Workplace Privacy, Data Management & Security Report

Plaintiff in Privacy Suit over LinkedIn Account Gets Zero Damages

V. John Ella — Fri, 26 Apr 2013 06:36:48 -0800

Our colleague John A. Snyder writes on our non-compete blog about the case of Eagle v. Morgan, No. 11-403 (E. D. Pa. March 12, 2013) in which the plaintiff sued her former employer for misappropriating her LinkedIn account and was awarded zero damages.

HIPAA Preempts Less Protective State Law Concerning Medical Records of Deceased Nursing Home Residents, Eleventh Circuit Rules

Joseph Lazzarotti — Tue, 16 Apr 2013 05:39:23 -0800

Written by Lillian Moon

In addition to requirements to safeguard increasingly vast amounts of patient data, healthcare providers also need to be mindful of when that data can be used and disclosed. One key challenge in that area is understanding whether state or federal law applies. The U.S. Eleventh Circuit Court of Appeals (which covers Florida, Georgia, and Alabama), held that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law, Section 400.145, that allowed for the release of medical records of deceased residents of nursing homes to specified individuals without prior authorization. Opis Management Resources, LLC et al. v. Secretary Florida Agency for Health Care Administration.

The plaintiffs, comprised of several nursing home facilities, filed suit in federal district court challenging the Florida Agency for Health Care Administration’s (“AHCA”) citations to the facilities for their refusal to disclose deceased residents’ medical records to surviving spouses, family members, and attorneys-in-fact who were not personal representatives under the relevant HIPAA provisions. The nursing homes asked a federal district court judge to declare that Florida Statute § 400.145 was preempted by HIPAA. The district (trial) court granted summary judgment in favor of the nursing facilities finding that the Florida law provided nursing home residents less protection than required under HIPAA.

On appeal, the Eleventh Circuit affirmed the district court’s grant of summary judgment concluding that Section 400.145

impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.

As the court explained, HIPAA includes a preemption clause providing that HIPAA supersedes any contrary state law provision, including any state law which “stands as an obstacle to the accomplishment and execution of [HIPAA’s] full purposes and objectives.” In other words, if a state law provides for less stringent protection than that already provided by HIPAA, it is preempted or superseded by HIPAA. HIPAA, however, does not preempt state laws providing more stringent protections.

Since 2000, the federal Department of Health and Human Services has issued extensive regulations, known as the Privacy Rule, that establish procedures by which protected health information (“PHI”) may be used or disclosed by a covered entity or business associate. Under the most recent set of regulations issued in January, HIPAA protection of PHI for deceased individuals remains in effect for a period of fifty (50) years after the individual’s death. The Privacy Rule further provides that PHI may be disclosed to a personal representative (one who under applicable state law is an executor, administrator or other individual with the authority to act on behalf of a deceased person or the individual’s estate). Additionally, a covered entity may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In such a case, PHI of the deceased can be released to the extent it is relevant to such person’s involvement in the care or payment for the care.

Section 400.145, Florida Statutes, provides in pertinent part that “[u]nless expressly prohibited by a legally competent resident, any nursing home licensed pursuant to this part shall furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a current resident, . . . or of a former resident, . . . a copy of that resident’s records which are in the possession of the facility.” The court found that although the statute lists a number of individuals to whom records could be disclosed, it “does not empower or require an individual to act on behalf of a deceased resident,” and, therefore, does not identify any of those individuals to qualify as personal representatives under HIPAA. Therefore, the statute provides a much broader class of individuals than under HIPAA to whom the deceased’s PHI may be disclosed without authorization. Additionally, the Florida statute does not contain the same limitations or restrictions as the Privacy Rule with regard to releasing PHI of a deceased individual to those involved in the individual’s care or who paid for it and only to the extent the information is relevant to the person’s involvement or payment. Accordingly, the court found HIPAA provided more stringent protections of PHI than the Florida statute and held HIPAA preempts Section 400.145.

California Considers Broader and Tougher Data Disclosure Requirements for Use of Customer Personal Information

Jason C. Gavejian — Fri, 12 Apr 2013 11:03:41 -0800

By: Lillian Chaves Moon

In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information.

California Assembly Bill 1291, would require businesses who have customer personal information and have disclosed such information to provide each such customer with notice of the names and contact information of all third parties who received personal information from the business and provide a designated request address at which to receive requests from customers as provided for under the bill. Additionally, the business must make available, free of charge, access to or copies of all of the customer’s personal information that the business holds. Also, if the business has any online privacy policies, each privacy policy must also include a statement of the customer’s rights as provided in the legislation and a designated request address.

Personal information broadly includes, but is not limited to, any of the following: (1) identity information such as real name, alias, nickname, and user name; (2) address information, including but not limited to, postal address, e-mail, internet protocol address; (3) telephone number; (4) account name; (5) social security number or other government-issued identification number, such as a driver’s license number, identification card number, and passport number; (6) birthdate or age; (7) physical characteristic information such as height and weight; (8) sexual information, including but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression; (9) race or ethnicity; (10) religious affiliation or activity; (11) political affiliation or activity; (12) professional or employment-related information; (13) educational information; (14) medical information; (15) financial information; (16) commercial information; (17) location information; (18) internet or mobile activity information; (19) content including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and (20) any of the above information as it relates to the customer’s children.

Customer is defined as an individual who is a resident of California and provides personal information to a business “in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.” Customers also include individuals for whom the business obtained personal information from another business. Accordingly, the bill would cover individuals who are not traditionally thought of as customers and may also include a business’ employees.

All businesses, including employers, with operations in California or with California customers must stay abreast of these developments and, given the breadth of personal information implicated, no such business can be exempt from the requirements. In preparation for the passing of this or a similar bill, it is important to determine how customer personal information is disclosed and set forth a compliance plan to meet the pending disclosure and access requirements.

California Appellate Court Expands Common Law Right of Privacy

V. John Ella — Thu, 11 Apr 2013 15:19:52 -0800

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state's common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments. After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal." The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930's.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort's purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public - in essence to define his public persona." The court went on to note that, "[w]hile this restriction may have made sense in the 1890's - when no one dreamed of talk radio or confessional television - it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee's medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.

Deletion of Facebook Page = Spoliation

Jason C. Gavejian — Thu, 11 Apr 2013 11:19:57 -0800

A New Jersey District Court has sanctioned a personal injury plaintiff for spoliation following the plaintiff’s deletion of his Facebook account which defendants were trying to access.

The defendant’s discovery requests asked for documents or records of “wall posts, comments, status updates or personal information posted or made by plaintiff on Facebook and/or any social media website from 2008 through the present.” Later, the defendant sent forms for plaintiff to execute which would authorize Facebook and other sites to release plaintiff’s information. The plaintiff executed all the authorizations except the one for Facebook.

Plaintiff’s failure to execute the Facebook authorization was raised before the Court and the Court ordered plaintiff to execute the authorization. Plaintiff agreed to enable access by changing his password to a certain word. Thereafter, defense counsel accessed the account to confirm the password change and printed some of the accounts content.

The following day, Facebook notified plaintiff of the account access from an unknown IP address in New Jersey. Plaintiff notified his counsel who contacted defense counsel to confirm that the records would be sought from Facebook headquarters. Defense counsel responded, explaining the account was accessed to confirm the password change but would not be accessed again as the authorization was sent to Facebook.

Facebook responded to the authorization advising that the Stored Communications Act barred it from disclosing the data but suggested having plaintiff download the content himself. Counsel for the parties agreed that plaintiff would do so and turn over a copy, along with a certification that he had made no changes since he was first ordered to execute the authorization. However, plaintiff’s counsel later advised defendants that plaintiff had deactivated the account and could not reactivate it. The plaintiff claimed he deactivated the account because of the notification he received that unknown people were accessing his account without his permission.

The defendants moved for sanctions claiming that the deletion was intentional as postings contained in the deleted account would have helped refute plaintiff’s damages claim. Defendants based this assertion on content printed from the account prior to deactivation. The Court rejected plaintiff’s argument that the information contained in the account was not intentionally suppressed and found that even if plaintiff did not intend to deprive defendants of the data, he intentionally deleted the account and thereby failed to preserve relevant evidence.

This case, as well as the case discussed here, provide valuable authority for accessing social media content in litigation.

New Mexico Joins Other States That Have Passed Social Media Privacy Laws

Joseph Lazzarotti — Wed, 10 Apr 2013 03:20:28 -0800

Shortly after Utah inked its own law, New Mexico Governor Susana Martinez signed S371 into law on April 5, 2013. Similar to the provisions in other states (such as, California, Illinois, Maryland and Michigan), S371 makes it illegal for employers to request or require applicants to provide a password, or demand access in any manner, to an applicant's social media account or profile. Unlike some of the laws in other states, the New Mexico statute appears to apply only to prospective employees, but not current employees.

Additionally, S371 makes clear that certain activities by employers are not affected by the law, namely:

having electronic communication policies in the workplace addressing internet use, social networking activity and email,
monitoring use of the employer’s information systems and networks,
using information that is publicly available on the Internet, although as noted in prior posts there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Utah Enacts "Internet Employment Privacy Act"

Joseph Lazzarotti — Mon, 08 Apr 2013 02:59:12 -0800

Following a handful of other states (such as, California, Illinois, Maryland and Michigan), a new Utah labor law places limits on employers' ability to access the "personal Internet accounts" of employees and applicants. Gov. Gary R. Herbert signed the state's "Internet Employment Privacy Act" (IEPA) on March 26, 2013, together with the "Internet Postsecondary Institution Privacy Act" applying similar restrictions on postsecondary institutions with respect to their students and prospective students.

The IEPA prohibits an employer from asking an employee or applicant to disclose the username and password that allows access to his or her "personal Internet account," as well as taking adverse action against the individual for failing to do so. There are some qualifications and exceptions, however.

First, "personal Internet accounts" are defined to mean online accounts that are used by an
employee or applicant "exclusively for personal communications unrelated to any business
purpose of the employer." In fact, the statute specifically excludes accounts that are "created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer." Of course, employees frequently use their personal online accounts for business purposes, so it is unclear how widespread the protections under this new law will be.

Consider that most employees' LinkedIn or Facebook accounts likely include some business contacts for their current employer, setting up the argument that the account is maintained or used for a business purpose of the employer. Perhaps the practical effect of the law will be to provide greater protection for applicants who seem less likely to have online personal accounts created, maintained, used or accessed for a business purpose of the employer.

Second, the IEPA sets out some specific exceptions, such as:

Employers may request or require employees to provide their usernames and passwords to enable the employer to access company-issued (or paid for, in whole or in part) smartphones and other devices, as well as online accounts provided by the employer.
Employers may discipline employees for making unauthorized transfers of proprietary or confidential company information or financial data to the employee's personal Internet account.
Employers also may conduct and require employees to cooperate with certain investigations (such as concerning compliance or work-related employee misconduct) when there is specific information about related activity on the employee's personal Internet account.
Perhaps to address the concerns of those employers who have adopted "BYOD" programs, the law does not prohibit the "monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by, or paid for in whole or in part by, the employer, or stored on an employer's network, in accordance with state and federal law."
Employers also are not prohibited under the law from viewing, accessing, or using information that is publicly available on the Internet, although there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Employees and applicants may sue employers for violating this law, but damages are limited to $500 per violation.

This development only highlights the increasing regulation of employee (and applicant) privacy in cyberspace, particularly for multi-state employers where the laws vary significantly. Employers need to keep on top of these developments, and ensure their managers and supervisors have been trained so they know their limitations in attracting, managing and disciplining employees.

New Tennessee Law Requires Destruction of Certain PHI Following Medical Malpractice Litigation

Joseph Lazzarotti — Sun, 31 Mar 2013 22:40:39 -0800

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs' health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases - health care providers - will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

Utah Requires Statement About Disclosures in HIPAA Notice of Privacy Practices

Joseph Lazzarotti — Sun, 31 Mar 2013 22:03:58 -0800

In response to a massive data breach in 2012 involving over 700,000 people, Utah's Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children's Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state's Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.

We have to disclose patient records in response to a subpoena/attorney letter, right?

Joseph Lazzarotti — Sun, 31 Mar 2013 21:35:18 -0800

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
Ohio's Cleveland Clinic could not convince a federal district court to dismiss a patient's claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state's patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
An Alabama patient's claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
In Wisconsin, a pharmacist was sued after disclosing an employee's prescription history to his employer. The pharmacist's ignorance of the states privacy laws and the employee's attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
A Court held another New Jersey doctor liable when he released a patient's records to opposing counsel pursuant to an improper subpoena, even though the subpoena's defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor's burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

What type of information is contained within the records requested?
What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
Is the authorization valid?
Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
Is a court order, including an order with specific findings, needed for some or all of the responsive information?
Is the requesting party authorized to be acting for the individual/patient/employee?
What safeguards should be taken to ensure the disclosure is made in a secure manner?
Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure.

New York's Highest Court To Say Whether Medical Practice Can Be Sued For Wrongful Texts By Non-Physician Employee

Joseph Lazzarotti — Sun, 31 Mar 2013 20:32:55 -0800

In this case (Doe v Guthrie Clinic, Ltd, March 25, 2013), the Second Circuit Court of Appeals (covering New York, Connecticut and Vermont) is asking New York's highest court to determine whether the common law permits a medical corporation to be sued for a breach of the fiduciary duty of confidentiality concerning patient medical records when a non-physician employee makes an unauthorized disclosure of those records. The position the New York Court of Appeals takes will be watched closely by health care providers across the Empire State as the requirements for securing patient data continue to tighten with, among other things, the final HIPAA regulations being issued under HITECH this past January.

Here, Doe (patient) sued Guthrie Clinic because one of the clinic's nurses (and sister-in-law of Doe's girlfriend) texted Doe's girlfriend about Doe's treatment for a sexually transmitted disease (STD). All of the patient's claims, including a claim for common law breach of fiduciary duty to maintain the confidentiality of personal health information, were dismissed by the lower court. Doe appealed the dismissal to the Second Circuit.

The federal appellate court reversed the dismissal of the fiduciary breach claim, noting that New York courts have not addressed this situation. That is, there are no decisions in New York that specifically address whether a medical practice could be liable under a breach of fiduciary duty theory when its non-physician employee wrongfully discloses confidential medical information. Employers in New York generally are liable for the foreseeable actions of their employees which are within the scope of employment, but usually not when those actions are driven by personal reasons of the employee.

Under the facts in this case, New York's high court may find no cause of action exists, leaving patients/plaintiffs with one less avenue to sue. The risks and exposures remain, however, for health care providers who will incur significant costs defending these actions in court and addressing complaints before state and federal agencies. Strong policies and employee training will not prevent patient claims and complaints, but they will help to put providers in a better position to defend their actions.

Protecting Trade Secrets with a Mobile Workforce

V. John Ella — Thu, 21 Mar 2013 11:03:08 -0800

With all of the recent discussion about working from home, Cliff Atlas, Co-Chair of the Jackson Lewis Non-competes and Protection against Unfair Competition Practice Group, has posted an article about Protecting Trade Secrets with a Mobile Workforce and Telecommuters. Check it out.

President Obama Issues Executive Order On Cybersecurity

Joseph Lazzarotti — Thu, 14 Feb 2013 05:55:35 -0800

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President's order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data.

NHS Wants Patient Records

Joseph Lazzarotti — Mon, 04 Feb 2013 05:46:07 -0800

The National Health Service, which represents a significant part of the United Kingdom's government-run health system, is looking to go paperless. In the process, as part of its "Everyone Counts" initiative, it has plans to require doctors to turn over to NHS significant amounts of patient data. (Read more about NHS' plan). For example, NHS providers would be required to turn over a patient's NHS number, date of birth, gender, post code, ethnicity code and date of death, among other data elements including diagnosis code, smoking status, alcohol use and so on.

Just as concerns in the U.S. led to the HIPAA privacy and security regulations, the Guardian is reporting privacy advocates in the UK are concerned about this collection of personal health information by the government. And there are reasons for concern - it has been reported that for the 12-month period ending July 2012, NHS had 16 breaches that exposed 1.8 million health records. It remains to be seen how secure this information will be.

Maryland Attorney General Gansler Forms Internet Privacy Unit

Joseph Lazzarotti — Wed, 30 Jan 2013 14:49:23 -0800

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act. The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

A Summary of the Final HIPAA Rule

Joseph Lazzarotti — Tue, 29 Jan 2013 14:09:44 -0800

As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.

Top 13 for 2013 - Happy Privacy Day

Joseph Lazzarotti — Mon, 28 Jan 2013 06:45:49 -0800

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
Bans On Requesting Social Media Passwords. As we have previously discussed fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

Final HIPAA Regulations: "Business Associates" Include Subcontractors, Data Storage Companies (Cloud Providers?)

Joseph Lazzarotti — Sat, 19 Jan 2013 20:38:13 -0800

Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.

Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]." This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them.

Certain Groups Not Considered Business Associates.
- Researchers generally are not considered BAs when performing research functions.
- Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer)
- Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule only applies to the language in the agreements, the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates.

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

Final HIPAA/HITECH Privacy and Security Regulations Released

Joseph Lazzarotti — Thu, 17 Jan 2013 15:26:42 -0800

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
Revisions to the HIPAA enforcement rule;
Updates to the previously issued data breach regulations; and
Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.

ACCESS SUMMARY HERE

Manti Te'o Story Highlights Reliability of Social Media

Jason C. Gavejian — Thu, 17 Jan 2013 08:03:16 -0800

Unless you have been living under a rock from the past 24 hours, you are familiar with the story of Notre Dame linebacker, and Heisman Trophy runner up, Manti Te’o.

As first reported by Deadspin.com it appears that the story of Manti Te’o’s “girlfriend” and her apparent death at the hands of leukemia were an elaborate hoax. Deadspin’s article seems to imply that Manti Te’o was somehow involved in this hoax, while CNN.com reports that both Te’o and Notre Dame have insisted that he was simply a victim.

Lennay Kekua, the name of the “girlfriend,” is apparently only known through several social media accounts maintained in that name. However, Deadspin reports that it was able to locate the woman whose picture was utilized as the profile picture for Kekua. According to that woman, the picture used was her public Facebook profile shot. Similarly, she informed Deadspin that other pictures reporting to be “Kekua,” were actual taken from several of her social media accounts.

While the details of this story continue to unfold, the story highlights one of the biggest risks of information obtained through social media; reliability. As evidenced by the Te’o story, it is not difficult for someone to obtain a photograph of an individual and begin social media interactions in either that person’s name, or utilizing that person’s likeness. Although this story illustrates one way such a “hoax” could occur, it is easily conceivable that a “fake” social media account could be utilized to post discriminatory, hurtful, or insensitive comments in the name of another. While we have previously highlighted some of the issues surrounding an employer’s search of social media for employees or prospective employees, in this instance, “fake” comments could easily cost an individual a job, or a prospective job. While the individual may lose out on employment, it is also possible that the employer is losing an excellent employee due to false information.