On September 25, a four-year old boy from New Jersey died of Enterovirus D-68, reports myfoxphilly.com. Increasingly, there are reports about potential Ebola cases in the U.S.

Naturally, the spread of infectious disease raises concern for everyone, particularly for healthcare workers who want to do their jobs and also protect their families. There are already indications that these concerns may have led to impermissible “snooping” by healthcare employees. Covered entities therefore need to take this increased risk seriously and remind members of their workforces that they may not access patient records for an impermissible purpose. Healthcare workers should also be reminded that impermissible snooping can lead to termination, fines, and in some cases criminal prosecution.


For some “covered entities” that may not yet maintain a robust program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to document these efforts, as documentation is required under HIPAA and will help them substantiate their compliance efforts.

Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.

No one knows where the next victim of Enterovirus D-68 or Ebola will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.

Beginning January 1, 2015, Delaware employers who dispose of records which contain the unencrypted personal identifying information of employees must take steps to ensure the privacy of such information. The bill, H.B. 294, was recently signed by Delaware’s Governor Jack Markell.

The new law defines personal identifying information as an employee’s first name or first initial and last name in combination with one of the following data elements that relate to the employee, when either the name or the data elements are not encrypted:

  • the employee’s signature;
  • full date of birth;
  • social security number;
  • passport number;
  • driver’s license or state identification number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • any other financial information; or
  • confidential health care information.

Under the law, employers are required to take reasonable steps to destroy or arrange for the destruction of an employee’s personal identifying information when it is in a “tangible medium,” or when it is stored in an electronic or other medium and is retrievable. Destruction is to be by shredding, erasing, or otherwise modifying the personal identifying information to make it entirely “unreadable or indecipherable” through any means. Importantly, the law permits a private right of action for any employee who incurs actual damages due to the reckless or intentional violation of this statute.

Delaware also enacted a companion bill, H.B. 295, in July which imposed the same requirements for the proper destruction of personal data on Delaware businesses disposing records containing consumers’ personal identifying information.

Both of these statutes are aimed at addressing one of the more common ways in which a business may experience a data breach, namely the improper disposal of records. Notably, both of these measures include broader definitions of personal identifying information than Delaware’s data breach notification statute, which only includes the following data elements: Social Security number; driver’s license number or Delaware Identification Card number; or account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

Upon enactment, Delaware joins the list of 30 other states which in some way regulate the disposal of personal information.

In order to be a “protected computer” within the meaning of the federal Computer Fraud and Abuse Act (the “CFAA”), the computer must be used in interstate commerce at the time of the allegedly unauthorized access of the computer, the U.S. District Court for the District of Massachusetts held. Pine Env. Servs., LLC v. Charlene Carson and Palms Env. and Survey, LLC, No. 1:14-cv-12830-IT (D. Mass. August 20, 2014).

Defendant Charlene Carson was employed by Plaintiff. When she resigned her employment to join a competitor, she did not return her company-owned laptop. Approximately two months after leaving her employment, Carson’s roommate observed her in their apartment working on the laptop. The roommate left the room and, when he returned, found a note from Carson asking that he return the laptop to Plaintiff.

After Carson’s roommate returned the laptop, Plaintiff performed a forensic analysis of the laptop and learned that a software program called CCleaner was installed on the laptop and was used after Carson’s last day of employment with Plaintiff to destroy data and files, the internet browsing history, and event log entries on the laptop. Plaintiff brought several state law claims against Carson and her new employer as well as a CFAA claim. The CFAA protects computers that are used in or affect interstate commerce or communication from unauthorized use or access.

The CFAA provides a private right of action in certain situations where there is a loss of at least $5,000 when someone (1) knowingly and with intent to defraud, accesses a protected computer or exceeds authorized access and by such means furthers the intended fraud and obtains anything of value; or (2) knowingly causes the transmission of a program, information, code, or command, and as a result intentionally causes damage without authorization to a protected computer; or (3) intentionally accesses a protected computer without authorization and as a result causes damage and loss. Plaintiff asserted the laptop was a protected computer because the company was engaged in providing rental equipment to other businesses throughout the country, Plaintiff’s principal place of business was in a different state from the one in which Carson lived and worked, and the laptop was used in interstate commerce and communication.

The court dismissed the CFAA claim because the laptop was only being used in interstate commerce while Carson was employed by Plaintiff. Carson’s use of the laptop during her employment was authorized. The unauthorized use of the laptop happened after the end of Carson’s employment with Plaintiff and thus occurred at a time when the laptop was not being used in interstate commerce. The court found that the fact that the laptop formerly was used in interstate commerce did not make the later deletion of files from the laptop an action that was “interstate” in nature.

This decision highlights the importance of requiring employees to return all company-owned devices immediately upon their separation from employment.


The National Labor Relations Board has found that another employer (a non-union employer) violated its employees’ protected concerted activity rights under the National Labor Relations Act (NLRA) when it disciplined and fired them for certain social media activity. Our Labor Group provides an extensive analysis of this decision in Triple Play Sports Bar and Grille, 361 NLRB No. 31 (2014).

The analysis of the issues in Triple Play, you will see, is quite fact-intensive and requires some thought in applying the applicable legal principles, and that is just addressing the NLRA issues. When companies are faced with adverse social media activity or campaigns, whether by employees, customers, bloggers, or others, they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business and other risks in deciding what actions, if any, to take. The situation in Triple Play, and other activity in social media, provide good reason for companies to be better prepared and to have a plan. Many companies may already have a crisis management plan or a communications policy, but those plans and policies need to reflect the nuances of social media and other factors, such as who is engaging in the activity and what information is being communicated.

Here are some basic questions/issues that should be considered in any plan, which are by no means exhaustive:

  • Should we have resources proactively monitoring social media activity and communications that potentially affect the company, and what limitations should there be on that monitoring?
  • Who in the company should receive initial reports of a potential problem?
  • Who should be involved in the investigation? Do we need third-party forensic expertise?
  • Do we have insurance coverage for the particular incident?
  • How will the persons involved in the activity – employees, customers, bloggers, etc. – affect the process from a legal, business or other perspective?
  • How did we learn about, or get access to, the activity? Was that access permissible under the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA), or state laws concerning social media passwords?
  • Is the information being communicated accurately?
  • Are we acting consistent with our own privacy and other policies in connection with the investigation?
  • Is the activity/communication protected? Protections may exist under the First Amendment, the NLRA, whistleblower laws, or other sources.
  • Do we need to respond? How have we responded in the past to similar situations? Will a response only make things worse? If a response is warranted, what should it be?
  • What can we learn from this incident in order to avoid incidents like this in the future?

A little planning can go a long way toward minimizing mistakes and getting better results when companies face urgent situations that require immediate action.

On August 5, 2014, Missouri voters approved Amendment 9 to the Missouri Constitution, making Missouri the first state in the nation to offer explicit constitutional protection to electronic communications and data from unreasonable searches and seizures.

The official ballot title asked:  “Shall the Missouri Constitution be amended so that the people shall be secure in their electronic communications and data from unreasonable searches and seizures as they are now likewise secure in their persons, homes, papers and effects?”

The fair ballot language specified: “A ‘yes’ vote will amend the Missouri Constitution to specify that electronic data and communications have the same protections from unreasonable searches and seizures as persons, papers, homes, and effects. A ‘no’ vote will not amend the Missouri Constitution regarding protections for electronic communications and data.”

The measure, which was approved by nearly 75% of voters, amended Section 15 of Article I of the Missouri Constitution to read:

That the people shall be secure in their persons, papers, homes, effects, and electronic communications and data, from unreasonable searches and seizures; and no warrant to search any place, or seize any person or thing, or access electronic data or communication, shall issue without describing the place to be searched, or the person or thing to be seized, or the data or communications to be accessed, as nearly as may be; nor without probable cause, supported by written oath or affirmation.

Missouri’s vote comes on the heels of the June 2014 U.S. Supreme Court’s ruling, as covered by CNN, that law enforcement must obtain a warrant to search cell phones seized during arrest.

Given the ruling of the Court, and this first measure by Missouri, it is anticipated that other similar constitutional protections will be extended to electronic communications and data. Importantly, entities which operate as government contractors and/or entities which may be considered state actors due to their funding should be aware of these developments to determine what, if any, potential impact exists for their business.

An Office for Civil Rights (OCR) report issued this month reveals some interesting details about data breach activity under HIPAA, as well as some helpful reminders and recommendations for covered entities and business associates. Section 13402(i) of the HITECH Act requires the Secretary of Health and Human Services to submit a report to various Senate and House Committees containing the number and nature of breaches reported to the Secretary, and the actions taken in response to those breaches. The most recent report covers calendar years 2011 and 2012.

After summarizing the breach notification rules, the report confirms that OCR opens compliance reviews to investigate all reported breaches affecting 500 or more individuals, and it may do so even for reported breaches affecting fewer than 500 individuals. The Department reports that as of the date of the report it has entered into seven resolution agreements/corrective action plans totaling more than $8 million in settlements resulting from breach incidents reported to OCR.

The report provides a detailed analysis of breach activity between the years 2009 through 2012, which includes identifying the general causes of the breaches, the types of entities affected by the breaches, and the location of the protected health information (PHI) when breached. It also provides examples of the kinds of steps taken by covered entities and business associates that experienced data breaches to mitigate the potential consequences of the breaches and prevent future breaches:

  • Revising policies and procedures;
  • Improving physical security by installing new security systems or by relocating equipment or records to a more secure area;
  • Training or retraining workforce members who handle PHI;
  • Providing free credit monitoring to customers;
  • Adopting encryption technologies;
  • Imposing sanctions on workforce members who violated policies and procedures;
  • Changing passwords;
  • Performing a new risk assessment; and
  • Revising business associate agreements.

What is perhaps most helpful in this report is the “Lessons Learned” section that describes areas to which covered entities and business associates should pay particular attention in their compliance efforts to help avoid common types of breaches. We’ve summarized these below:

  • Risk Assessment. Perform and document a thorough risk assessment and address vulnerabilities identified. Pay particular attention to mobile devices – digital copiers, USB drives, laptop computers, mobile phones – and ePHI transmitted across networks.
  • Evaluate Changes In Operations, Office Moves/Renovations and Mergers/Acquisitions. The risk assessment process is not a one-time activity. As the business changes, moves and expands, covered entities and business associates need to evaluate how these changes affect their data privacy and security program.
  • Portable Electronic Devices. The risks here are obvious and significant attention needs to be given to the kinds of safeguards that are appropriate, including encryption.
  • Proper Disposal. Have a plan for disposing PHI that is no longer needed, including on electronic devices and equipment that store PHI, as well as PHI maintained by vendors.
  • Physical Access Controls. Focusing on IT and PHI in electronic format should not be at the exclusion of traditional physical safeguards, such as controls on access to facilities and workstations that maintain PHI, which benefit PHI in all forms.
  • Training. This is critical not only to making sure that employees and other workforce members understand the applicable safeguards, but also to creating a sense of awareness and a culture of privacy and security within the organization.

You’ve just finished your email, electronic communications, social media and/or BYOD policies for employees assuming, among other things, that you did not have to permit employees to use company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act. You might have been safe to assume that because since 2007, as our Labor Group reports, under the Register Guard decision, the National Labor Relations Board took the position that “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.” The Board is considering changing that position, however, and is inviting input on whether to do so. You will have to act fast if you want to influence this decision, our Government Affairs Group points out, as the deadline for doing so is June 16, 2014.

Over the past few years, more employers have begun to develop policies to address employee electronic communications. There are, of course, many issues an organization must consider when crafting such policies, regardless of whether those policies are directed at company-provided email, the movement to “bring your own device” or “BYOD,” activity in social media, or managing employees’ expectation of privacy when using company-provided systems. By no means an exhaustive list, these issues include cost, productivity, safeguarding personal/company confidential information, protecting trade secrets, avoiding impermissible endorsement of company products and services, eliminating harassment and discrimination on company systems, managing email volume, and record keeping and destruction.

Adding to this array of legal, compliance, technical, employee relations and other issues affecting e-communications by employees, the right of employees to use company-provided systems to advance a union’s purposes, among other types of protected concerted activity, could further complicate an increasingly challenging task for employers. For instance, many employers monitor company email for a variety of purposes, such as protecting sensitive data from improper disclosure, customer service, compliance requirements, managing productivity, and protecting against discrimination. If the NLRB gets its way, employers will need to be much more careful in how they monitor their own systems, and perhaps decide whether and to what extent they should continue to monitor and how management responds to certain monitored communications that violate company policies.

One might ask whether this intrusion into company-owned equipment is even necessary given the ubiquity of personal devices and widespread internet and social media access. Consider one of the areas the Board seeks input on:

Do employee personal electronic devices (e.g., phones, tablets), social media accounts, and/or personal email accounts affect the proper balance to be struck between employers’ rights and employees’ Section 7 rights to communicate about work-related matters? If so, how?

Some may believe that a balance already exists at this point, given the widespread adoption of communications technologies, together with the significant and expected growth of BYOD programs in more workplaces. We’ll just have to wait and see.

Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.

Data Breach Notification Mandate

The Kentucky law follows the same general structure of many of the breach notification laws in the other states:

  • A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law refers only to acquisition, not “access,” and appears to have a risk-of-harm trigger.
  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
  • “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number; (ii) driver’s license number; or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
  • If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire, and New York.
  • The law excludes persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, covered entities, business associates and certain vendors have their own breach notification requirements.

Protections for Student Data In the Cloud

The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade twelve, when that data is stored in the “cloud.” We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means

any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.

Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.

Specifically, the law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Processing is defined broadly; it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”

While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974, also known as “FERPA,” it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.” Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.


The 11th Circuit Court of Appeals has rejected the appeal of a former City of Daytona Beach Fire Inspector who argued that the City improperly used her “personal health information” to defend itself against her lawsuit for interference under the Family Medical Leave Act. In Bailey v. City of Daytona Beach Shores, the City of Daytona Beach fired its Fire Inspector, Christine Bailey, after it learned she made claims under the City’s self-funded health plan for reimbursement of the cost of prescription narcotics without informing the City of the use of such drugs, in violation of the City’s drug-free workplace policy, while she was on FMLA leave. In response, Bailey sued the City for FMLA interference and retaliation. During the underlying lawsuit, she moved to strike the City’s use of her personal health information on grounds that the disclosure of her HIPAA-protected personal health information would violate the Health Insurance Portability and Accountability Act (“HIPAA”).

Health plans, like the one sponsored by the City, are “covered entities” under HIPAA and the use of protected health information from those plans for employment purposes is prohibited. Apparently, the Department of Health and Human Services notified the City that using the personal health information from the City’s plan for employment-related decisions would violate Bailey’s rights under HIPAA. We regularly advise employers who sponsor health plans, particularly self-funded plans, that individually identifiable health information they obtain in connection with plan administration services they provide for those plans cannot be used in the course of making employment decisions, absent the individual’s authorization or some other exception.

Affirming the trial court’s rejection of Bailey’s motion to strike, the 11th Circuit determined that while HIPAA prohibits the use and disclosure of personal health information in employment-related decisions, it does not bar a defendant in litigation from using the plaintiff’s personal health information to defend against that lawsuit. Thus, at least in the 11th Circuit, “fruit of the poisonous tree” can be used by employers to defend their employment decisions made based on fruit from their HIPAA-covered plans. The court further rejected Bailey’s FMLA interference and retaliation claims on grounds that the City proved it would have taken the same action, i.e., firing her for violations of the City’s drug policy, if she had not taken FMLA leave.

The 11th Circuit’s ruling may appear to be a victory for defendants in litigation who seek to use plaintiffs’ HIPAA-protected personal health information to defend themselves from plaintiff allegations that involve such information. However, the Court seems to gloss over the distinction made in the HIPAA regulations between functioning as a covered entity-health plan and functioning as an employer. The employee was suing the employer in this case, not the plan, and the employer, functioning as an employer, simply should not have had access to this information. The effects of this decision may be problematic for employers that do not read this decision and HIPAA carefully. Specifically, some employers may be encouraged to tap into health plan claims records more freely, not for plan administration purposes, but for employment purposes, believing that information can be used to defend their employment decisions in subsequent litigation.

Of course, while there may not be a private right of action under HIPAA, using protected health information in that way could expose the health plans, and in effect the employers, to investigations by the Office for Civil Rights. The 11th Circuit focused on the use of personal health information in litigation only, but whether such information is used in litigation or not does not remedy any underlying HIPAA violation. HIPAA would bar an employer from reviewing a prescription claim submitted to its health plan for the purposes of making an employment decision, irrespective of any litigation involving the disclosure or use. It remains to be seen whether a claimant who successfully files a HIPAA charge with the Office for Civil Rights would be able to obtain a different result from a court addressing that party’s personal health information in the litigation context, the Bailey case notwithstanding.