly approved by the House in March.

HB 3782 would amend the State’s Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.

However, the law would not limit an employer’s right to: 

  • have policies to regulate employees’ use of the employer’s electronic equipment, Internet use, social networking site use, and electronic mail use; or
  • monitor the employee’s use of the employer’s electronic equipment and the employer’s electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant’s family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

A Virginia district court recently held that an employee’s clicking of the Facebook “like” button is not comparable to speech. Accordingly, the court affirmed the dismissal of First Amendment retaliation claims brought by employees of a Virginia sheriff’s office finding that the employees’ action was insufficient to merit constitutional protection.

Sheriff B.J. Roberts of the Hampton, Virginia Sheriff’s Office was up for re-election in 2009. Employees within the sheriff’s office alleged that Sheriff Roberts learned that the employees were supporting his opponent when the employees “liked” the opponent’s Facebook page. After he was re-elected, Sheriff Roberts terminated the employees allegedly due to staff reductions and performance issues.

The employees sued Sheriff Roberts alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he unlawfully fired them for actively supporting his political opponent.

The U.S. District Court for the Eastern District of Virginia rejected the employees’ claims because the employees failed to allege that they had engaged in protected expressive speech when they “liked” the opponent’s Facebook page. The court explained that without existing speech warranting First Amendment protection, the employees could not prove a violation of the right to freedom of speech occurred. The court held that “merely ‘liking’ a Facebook page is insufficient speech to merit constitutional protection. In cases where courts have found that constitutional speech protections extended to Facebook posts, actual statements existed within the record.”

While this case may be helpful in the context of public employees, private employers must still be conscious of several issues including: how they obtain social media information about their employeespotential NLRB issues if an employee’s “likes” could be considered protected concerted activity; and potential state constitutional protections of an employee’s right to privacy.

Not long after Maryland enacted a law prohibiting employers from demanding passwords to employees’ or prospective employees’ Facebook and certain other social media accounts, the California State Assembly voted 73-0 in favor of A.B. 1844. The California bill would prohibit an employer from requiring: 

an employee or prospective employee to disclose a user name or account password to access a personal social media account that is exclusively used by the employee or prospective employee.

The state’s Senate will now need to consider the measure, where a related bill, S. 1349 (named "The Social Media Privacy Act"), would also protect students from having to disclose similar information to school officials. A hearing on S. 1349 is scheduled for May 21. Congress and a number of other states, including, Delaware, Illinois, Michigan, Minnesota, Missouri, New York, and South Carolina are considering similar measures.

Employers will need to monitor these developments carefully and consider how to advise and train their managers and human resources personnel about these new requirements.
 

Where no law or employer policy prohibits a worker from recording a conversation with his manager, an employer’s termination of that worker for recording the conversation unlawfully infringed on the worker’s rights under the National Labor Relations Act, the federal appeals court in Washington D.C. has ruled.

According to the U.S. Court of Appeals for the District of Columbia Circuit, in Stephens Media LLC v. NLRB, when the employer denied what the employee believed was his right guaranteed under the Supreme Court’s Weingarten decision to have a witness at a meeting with a supervisor, he conferred with co-workers and decided to secretly record the meeting with his supervisor. The employee used a voice recorder belonging to one of his co-workers to surreptitiously record the meeting. After learning of the taping, the company terminated the employee who taped the meeting and suspended the employee who provided the recorder.

The National Labor Relations Board found these employees were engaged in protected concerted activity under the NLRA when they planned to record the meeting and that by disciplining the employees, the company violated their right to engage in such activity. According to the Board, taping the meeting to document what the employees perceived to be a potential violation of Weingarten qualified as protected activity.

In rejecting the employer’s arguments that this was not protected activity, the Board reasoned:

  1. under established Board precedent, there is no per se rule that the making of surreptitious recordings is unprotected activity;
  2. the company had no policy in effect prohibiting audio recordings; and
  3. the recording was not unlawful under state or local law. See HAW. REV. STAT. § 803-42(b)(4).

The federal appeals court agreed. An unanswered question is whether the presence of an employer policy would have resulted in a different outcome.