Search right to access

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee’s report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ

According to Ms. Pritts’ remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee’s house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU’s policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency’s scrutiny following a data breach.    

Before addressing the privacy of employee social media activity as in Maryland and Illinois, Delaware has become the first state to prohibit public or nonpublic academic institutions from requesting or requiring current students or applicants to "disclose any password or other related account information in order to gain access to the student’s or applicant’s social networking site profile or account by way of an electronic communication device." The law, called the "Higher Education Privacy Act" was signed into law on July 20 by Gov. Jack Markell and becomes effective upon enactment.

 

Continue Reading Delaware’s Higher Education Privacy Act Becomes Law

The Washington Post reported on Governor Pat Quinn’s signing of HB 3782 on August 1, 2012, at the Illinois Institute of Technology, making Illinois the second state following Maryland to prohibit employers from asking employees or applicants for their Facebook and other social media passwords. The law becomes effective January 1, 2013.

As we reported, HB 3782 amends the State’s Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.

However, the law would not limit an employer’s right to:

  • have policies to regulate employees’ use of the employer’s electronic equipment, Internet use, social networking site use, and electronic mail use; or
  • monitor the employee’s use of the employer’s electronic equipment and the employer’s electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant’s family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act.  To this end, the OCR recently posted the protocol which is used to conduct the HIPAA audits on its website. 

The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance.   This HIPAA audit program analyzes processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review.  Healthcare providers, health plans, and business associates, all who could be affected by the HIPAA audits, need to not only be aware of the OCR’s audit activities, but also HHS’s efforts to increase enforcement of HIPAA.   

The vote by the Illinois Senate, 55-0, in favor of HB 3782 may put Illinois ahead of California and other states to follow Maryland in making it illegal for Illinois employers to ask employees or applicants for their Facebook and other social media passwords. The bill awaits signature by Governor Pat Quinn, which was overwhelmingly approved by the House in March.

HB 3782 would amend the State’s Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.

However, the law would not limit an employer’s right to: 

  • have policies to regulate employees’ use of the employer’s electronic equipment, Internet use, social networking site use, and electronic mail use; or
  • monitor the employee’s use of the employer’s electronic equipment and the employer’s electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant’s family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

In this space we have frequently discussed social media issues ranging from legal considerations in policy development, to employers’ legal and practical risks attendant to reviewing job applicants’ social media presence, to legislative reactions to employers’ requiring disclosure of passwords as part of their background check process.   Two further reactions to the password disclosure issue are worthy of note.
First, Connecticut Senator Richard Blumenthal has stated he will introduce federal legislation similar to that currently under consideration in the Illinois and Maryland legislatures.   Arguing that employers’ mandating disclosure of user names and passwords “is a huge invasion of privacy,” State Assemblyman John Burzichelli has indicated that he will introduce similar legislation prohibiting the practice in the New Jersey legislature.
Second, in a statement issued this past Friday by Erin Egan, Chief Privacy Officer, Policy, Facebook responded to “a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information [which] …undermines the privacy expectations and the security of both the user and the user’s friends [and]…also potentially exposes the employer who seeks this access to unanticipated legal liability.”  Facebook advised that it is now a violation of its Statement of Rights of Responsibilities to share or solicit a Facebook password since users “shouldn’t be forced to share [their] private information and communications just to get a job” and friends of users shouldn’t have to worry that [their] private information or communications will be revealed to someone [they] don’t know and didn’t intend to share with just because [their friend] is looking for a job.”
Employers must stay abreast of these developments as they continue to refine all policies and procedures pertaining to employee social media usage.

 

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010.  Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.   

Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:

  • States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
  • The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
  • The Payment Card Industry (PCI) standards require similar agreements.
  • Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”   

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors’ data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.  
 

 

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR’s website answers some helpful questions for covered entities and business associates… 

Continue Reading OCR Announces HIPAA Audit Program