HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting

On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS).

Background:  The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law.  Federal law identifies several categories of potential disqualifiers, known as “prohibitors” including a federal mental health prohibitor.  By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective.  The Department of Justice has promulgated regulations that defines these categories to include the following individuals:

  • individuals committed to a mental institution for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity, or

  • individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor.  HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.

Final Rule:  HHS finalized its proposed rule without any substantive changes. Under the final rule, a new section 164.512(k)(7) of the HIPAA Privacy Rule expressly permits certain covered entities to disclose information relevant to the federal mental health prohibitor to the NICS.

The permitted disclosure applies only to those covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a State or are responsible for ordering the involuntary commitments or the adjudications that would make someone subject to the prohibitor.  Thus, most treating providers may not disclose protected health information about their own patients to the NICS, unless otherwise permitted by the HIPAA Privacy Rule.  HHS also clarifies that individuals who seek voluntary treatment are not subject to the prohibitor.

The rule limits disclosure only to the NICS or an entity designated by the State to report data to the NICS.  And only that information that is “needed for purposes of reporting to the NICS” may be disclosed, though HHS gives States the flexibility to determine which data elements are “needed” to create a NICS record (consistent with requirements of the FBI, which maintains the NICS).  At present, the required data elements for the NICS are: name; date of birth; sex; and codes identifying the relevant prohibitor, the submitting state agency, and the supporting record.  The NICS also allows disclosure of certain optional data elements (e.g., social security number and identifying characteristics).  HHS notes that applicable covered entities may disclose such optional data elements “to the extent necessary to exclude false matches.”

HHS declined many commenters’ suggestion to expand the rule to permit the disclosure of information about individuals who are subject to state-only mental health prohibitors. HHS fears that expanding the scope of the permitted disclosure would disrupt the careful balance between public safety and encouraging patients to seek mental health care.

Finally, in the preamble, HHS defended its statutory authority to make this change, despite the fact that Congress did not address HIPAA in recent legislation to strengthen the NICS.  HHS explained that the “HIPAA statute confers broad authority on the Department to specify the permitted uses and disclosures of PHI by HIPAA covered entities.”

© 2015 Covington & Burling LLP

LinkedIn, the Fair Credit Reporting Act, and the Real-World Implications of Online Activity

With the ever-increasing amount of information available on social media, employers should remember to exercise caution when utilizing social media as a part of their Human Resources/ Recruitment related activities. We live in a digital-age, and how people choose to define themselves is often readily showcased on social networking sites. Whether – and how – employers choose to interact with the online presence of their workforce will continue to develop as the relevant legal standards try to catch up.

A recent federal court filing in the Northern District of California against LinkedIn Corp. provides yet another example of the growing interaction between online personas and real-world employment law implications. There, in Sweet, et al v. LinkedIn Corp., the plaintiffs sought to expand the application of the Fair Credit Reporting Act (“FCRA”) by alleging that LinkedIn’s practice of providing “reference reports” to members that subscribe to LinkedIn’s program for a fee, brought LinkedIn within the coverage of the FCRA as a Credit Reporting Agency (“CRA”). Briefly, the FCRA (and relevant state statutes like it) imposes specific requirements on an employer when working with “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” In other words, there are rules – such as providing requisite disclosures and obtaining prior authorization – that apply when an employer engages a CRA to perform background checks, reference checks and related inquiries.

In the lawsuit, the plaintiffs alleged that LinkedIn was a CRA – and that these various rules should apply – because LinkedIn collected and distributed consumer information to third parties and the resulting reference reports “bear on a consumer’s character, general reputation, mode of living, or personal characteristics, and/or other factors listed in 15 U.S.C. § 1681a(d).” Further, according to the complaint, LinkedIn violated the FCRA because it should have provided FCRA compliant disclosure and followed the reporting obligations applicable to CRAs.

LinkedIn, which is touted as the “world’s largest professional network,” does not portray itself as a CRA and moved to dismiss the complaint. LinkedIn argued that the plaintiffs’ interpretation of the statute was too broad and, moreover, was inconsistent with the facts. A federal judge agreed and dismissed the complaint (although the plaintiffs have the opportunity to file another complaint). The Court ruled that these reference searches could not be considered “consumer reports” under the law – and LinkedIn was not acting as a CRA – because, in part, the plaintiffs had voluntarily provided their information to LinkedIn with the intention of it being published online. (The FCRA excludes from the definition of a consumer report a report that contains “information solely as to transactions or experiences between the consumer and the person making the report.”) The Court also noted that the allegations suggested that LinkedIn “gathers the information about the employment histories of the subjects of the Reference Searches not to make consumer reports but to ‘carry out consumers’ information-sharing objectives.’”

The LinkedIn case should still serve as a reminder of several important and interrelated trends. First, as it concerns the FCRA, the statute is broadly worded to cover “any written, oral or other communication of any information by a consumer reporting agency . . .” and the equally expansive definition of a CRA can apply in numerous situations that extend beyond the traditional notion of a consumer reporting agency. If applicable, the requirements of the FCRA must be followed. Second, employers need to continue to be mindful of the fact that their online activity can have real-world employment law implications. Third, as the law governing traditional employment law continues to evolve in response to online developments, the challenges to that activity will evolve as well.

Authored by: Ian Gabriel Nanos and Maxine Adams of Epstein Becker & Green, P.C.

©2015 Epstein Becker & Green, P.C. All rights reserved.

Background Checks Headline in 2014

Proskauer Law firm

In 2014, background checks were a hot topic in state and local legislatures.  Before this year, only 8 jurisdictions in the country had passed laws preventing private employers from asking job candidates about their criminal histories on an employment application (i.e., “banning the box”).  This year alone, however, 9 jurisdictions enacted ban-the-box laws covering private employers—Baltimore, Columbia (MO), Illinois, Montgomery County (MD), New Jersey, Prince George’s County (MD), Rochester (NY), San Francisco, and Washington D.C.  Louisville, Indianapolis, and Syracuse also banned the box for private employers with city contracts, while Delaware and Madison (WI) “encouraged” the same.

Man Sitting Alone in a Row of Empty Chairs

Several of these so-called “ban the box” laws also restricted the types of arrests or convictions about which employers may inquire or consider when hiring.  For example, the new San Francisco law bans inquiries about convictions that are more than seven (7) years old; the new Washington D.C. law prohibits questions about arrests and criminal accusations that are not pending or did not result in conviction; and New Jersey’s new law bars queries about expunged records.  Some of the new laws, such as those in San Francisco, Washington D.C., and Montgomery and Prince George’s Counties also imposed certain notice obligations on employers.

In addition to this state and local legislative activity, the U.S. Equal Employment Opportunity Commission (“EEOC”) continued to scrutinize employer background check procedures, though without much success.  In EEOC v. Kaplan Higher Education Corp., 748 F.3d 749 (6th Cir. 2014), the Sixth Circuit affirmed an award of summary judgment against the EEOC in its suit alleging that Kaplan’s use of credit checks disparately impacted African-American applicants in violation of Title VII of the Civil Rights Act of 1964.

Despite setbacks in litigation, the agency issued guidance on the use of background checks in hiring and personnel decisions. The brochure—Background Checks: What Employers Need to Know—advises employers on their existing legal obligations under federal nondiscrimination laws and the Fair Credit Reporting Act (“FCRA”) when obtaining, using, and disposing of background information.  The Federal Trade Commission also issued two brochures—Background Checks: What Job Applicants and Employees Should Know & Tips for Job Applicants and Employees—that walk applicants and employees through their rights under FCRA.

Though the primary focus on background checks this year concerned credit and criminal history, there were other noteworthy developments. The governors of California and New Jersey vetoed bills that would have greatly limited employers from considering an applicant’s unemployment status in hiring decisions.  And, Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee, and Wisconsin prohibited employers from requesting or requiring prospective and current employees to provide their passwords to their personal social media accounts.

If trends are any guide, we expect more developments in 2015.  Stay tuned.

ARTICLE BY

OF

EEOC & FTC Issue Joint Background Check Guidance

Jackson Lewis Logo

The U.S. Equal Employment Opportunity Commission (EEOC) and the Federal Trade Commission (FTC) issued joint informal guidance concerning the legal pitfalls employers may face when consulting background checks into a worker’s criminal record, financial history, medical history or use of social media.  The FTC enforces the Fair Credit Reporting Act, the law that protects the privacy and accuracy of the information in credit reports. The EEOC enforces laws against employment discrimination.

The two short guides, Background Checks: What Employers Need to Know andBackground Checks: What Job Applicants and Employees Should Know, explain the rights and responsibilities of both employers and employees.

The agency press releases state that the FTC and the EEOC want employers to know that they need written permission from job applicants before getting background reports about them from a company in the business of compiling background information. Employers also should know that it’s illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age (40 or older) when requesting or using background information for employment.

Additionally, the agencies want job applicants to know that it’s not illegal for potential employers to ask someone about their background as long as the employer does not unlawfully discriminate. Job applicants also should know that if they’ve been turned down for a job or denied a promotion based on information in a background report, they have a right to review the report for accuracy.

According to EEOC Legal Counsel Peggy Mastroianni, “The No. 1 goal here is to ensure that people on both sides of the desk understand their rights and responsibilities.”

Article by:

Jason C. Gavejian

Of:

Jackson Lewis P.C.

Beware of Online Applications and Background Check Authorizations

Posted in the National Law Review on December 15, 2011 an article by Luis E. AvilaNancy L. FarnamRichard D. FriesJeffrey T. Gray, Jr.Richard A. Hooker and David E. Khorey of Varnum LLP regarding class actions against employers’ conducting background checks:  

 

Varnum LLP

An increasing number of employers have been recipients of proposed class actions alleging that the way they conduct background checks on prospective employees violates the Fair Credit Reporting Act 15 U.S.C. §1681 (“FCRA”).

A recent example is a claim filed in Virginia, which focuses on the employer’s online job application. The process asks potential employees whether they are willing to allow the company to obtain a consumer report or criminal background check on them. Applicants must then click a button labeled either “Accept” or “Decline.” The claim alleges that for purposes of the FCRA, an electronic disclosure is not one made “in writing” and that an electronic signature (Accept/Decline) does not satisfy the requirements of the act.

As it relates to employers conducting background checks on prospective employees, the FCRA requires that a person may not procure a consumer report for employment purposes with respect to any consumer, unless (1) a clear and conspicuous disclosure has been made in writing to the applicant at any time before the report is procured, in a document that consists solely of the disclosure that a consumer report may be obtained for employment purposes; and (2) the consumer has authorized in writing the procurement of the report by that person.

Electronic disclosures of this sort have traditionally been viewed as falling under the Electronic Signatures in Global and National Commerce Act (“E-Sign”). However, this claim challenges this understanding of E-Sign by alleging that the law does not apply to job applicants, but instead only to consumers, which it defines as an individual who obtains products or services.

Under the FCRA, employers may be liable to each class member for up to $1,000.00 or actual damages, plus punitive damages and attorneys’ fees and costs. So far this year, two companies have agreed to multimillion-dollar settlements in similar cases.

We strongly recommend that employers review their online job application process to ensure that it does not run afoul of the FCRA and obtain competent labor counsel to address any concerns

© 2011 Varnum LLP