The Washington Post reported on Governor Pat Quinn’s signing of HB 3782 on August 1, 2012, at the Illinois Institute of Technology, making Illinois the second state following Maryland to prohibit employers from asking employees or applicants for their Facebook and other social media passwords. The law becomes effective January 1, 2013.

As we reported, HB 3782 amends the State’s Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.

However, the law would not limit an employer’s right to:

  • have policies to regulate employees’ use of the employer’s electronic equipment, Internet use, social networking site use, and electronic mail use; or
  • monitor the employee’s use of the employer’s electronic equipment and the employer’s electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant’s family medical history on his or her Facebook site, which would raise issues under the Genetic Information Nondiscrimination Act.

Recruiters are increasingly turning to social media to screen and recruit candidates. Jobvite’s 2012 Social Recruiting Survey found that 92% of respondents plan to use social media for recruiting. Often, recruiters are viewing and considering information that should not be utilized in the hiring process. LinkedIn is replete with information that should not be considered when searching for or selecting candidates. Yet, the same survey found that LinkedIn is the most popular social networking site for recruiters.

LinkedIn profiles likely contain photos of candidates and other information identifying a candidate’s race, ethnicity, age, disability, pregnancy, or religion.  Federal and state anti-discrimination laws prohibit companies from using such non-work-related information when hiring.  Additionally, the Equal Employment Opportunity Commission (EEOC) has issued regulations for the employment provisions of the Genetic Information Nondiscrimination Act (GINA) that prohibit acquisition of “genetic information” through social media.  

The EEOC also has made clear that it is focusing its litigation efforts on eliminating systemic discrimination, such as discriminatory barriers in recruitment and hiring. The EEOC’s Compliance Manual states that bias is not always conscious, and that actions infected by stereotyped thinking or other forms of less conscious bias are discriminatory.  It further states that it is discriminatory to use a screening procedure that has a significantly disparate impact.

Employers can separate recruiters who screen applicants through social media from individuals who are making the hiring decision. This would require a recruiter to search applicants online, scrub prohibited information, and deliver scrubbed profiles to a decision maker. This may be difficult for employers to act on without careful attention to details and legal guidance to avoid significant risks. The process relies heavily upon a recruiter’s knowledge of employment laws to scrub prohibited information. Avoiding the issue because of its burdensomeness is quickly ceasing to be an option for employers.

Companies also can utilize third parties to screen applicants through social media as long as they are aware of the pitfalls.  First, many employers make little or no effort to determine whether the third party recruiters have developed appropriate safeguards.  Second, the Federal Trade Commission (FTC) has stated that employers who rely upon third parties for social media information about candidates must comply with the Fair Credit Reporting Act (FCRA).  

FCRA requires that an employer notify an applicant when it takes adverse actions based upon a consumer report. Employers also must provide the rejected applicant with notice of his or her right to view the data relied upon, as well as give the individual the opportunity to dispute any inaccurate or incorrect information. Employers failing to comply with FCRA can be subject to tremendous liability. For example, Spokeo, Inc., a website that collects and sells detailed consumer information by compiling online data, recently agreed to pay $800,000 to settle FTC charges alleging that it violated FCRA in the employment screening context.

The EEOC, OFCCP (Office of Federal Contract Compliance Programs), and FTC are beginning to scrutinize employers that use social media to screen applicants.  Unfortunately, LinkedIn and other social media sites do not yet maintain a “safe” site for recruiters.  Employers need to anticipate government inquiry and not await the knock on the door.  Recruiters should be restricted from considering prohibited information about applicants, whether they are working on company time or researching an applicant on their own time.  They need appropriate social media guidelines and policies that are compliant with a host of laws.  Further, they need to be properly trained. 

Ignoring this problem or simply outsourcing recruitment to a third party without careful consideration of these issues and a recruiter’s qualifications is a recipe for lawsuits.

An employee’s claim that he did not realize his employer could view posts he made to a co-worker’s Facebook wall did not support his claim that the employer intruded upon the employee’s seclusion, a Texas Court of Appeals held last week. Sumien v. Careflite (Tex. App. 2012).

In this case, the plaintiff and some of his emergency medical technician co-workers were commenting on Facebook about wanting to "slap" or otherwise constrain patients who are difficult to control while they are being transported. The company terminated Sumien and another technician following the company’s Compliance Officer learning of these posts and receiving complaints about the comments.

In addition to wrongful termination and other claims, the plaintiff alleged that the employer’s viewing these comments amounted to an impermissible "intrusion upon seclusion." To prove an intrusion upon seclusion claim, the former employee needed to show "(i) an intentional intrusion, physical or otherwise, upon another’s solitude, seclusion, or private affairs or concerns that (ii) would be highly offensive to a reasonable person." The court found that not knowing his employer could view his comments did nothing to support the employee’s claims that the employer intentionally intruded upon his seclusion, and denied the appeal.

In addition to providing some authority to defend intrusion upon seclusion claims in similar circumstances, this case also shows that employers need to think through whether and to what extent they need to be more involved in controlling and shaping employee activity on social media. This case involved complaints from other employees about the posts, but also could have involved patient complaints relating to disclosures of protected health information under HIPAA. The posts also could have been viewed by the company’s business partners or potential business partners in a negative light, adversely affecting the company’s reputation. A well-drafted policy, training and consistent enforcement generally are good steps to minimizing these risks.

When an electronic storage device potentially containing ePHI was stolen from the vehicle of an Alaska Department of Health and Social Services (DHSS) employee on October 12, 2009, DHSS reported the breach to the Office of Civil Rights (OCR) pursuant to the HIPAA breach notification rule. The breach reportedly affected 501 individuals. However, according to a resolution agreement, OCR’s subsequent investigation found significant violations of some of the most basic HIPAA rules. Without admitting liability, DHSS agreed to pay $1,700,000 and to comply with a three-year corrective action plan.

After four rounds of written responses from DHSS, and a two-day on-site visit, OCR found that DHSS had not:

  1. completed a risk analysis;
  2. implemented sufficient risk management measures;
  3. completed security training for DHSS workforce members;
  4. implemented device and media controls; or
  5. addressed device and media encryption.

Data breaches continue to occur on a fairly regular basis, and the ubiquity of electronic storage devices, particularly those that are not encrypted, makes these incidents even more likely. This and other cases should help covered entities to realize that enforcement agencies are acting on notices they receive under the applicable breach notification statutes or regulations to find compliance violations.

This kind of enforcement activity, as with this case, could turn out to be quite a lucrative practice for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to be prepared for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.

As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act. To this end, the OCR recently posted on its website the protocol that it uses to conduct the HIPAA audits.

The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance. This HIPAA audit program analyzes processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review. Healthcare providers, health plans, and business associates, all of whom could be affected by the HIPAA audits, need to be aware not only of the OCR’s audit activities, but also of HHS’s efforts to increase enforcement of HIPAA.

Accretive Health, Inc.’s legal issues continue to evolve as new allegations by Minnesota Attorney General Lori Swanson accuse Accretive of operating without a HIPAA-required business associate agreement (BAA) and then creating a back-dated agreement in response to litigation. 

As we previously reported, Accretive, a Chicago-based health care consulting company and debt collection agency, originally caught the attention of Attorney General Swanson when it was discovered that an unencrypted laptop computer with medical information of over 23,531 Minnesota patients was stolen on or about July 25, 2011. This led to revelations suggesting that Accretive was engaged in improper collection activities in the emergency rooms of two Minneapolis-area hospitals, Fairview Health Systems and North Memorial Hospital, including bedside collection visits. It was then disclosed that one or more officers of Fairview had family connections with employees of Accretive. In January, Minnesota Attorney General Lori Swanson sued Accretive Health for violation of HIPAA, the HITECH Act, the Minnesota Health Records Act and various Minnesota consumer protection and debt collection statutes. Perhaps the strangest twist occurred in May when Chicago mayor Rahm Emanuel reportedly sent a letter to Swanson asking her to back off the litigation until he could arrange a meeting with Accretive’s CEO. Swanson declined the suggestion.

Swanson now seeks to file a second amended and supplemental complaint to add new factual allegations. Specifically, Swanson alleges that at the time she requested documents in October of 2011, Accretive did not have a business associate agreement in place with North Memorial. Following the request, she claims that Accretive created one and made it look as if it had been signed on March 21, 2011. 

The Attorney General acknowledges that it is the covered entity’s obligation to have a BAA in place before making protected health information available to a vendor, such as Accretive. However, the Attorney General argues that Accretive’s actions with respect to not having the BAA support her claims that Accretive disregarded its HIPAA obligations. It would be surprising if a sophisticated health care provider like North Memorial had not implemented such a basic required document with a business associate like Accretive, to say nothing of the alleged "deception" as characterized by Swanson.

This case is a good example of the growing propensity for state Attorneys General to engage in HIPAA enforcement actions as we have discussed. Regardless of how the legal saga turns out, it is also a good reminder to have compliant business associate agreements in place as required by HIPAA.

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state’s data breach notification law.

The key change: persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State’s Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut’s law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont.

This change becomes effective October 1, 2012.

Effective July 1, 2012, Vermont joins California, Connecticut, Hawaii, Illinois, Maryland, Oregon, and Washington as jurisdictions that restrict an employer’s right to obtain and use credit information for making employment decisions.  Similar legislation is pending in many other jurisdictions. Click here for more information about the Vermont law. 

Recent amendments to Vermont’s Security Breach Notice Act (Act) will further complicate compliance for entities and practitioners handling data breaches, particularly those breaches affecting individuals residing in multiple states, where one of the states is Vermont. The amendments became effective May 8.

After reviewing these changes, businesses should reassess and modify, as necessary, their data incident response procedures. (Or, they should consider creating procedures to address these situations. Data security regulations in Massachusetts and HIPAA require such procedures be in place.)

For example, businesses should consider procedures and materials that facilitate quick action to comply, including draft notification letters, template scripts to respond to inquiries following a breach, and establishing relationships with computer forensic, crisis management and other firms.  Businesses that provide personally identifiable information to third party service providers (such as payroll companies, benefits brokers, accountants, and others) also should review their service contracts with those providers to ensure the businesses will be able to meet the time frames and other breach notification requirements.

What are the key changes?

  • 45-Day Notice to Affected Individuals.
  • 14-Day Attorney General Notice.
  • WISP Exception to 14-Day Attorney General Notice.
  • Revised Definition of "Security Breach".
  • Assistance in determining whether a security breach has occurred.


To date, State Attorneys General (State AGs) in at least four states (Connecticut, Indiana, Minnesota, Vermont) have exercised their authority to enforce the HIPAA privacy and security rules as granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009 (ARRA). Following a nationwide live training campaign, the Office of Civil Rights (OCR) is continuing its efforts to train State AGs by making training materials available online.

The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded. Topics include:

  • General introduction to the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • State AG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for State AGs in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

State AG interest in pursuing these cases may be growing. For example, the Connecticut Attorney General’s website instructs residents on how to file complaints concerning HIPAA. This action by OCR also may indicate it is closer to issuing the long-awaited final regulations under HITECH. Health care providers, health plan sponsors and administrators, and business associates should be taking steps to ensure they are ready to survive a HIPAA audit, as well as an enforcement action by a State AG.