Photocopiers – A Recurring Data Security Risk

DrinkerBiddle

In a case that illustrates the data privacy risks associated with modern copiers, the United States Department of Health and Human Services (HHS) has announced a $1,215,780 settlement with Affinity Health Plan, Inc. (Affinity), arising from an investigation of potential violations of the HIPAA Privacy and Security Rules.

This matter started when Affinity was advised by CBS Evening News that CBS had purchased a photocopier previously leased by Affinity.  CBS explained that the copier’s hard drive contained confidential medical information relating to Affinity patients.  As a result, on August 15, 2010, Affinity self-reported a breach with the HHS’ Office for Civil Rights (OCR).  Affinity estimated that the medical records of approximately 344,000 persons may have been affected by this breach.  Moreover, Affinity apparently had returned multiple photocopiers to office equipment vendors in the past without erasing the data contained upon the internal hard drives of those returned copiers.

After investigating this matter, OCR determined that Affinity had failed to incorporate photocopier hard drives into its definition of electronic protected health information (ePHI) in its risk assessments as required by the Security Rule.  Affinity also failed to implement appropriate policies and procedures to scrub internal hard drives when returning photocopiers to its office equipment vendors.  As a result, OCR determined that Affinity also violated the Privacy Rule.

In discussing this issue, Leon Rodriguez, Director of OCR, stated that, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it is recycled, thrown away or sent back to a leasing agent…HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

In addition to the agreed upon settlement payment of $1,215,780, the settlement also requires the implementation of a Corrective Action Plan (CAP).  The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and take protective measures to safeguard all ePHI going forward.

Points to Consider

Affinity’s case demonstrates the risks presented by the modern copier – they are specialized computers that will store data and retain it indefinitely.  Thus, they pose a security risk for any company that processes and/or possesses personally identifiable information or proprietary information, such as trade secrets, research and development records, marketing plans and financial information.  Clearly, this risk applies to businesses regardless of specific business sector.

Therefore, when acquiring a copier, consider all options available to protect the data processed on that machine, typically through encryption or overwriting.  Encryption will scramble the data that remains stored on the copier’s hard drive so that it cannot be read without the key.  Overwriting (or wiping) replaces the stored data with meaningless bytes and so makes reconstructing the data originally on the drive very difficult.

Finally, anticipate the copier’s return to the vendor or other disposition.  Make sure that arrangements are made prior to the copier’s departure to effect the hard drive’s removal and secure disposition so as to make any data on it unusable to third parties.  Often vendors will provide such a service as will IT consultants.

Note that protecting sensitive information is a company’s ongoing responsibility.  Make sure that copiers are considered as part of any comprehensive data security or privacy policy (as are PCs, laptops, smart phones, flash drives and other electronic devices) to avoid an avoidable, but costly and embarrassing, data breach.

For additional information from the FTC on safeguarding sensitive data stored on the hard drives of digital copiers, click here.


Family and Medical Leave Act (FMLA) Protected Leave Now Available To Same-Sex Spouses

DrinkerBiddle

United States Secretary of Labor, Thomas Perez, recently issued an internal memorandum to department staff outlining the Department of Labor’s plan to issue guidance documents which will, among other things, make protected leave available to same-sex couples under the Family and Medical Leave Act (“FMLA”).  This action comes as the Department prepares to implement the Supreme Court’s recent decision in U.S. v. Windsor, which struck down the provisions of the Defense of Marriage Act (“DOMA”) that denied federal benefits to legally married same-sex spouses.  Calling it a “historic step toward equality for all American families,” Secretary Perez noted that the Department of Labor will coordinate with other federal agencies to make these changes “as swiftly and smoothly as possible.”

Secretary Perez stated that guidance documents would be updated to remove references to DOMA and to “affirm the availability of spousal leave based on same-sex marriages under the FMLA.”  This change is of great consequence to same-sex spouses who previously were unable to access the job-protected leave provided under the FMLA.  Now, eligible same-sex spouses will be able to take FMLA leave for certain specified family and medical reasons, including caring for a spouse with a serious health condition, and generally will be returned to their original position or another position with equivalent pay, benefits and status.  The new interpretation reflected in the Department’s updated guidance documents will be effective immediately.

In the Department’s official blog, Modern Families and Worker Protections, Laura Fortman, the principal deputy administrator of the Wage and Hour Division, announced on August 13, 2013 that revisions had already been made to various FMLA guidance documents to reflect the changes necessitated by U.S. v. Windsor.  Fortman clarified that the “changes are not regulatory, and they do not fundamentally change the FMLA.”  They merely expand the universe of employees who are eligible for FMLA benefits by including legally married same-sex couples.  The updated documents can be viewed at these links:

Although Secretary Perez did not specifically address the question, the updated guidance documents indicate that the Department only intends to expand FMLA benefits to same-sex spouses in the 13 states and the District of Columbia that have recognized same-sex marriage.  As an example, Fact Sheet #28F, Qualifying Reasons for Leave Under the Family and Medical Leave Act, defines “spouse” for purposes of FMLA leave as “a husband or wife as defined or recognized under state law for purposes of marriage in the state where the employee resides, including ‘common law’ marriage and same-sex marriage.”  In contrast, the Office of Personnel Management announced on its website that benefits will be extended to Federal employees and annuitants who have “legally married a spouse of the same sex, regardless of the employee’s or annuitant’s state of residency.”

As initial steps to implementing these changes, employers should inform or train human resources personnel regarding the availability of FMLA leave to eligible employees under the specified definition of spouse; review internal procedures and leave documentation to ensure compliance, and finally, review employee handbooks and policies to include provisions for same-sex couples where appropriate.

New Rules on Use of Child Models in New York

Katten Muchin

Historically, the laws in New York State regulating the employment of child performers did not include child models. However, the New York State Senate and Assembly have recently voted to pass legislation to ensure that child models will now be afforded the same protections as “child actors, dancers and musicians” working in New York. Such legislation, once signed into law, is expected to have a significant impact on the fashion industry.

Specifically, the new legislation will provide that companies employing models under the age of 18 will be required to obtain certificates of eligibility, to provide chaperones and tutors and to limit their work hours. In addition, the new legislation sets forth several new protections for child models, including: (1) if the model is under the age of 16, a “responsible person” must be designated to monitor the activity and safety for each model at the work place; (2) an employer must provide a nurse with paediatric experience (only applicable to infants); (3) employers must provide teachers and a dedicated space for instruction (generally, provided that the employment takes place on a school day and the child performer is not otherwise receiving educational instruction due to his or her employment schedule); (4) employers must provide safety-based instruction and information to performers, parents/guardians and responsible person(s); and (5) a trust must be established by a child performer’s parent or guardian and an employer must transfer at least 15% of the child’s gross earnings into the trust.

Further, child models will now also need to obtain work permits which would require not only the written consent of a parent or guardian, but also evidence that the model is maintaining the standards of academic performance from their enrolled school. The new requirements will be in addition to work hour regulations for child performers (which differ based on age, whether school is in session, and whether the performance is live or recorded) and limitations on the times along with the total number of hours that a child model can work.

Additionally, the employer must provide for meal and certain rest periods. Although the legislation does not specifically mention “fit models”, the spirit of the legislation is to ensure that child models have the same protections as other child performers. Therefore, it would be prudent for fashion companies to treat fit models in the same manner as runway and print models.

Once implemented, these regulations will be overseen by the Department of Labor which possesses far greater resources to enforce regulations than the Department of Education (which was the agency previously overseeing the regulations pertaining to the employment and education of child models in New York). Accordingly, companies employing young fashion models should be aware of, and anticipate planning for, the implementation of new legislation in New York (and any similar legislation in the jurisdictions in which they are based).


Complying with the Affordable Care Act’s Exchange Notice Requirement

Mintz

The Patient Protection and Affordable Care Act (the “Act”) amends the Fair Labor Standards Act (“FLSA”) to require employers of all sizes to provide their employees a notice of the availability of coverage through public health insurance exchanges by March 1, 2013.[1] In January of this year, the U.S. Department of Labor, the agency charged with administering the FLSA, announced a delay in the effective date of the notice to the “late summer or fall of 2013.”[2] In Technical Release No. 2013-02 (entitled, “Guidance on the Notice to Employees of Coverage Options under Fair Labor Standards Act §18B and Updated Model Election Notice under the Consolidated Omnibus Budget Reconciliation Act of 1985”),[3] the Labor Department provided details about the FLSA exchange notice requirement. The effective date of the requirement is now October 1, 2013 for current employees or within 14 days of an employee’s start date for employees hired after that date.

Background

The FLSA exchange notice must include a description of the existence of, and services provided by, public exchanges. The Act further requires that the notice:

  • Explain how the employee may be eligible for a premium tax credit or a cost-sharing reduction if the employer’s plan does not meet certain requirements;
  • Inform employees that if they purchase a qualified health plan through the exchange, then they may lose any employer contribution toward the cost of employer-provided coverage, and that all or a portion of the employer contribution to employer-provided coverage may be excludable for federal income tax purposes;
  • Include contact information for customer service resources within the exchange, and an explanation of appeal rights;
  • Meet certain accessibility and readability requirements; and
  • Be in writing.

The Department has provided two model notices — one for employers who offer a health plan[4] to some or all employees and another for employers who do not.[5] The model notice for employers who offer a health plan includes two parts. Part A (entitled “General Information”) tracks the requirement of the statute. Part B (entitled, “Information About Health Coverage Offered by Your Employer”) solicits information about the employer’s group health plan coverage that is intended to assist employees who apply for subsidized coverage under a group health plan product offered through the exchange. Part B includes an optional section that asks the employer to disclose whether the health care coverage offered meets the minimum value standard and whether the cost of coverage is intended to be affordable. While not required, employers may decide to complete this part of the notice in order to avoid having to respond to inquiries from exchanges seeking to process an individual’s application.

The notice requirement applies to all employers who are subject to the FLSA. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies. The FLSA also specifically covers the following entities, regardless of dollar volume of business: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies. (For an explanation of the reach of the FLSA, please see http://www.dol.gov/compliance/guide/minwage.htm.)

Timing and Delivery of Notice

Under the heading “Timing and Delivery of Notice,” Technical Release No. 2013-02 provides as follows:

Employers are required to provide the notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee’s start date. With respect to employees who are current employees before October 1, 2013, employers are required to provide the notice not later than October 1, 2013. The notice is required to be provided automatically, free of charge.

The notice must be provided in writing in a manner calculated to be understood by the average employee. It may be provided by first-class mail. Alternatively, it may be provided electronically if the requirements of the Department of Labor’s electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met.

(Emphasis added).

The reference to “employees” means all employees, full-time and part-time, but there is no need to provide notices to dependents. Nor does the notice have to be provided to former employees or other individuals who are not employees but may be eligible for coverage (e.g., under COBRA).

The question of who, exactly, is an employee is an important one. The Act’s exchange notice requirement amends the FLSA. Thus, while the Internal Revenue Code and ERISA look to the “common law” standard, applicable court precedent interpreting the FLSA’s use of the term “employee” relies on the broader, “economic realities” test. Accordingly, an individual is an “employee” for FLSA purposes if he or she is economically dependent on the business for which he or she performs personal services. Thus, individuals properly classified as independent contractors for tax purposes may nevertheless be employees (to whom notice must be provided) for FLSA purposes.

Delivery can be in hand or by first class mail. Delivery may also be made electronically under the Department of Labor’s “electronic disclosure safe harbor at 29 CFR 2520.104b-1(c).” The regulations at 29 CFR 2520.104b-1 provide a safe harbor under which electronic delivery is permitted to employees who have the ability to effectively access documents furnished in electronic form at any location where the employee is reasonably expected to perform duties as an employee and with respect to whom access to the employer’s or plan sponsor’s electronic information system is an integral part of those duties. Under the safe harbor, other individuals may also opt into electronic delivery.

Enforcement

The Act does not appear to impose any separate penalty for ignoring the exchange notice requirement. The FLSA authorizes administrative actions, civil suits and criminal prosecutions for violations of pre-existing FLSA sections, but not, it seems, for this requirement. This does not mean, of course, that noncompliance is a good idea or even a viable option. The lack of penalties does not translate into a lack of consequences. Plan sponsors still have a fiduciary obligation to be forthcoming with plan participants and beneficiaries. (This situation is similar to the rules governing the distribution of summary plan descriptions — while not technically required, there are many good reasons to comply.)


U.S. Department of Labor (DOL) Clarifies Family and Medical Leave Act (FMLA) Leave Entitlement for Same-Sex Spouses

Morgan Lewis

In the wake of the Supreme Court’s Windsor decision, employers should review and, if necessary, revise their FMLA policies and procedures to ensure compliance.

The U.S. Department of Labor (DOL) recently clarified that same-sex spouses are now covered by the Family and Medical Leave Act (FMLA) to the extent that an employee’s marriage is recognized in the state in which the employee resides. This clarification, which follows the U.S. Supreme Court’s decision in United States v. Windsor,[1] is consistent with the existing FMLA regulatory language defining a “spouse” for purposes of FMLA coverage.

The DOL did not issue any new formal, stand-alone guidance but instead revised several existing FMLA guidance documents to remove references to the Defense of Marriage Act (DOMA). It also affirmatively stated in a newly released Field Operations Handbook section on the FMLA that “[s]pouse means a husband or wife as defined or recognized under state law for purposes of marriage in the State where the employee resides, including common law marriage and same sex marriage.”

Moving forward, FMLA spousal leave will only be available to employees who reside in a state that recognizes same-sex marriage, given that the existing FMLA regulatory language tied spousal coverage to the place of residence prior to the Windsor decision. However, the U.S. Office of Personnel Management (OPM), which has jurisdiction over FMLA rights for federal employees, recently issued post-Windsor guidance that extends FMLA leave rights to the spouses of federal employees without regard to states of residence.[2] OPM’s approach could eventually be followed by DOL for private sector employees and those employees otherwise covered by DOL rules but likely would require regulatory changes that would involve a notice and comment period.

It is worth noting that, while DOL’s clarification reflects a general increase in federal FMLA leave rights available to same-sex couples, in some circumstances, the availability of FMLA leave rights could mean a decrease in a given employee’s overall leave entitlement. For example, same-sex spouses residing in states recognizing same-sex marriage will now be subject to the FMLA’s restrictions on the combined amount of leave that spouses working for the same employer can use in certain circumstances. Similarly, an employee might have been entitled pre-Windsor to leave pursuant to state (but not federal) law to care for a same-sex spouse, which meant that the employee’s state and federal leave entitlements could not be exhausted concurrently.

Conclusion

In light of DOL’s updated guidance, employers should make sure that their FMLA policies allow spousal leave for employees in a same-sex marriage that is lawful in the state in which the employee resides. Employers, however, will need to think carefully about how they will administer such policies to avoid both employee relations issues and sexual orientation discrimination claims. For example, if an employer does not request documentation from an employee in an opposite-sex marriage as to whether the employee’s marriage is recognized in the state in which he or she resides, issues may arise if this information was requested of an employee in a same-sex marriage. While some employers may choose simply to grant FMLA leave to all employees regardless of domicile, employers need to be aware that such time may not be recognized as statutory FMLA leave. Employers should also pay close attention to future developments in this area as more states consider recognizing same-sex marriages.


[1] United States v. Windsor, 133 S. Ct. 2675 (2013).

[2] See U.S. Office of Personnel Admin., Benefits Administration Letter No. 13-203, Coverage of Same-Sex Spouses (July 17, 2013).


First Post-Supreme Court Defense of Marriage Act (DOMA) Case Rules in Favor of Same-Sex Spouse

Schiff Hardin

In one of the first post-Supreme Court DOMA cases, the Eastern District of Pennsylvania, applying Illinois state law, held that the surviving same-sex spouse of a deceased participant in an employer sponsored pension plan was entitled to the spousal death benefit offered under the plan. See Cozen O’Connor, P.C. v. Tobits, Civil Action No. 11-0045; 2013 WL 3878688 (E.D. Pa., July 29, 2013).

This case is significant because it is the first case after the Supreme Court’s June 26, 2013 decision in United States v. Windsor, 133 S. Ct. 2675 (2013) to grapple with choice of law in determining whether a marriage is valid for purposes of obtaining spousal benefits under an ERISA-covered plan. While Windsor held that Section 3 of DOMA, which defined marriage only as between persons of the opposite sex, was unconstitutional for purposes of applying federal law, it did not address or invalidate Section 2, which permits states to decline to recognize same-sex marriages performed in other states.

Case Background

In 2006, Sarah Farley and Jean Tobits were married in Canada. Shortly after they were married, Ms. Farley was diagnosed with cancer, and she died in 2010. At the time of her death, Ms. Farley was employed by the law firm of Cozen O’Connor and a participant in the firm’s profit sharing plan (the Plan). The Plan provided that a participant’s surviving spouse would receive a death benefit if the participant died before the participant’s retirement date. If the participant was not married or the participant’s spouse waived his or her right to the death benefit, the participant’s designated beneficiary would be entitled to the death benefits. The Plan defined “Spouse” as “the person to whom the Participant has been married throughout the one-year period ending on the earlier of (1) the Participant’s annuity starting date or (2) the date of the Participant’s death.”

Ms. Farley’s parents and Ms. Tobits both claimed a right to the Plan’s death benefits. Ms. Farley’s parents claimed that they had been designated as the beneficiaries, but it was undisputed that Ms. Tobits had not waived her rights to the death benefits. Cozen O’Connor filed an interpleader action in the Eastern District of Pennsylvania asking the court to determine who was entitled to the benefits. Therefore, the case focused on whether Ms. Tobits qualified as a “Spouse” under the Plan and thus was entitled to the death benefits.

The Court’s Ruling

The court noted that Windsor “makes clear that where a state has recognized a marriage as valid, the United States Constitution requires that the federal laws and regulations of this country acknowledge that marriage” irrespective of whether the marriage is between a same-sex couple or a heterosexual couple. With Windsor’s emphasis on states’ rights to define marriage, lower courts are left with the complicated task of deciding which state law applies when determining whether a same-sex spouse is entitled to benefits under federal law in those instances, as in Cozen, where multiple jurisdictions with different laws on same-sex marriage are implicated.

Apparently, because Cozen O’Connor is headquartered in Pennsylvania, the Plan is administered there, and the Plan’s choice of law provision references Pennsylvania law, the Farleys asked the court to apply Pennsylvania state law to determine the validity of the marriage. Pennsylvania’s mini-DOMA statute expressly defines marriage as between a man and a woman. The court concluded that ERISA preempted Pennsylvania law. It reasoned that if courts were required to look at the state in which the plans were drafted, plan administrators might be encouraged to forum shop for states with mini-DOMA laws to avoid paying benefits to same-sex couples. The court thought this kind of forum shopping would upset ERISA’s principle of maintaining national uniformity among benefit plans. Without further analysis, the court concluded Pennsylvania state law was not an option for determining Ms. Tobits’ status as a spouse within the meaning of the Plan.

Instead, the court applied Illinois law, the state where Ms. Farley and Ms. Tobits had jointly resided until Ms. Farley’s death. It was undisputed that Ms. Farley and Ms. Tobits had a valid Canadian marriage certificate. The court concluded that the marriage was valid in Illinois and that Ms. Tobits was Ms. Farley’s spouse within the Plan’s definition. Accordingly, the court held that Ms. Tobits was entitled to the Plan’s death benefit. Although not entirely clear, the court presumably came to this conclusion based on Illinois’ civil union statute (even though it was enacted after Ms. Farley’s death). The statute provides that (i) same-sex marriages and civil unions legally entered into in other jurisdictions will be recognized in Illinois as civil unions and (ii) persons entering into civil unions will be afforded the benefits recognized by Illinois law to spouses. See 750 Ill. Comp. Stat. Ann. 75/5 and 75/60 (West 2011).

Impact of Cozen on ERISA Benefit Plans

Cozen is the first ruling in the wake of Windsor to address which state law might apply when there are conflicting state laws as to whether a valid marriage is recognized for the purpose of being a “spouse,” and therefore whether the spouse is entitled to benefits under an ERISA-covered plan. In Cozen, Ms. Farley and Ms. Tobits were lawfully married in Canada, and the court ruled that Illinois’s civil union law recognizes lawful marriages performed in other jurisdictions. The court applied the law of the domicile state to support its holding that Ms. Tobits was a surviving spouse entitled to the Plan’s death benefit.

The Cozen decision may have little value outside of cases where a valid same-sex marriage is performed in one state (the “state of celebration”) and the state where the couple is domiciled recognizes same-sex marriages. In other situations, faced with a choice of law where the law of the state of domicile conflicts with the law of the state of celebration, the outcome could be different, because Section 2 of DOMA survives after the Windsor decision. Unless the federal government creates a uniform method of determining the choice of law question, ERISA cases raising benefit entitlement questions in the context of same-sex marriages are likely to continue to complicate plan administration, and ERISA’s goal of maintaining national uniformity in the administration of benefits will remain elusive.


Breach Notification Rules under Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule

DrinkerBiddle

This is the fourth in our series of bulletins on the Department of Health and Human Services’ (HHS) HIPAA Omnibus Final Rule. In our bulletins issued on February 28, 2013 and March 18, 2013, available here, we described the major provisions of this rule and explained how the provisions of the rule that strengthen the privacy and security of protected health information (PHI) impact employer sponsored group health plans, which are covered entities under the HIPAA privacy rules. In our bulletin issued on April 4, 2013, available here, we focused on changes that will need to be made to business associate agreements under the Omnibus Final Rule. In this bulletin, we discuss the modifications to the breach notification rules made by the Omnibus Final Rule and provide health plan sponsors with information regarding the actions they must take to meet their breach notification obligations in the event of a breach of unsecured PHI.

Key Considerations for Health Plan Sponsors

  • Health plan sponsors must be able to identify when a breach occurs and when breach notification is required.
  • Health plan sponsors should review their procedures for evaluating potential breaches and should revise those procedures to incorporate the new “risk assessment” required under the Omnibus Final Rule.
  • Health plan sponsors should review their procedures for notifying individuals, HHS, and the media (to the extent required) when a breach of unsecured PHI occurs.
  • Health plan sponsors should make training workforce members about the breach notification rules a priority. Workforce members should be prepared to respond to breaches and potential breaches of unsecured PHI. A breach is treated as discovered by the covered entity on the first day a breach is known, or, by exercising reasonable diligence would have been known, to the covered entity. This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, and even if the breach is not immediately reported to the privacy officer. Discovery of the breach starts the clock ticking on the notification obligation and deadlines, which are described below.
  • Health plan sponsors should review each existing business associate agreement to make sure that responsibility for breach notification is allocated between the business associate and the health plan in a manner that is appropriate based on the business associate’s role with respect to PHI and the plan sponsor’s preferences for communicating with employees.

Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:

Compliance Checklist

  • Business Associate Relationships and Agreements
  • Policies and Procedures
  • Security Assessment and Breach Notification Plan
  • Risk Analysis — Security
  • Plan Document and SPD
  • Notice of Privacy Practices
  • Individual Authorization for Use and Disclosure of PHI
  • Workforce Training

What is a Breach?

Background

In general terms, a breach is any improper use or disclosure of PHI. While HIPAA requires mitigation of any harmful effects resulting from an improper use or disclosure of PHI, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a notification requirement. HITECH requires covered entities to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI. HITECH defined “breach” as an acquisition, access, use, or disclosure of an individual’s PHI in violation of the HIPAA privacy rules, to the extent that the acquisition, access, use or disclosure compromised the security or privacy of the PHI. The HHS interim final regulations further specified that PHI was compromised if the improper use or disclosure posed a significant risk of financial, reputational, or other harm. The interim final regulations also contained four exceptions to the definition of breach, adding a regulatory exception to the three statutory exceptions.

General Definition of Breach under the Omnibus Final Rule

Under the Omnibus Final Rule, “breach” continues to be defined as an acquisition, access, use, or disclosure of PHI that both violates the HIPAA privacy rules and compromises the security or privacy of the PHI. However, the Omnibus Final Rule modifies the interim final regulations in two important ways:

  • The interim final regulatory exception for an unauthorized acquisition, access, use, or disclosure of PHI contained in a limited data set from which birth dates and zip codes have been removed is eliminated.
  • The risk of harm standard is eliminated and replaced with a presumption that any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules constitutes a breach. However, a covered entity (such as a health plan) can overcome this presumption if it concludes following a risk assessment that there was a low risk that PHI was compromised (see “Presumption that a Breach Occurred” below).

Statutory Exceptions to “Breach”

HITECH provided three statutory exceptions to the definition of breach that are also set forth in the Omnibus Final Rule. If an improper acquisition, access, use, or disclosure of PHI falls within one of the following three exceptions, there is no breach of PHI:

  • The acquisition, access, or use is unintentional and is made in good faith by a person acting under a covered entity’s (or business associate’s) authority, as long as the person was acting within the scope of his or her authority and the acquisition, access, or use does not result in a further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is inadvertent and is made by a person who is authorized to access PHI at a covered entity (or business associate), as long as the disclosure was made to another person within the same covered entity (or business associate) who is also authorized to access PHI, and there is no further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is to an unauthorized person, but the covered entity (or business associate) has a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

The interim final regulations added a fourth exception for impermissible uses or disclosures of PHI involving only PHI in a limited data set, which is PHI from which certain identifiers are removed, provided birth dates and zip codes are also removed. The Omnibus Final Rule eliminates this exception so an impermissible use or disclosure of PHI in a limited data set will be presumed to be a breach of PHI as described below.

Presumption that a Breach Occurred

Under the Omnibus Final Rule, a breach is presumed to have occurred any time there is an acquisition, access, use, or disclosure of PHI that violates the HIPAA privacy rules (subject to the statutory exceptions outlined above).

However, a covered entity may overcome this presumption by performing a risk assessment to demonstrate that there is a low probability that the PHI has been compromised. If the covered entity chooses to conduct a risk assessment, the assessment must take into account at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

The covered entity may consider additional factors as appropriate, depending on the facts and circumstances surrounding the improper use or disclosure. After performing its risk assessment, if the covered entity determines that there is a low probability that the PHI has been compromised, there is no breach and notice is not required. If the covered entity cannot reach this conclusion and if no statutory exception applies, then the covered entity must conclude that a breach has occurred.

The Omnibus Final Rule also makes clear that a covered entity may decide not to conduct a risk assessment and may instead treat every impermissible acquisition, access, use, or disclosure of PHI as a breach.

Drinker Biddle Note: Covered entities have the burden of proof to demonstrate either that an impermissible acquisition, access, use, or disclosure of PHI did not constitute a breach, or that all required notifications (as discussed below) were provided. Covered entities should review and update their internal HIPAA privacy and security policies to include procedures for performing risk assessments, as well as procedures for documenting all risk assessments and determinations regarding whether a breach has occurred and whether notification is required.

Providing Breach Notification

Covered entities are required to notify all affected individuals when a breach of unsecured PHI is discovered (unless an exception applies or it is demonstrated through a risk assessment that there is a low probability that the PHI has been or will be compromised). Notification to HHS is also required, but the time limits for providing this notification vary depending on the number of individuals affected by the breach. In addition, covered entities may be required to report the breach to local media outlets. The Omnibus Final Rule describes in detail the specific content that is required to be included in notifications to affected individuals, HHS, and the media.

Drinker Biddle Note: Although the Omnibus Final Rule defines when a “breach” has occurred, notification is required only when the breach involves unsecured PHI. PHI is considered “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS has issued extensive guidance on steps that can be taken to render PHI unusable, unreadable, and indecipherable.

Notification to Affected Individuals

Covered entities must notify affected individuals in writing without unreasonable delay, but in no event later than 60 calendar days after discovery of a breach of unsecured PHI. The notice may be sent by mail or email (if the affected individual has consented to receive notices electronically). The Omnibus Final Rule also provides additional delivery methods that apply when an affected individual is deceased, and when a covered entity does not have up-to-date contact information for an affected individual.

Drinker Biddle Note: Again, a breach is deemed discovered on the first day such breach is known or by exercising reasonable diligence would have been known by any person who is a workforce member or agent of a covered entity or business associate.

Drinker Biddle Note: Please note that 60 days is an outer limit for providing the notice and is not a safe harbor. The operative standard is that the notice must be provided without unreasonable delay. Thus, based on the circumstances, a notice may be unreasonably delayed even though provided within the 60-day period.

Notification to HHS

Covered entities must notify HHS of breaches of unsecured PHI by electronically submitting a breach report form through the HHS website. If a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time that notice is provided to the affected individuals. For breaches of unsecured PHI that affect fewer than 500 individuals, the covered entity may keep a log of all such breaches that occur in a given year and submit a breach report form through the HHS website on an annual basis, but not later than 60 days after the end of each calendar year.

Notification to the Media

When there is a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered.

State Law Requirements

Separate breach notification requirements may apply to a covered entity under state law. HIPAA’s breach notification laws preempt “contrary” state laws. “Contrary” in this context generally means that it is impossible to comply with both federal and state laws. As state breach notification laws are not typically contrary to the HIPAA breach notification rules, covered entities may have to comply with both laws.

Drinker Biddle Note: Covered entities should review applicable state breach notification laws and consider to what extent those laws should be incorporated into their HIPAA privacy policies and procedures.

Implications for Business Associate Agreements

If a covered entity’s business associate discovers that a breach of unsecured PHI has occurred, the Omnibus Final Rule requires the business associate to notify the covered entity without unreasonable delay, but in no event later than 60 days following the discovery of the breach. The notice must include, to the extent possible, the identification of each affected individual as well as any other information the covered entity is required to provide in its notice to individuals.

Although a covered entity is ultimately responsible for notifying affected individuals, HHS and the media (as applicable) when a breach of unsecured PHI occurs, the covered entity may want to delegate some or all of the notification responsibilities to its business associate. If a covered entity and its business associate agree that the business associate will be responsible for certain breach notification obligations, the scope of the arrangement should be clearly memorialized in the business associate agreement. In negotiating its business associate agreements, a covered entity should consider provisions such as:

  • Which party determines whether a breach occurred?
  • Who is responsible for sending required notices, and the related cost?
  • Indemnification in the event a business associate incorrectly determines that a breach did not occur, or a business associate otherwise fails to act appropriately.

Drinker Biddle Note: Covered entities that choose to delegate breach notification responsibilities to business associates should pay close attention to how such delegation provisions are drafted to minimize the possibility that the business associate will be considered an “agent” of the covered entity. Under the Omnibus Final Rule, when a business associate acts as an agent of the covered entity, the business associate’s discovery of a breach is imputed to the covered entity, and, therefore, a covered entity could be liable for civil monetary penalties related to the business associate’s act or omission. More information about issues related to drafting business associate agreements can be found in our bulletin issued on April 4, 2013, available here.

Compliance Deadline

Group health plans have until September 23, 2013 to comply with the new requirements of the Omnibus Final Rule. During the period before compliance is required, group health plans are still required to comply with the breach notification requirements of the HITECH Act and the interim final regulations.

Of course, the best course of action is to maintain adequate safeguards to prevent any breach. A recent settlement of HIPAA violations resulting in a $1.7 million payment to HHS is discussed in a separate publication, available here.

Picture This: The National Labor Relations Board’s Division of Advice Wants to Sue Employer for Issuing Social Media Policy with Photo/Video Ban

The National Labor Relations Board’s Division of Advice (the Division) recently recommended that the Board issue a complaint against Giant Foods for implementing its social media policy without first bargaining with two unions, and for maintaining a social media policy that included unlawful provisions. Although the Division analyzed several social media policy provisions, its criticism of two provisions in particular—a ban on using photo and video of company premises, and restrictions on employees’ use of company logos and trademarks—makes it very difficult for employers to protect their brands while at the same time complying with federal labor laws.

Giant Foods’ social media policy forbade employees from using company logos, trademarks, or graphics without prior approval from the company. The policy also prohibited employees from using photographs or video of the “Company’s premises, processes, operations, or products” without prior approval as well.

The Division concluded that these provisions were unlawful under the National Labor Relations Act (NLRA) and that the National Labor Relations Board (the Board) should issue a complaint against Giant Foods for implementing them. As employers are becoming keenly aware, the NLRA safeguards employees’ right to engage in protected concerted activity. Such activity includes group discussions and some comments by individual employees that relate to their wages, hours, and other terms and conditions of employment.

The Division concluded that banning employees from using company logos or trademarks was unlawful because: (1) employees should be allowed to use logos and trademarks in online communications, including electronic leaflets or pictures of picket signs with the employer’s logo; and (2) those labor-related interests did not raise the concerns that intellectual property laws were passed to protect, such as a business’ interest in guarding its trademarks from being used by competitors selling inferior products.

Additionally, the Division concluded that restricting employees from using photo and video of company premises unlawfully prevented them from sharing information about participation in protected concerted activities, such as snapping a picture of a picket line.

Unfortunately, the Board’s expansive view will likely hamper companies’ ability to prevent damage to their brand and reputation.  Not allowing employers to ban the taking of videos and photos on their premises, or restricting the use of company logos/trademarks could lead to public relations nightmares such as the one Subway Foods recently endured after it was revealed that an employee posted a graphic picture on Instagram of his genitalia on a sub, with the tag line “I will be your sandwich artist today.”

Given the prevalence of cell phones with photo and video capabilities, and the ease of uploading photos and videos to the internet, a company that cannot control its employees’ use of those devices on their premises will be one bad employee decision away from public embarrassment.

What else can be gleaned from the Giant Foods Advice Memorandum? That the Board’s General Counsel will continue to prod employers to eliminate blanket bans on certain kinds of employee conduct from their social media policies and replace those bans with provisions that include specific examples of what employee conduct the policy prohibits. The Board and its General Counsel have previously found social media policies that restricted employee use of confidential information and complaints about an employer’s labor practices to be unlawful; Giant Foods makes clear that the agency is also scrutinizing other kinds of policy provisions that potentially could infringe on an employee’s right to engage in protected concerted activities.

Accordingly, employers should review their policies with counsel so that they can tailor them to restrict employee conduct that will damage the company and its brand, but not be “reasonably” read to restrict employees’ rights to engage in protected concerted activities.

Continuing the Conversation Around Working Women

Anne-Marie Slaughter’s July 2012 Atlantic article, “Why Women Still Can’t Have It All,” stirred up the coals in the ever-simmering firestorm regarding working women. Further fueled by the March 2013 publication of Sheryl Sandberg’s book Lean In: Women, Work, and the Will to Lead, it seemed everyone had a word of criticism to offer.

The abundant criticism often missed the larger point – the conversation is important, and these two women should be applauded for spurring it.

Lean In contains illustrative stories about what holds women back in career and life, and offers encouragement for overcoming those obstacles. Sandberg, a Harvard graduate, mom of two, and wife to David Goldberg, CEO of SurveyMonkey, has had a storied career. The current COO of Facebook, she began her career as a research assistant to Lawrence Summers at the World Bank and later served as a management consultant at McKinsey. She then became chief of staff to Summers at the Treasury Department and spent six and a half years at Google, where she rose to the post of vice president of global online sales and operations. She also made it to the top of the notoriously male-dominated world of Silicon Valley, where the paucity of women among engineers, inventors and computer scientists is still clearly visible.

There is no doubt that Lean In offers a glimpse into the life of the rich and famous that Sandberg enjoys (after all, Forbes lists her as the sixth most powerful woman). But, net worth and fame notwithstanding, there is valuable insight for women in the legal industry, where men still dominate at management and executive levels.

Take a chance

When Sandberg first received a job offer at Google in 2001, she questioned the title: Business Unit General Manager. There were no business units to manage and the company had fewer than 1,000 employees at the time. Google CEO Eric Schmidt said, “If you’re offered a seat on a rocket ship, you don’t ask what seat. You just get on.” Sandberg went on to become Google’s vice president of Global Online Sales and Operations. Today, Google has over 30,000 employees.

Similarly, lawyers, and non-lawyer professionals in the industry, are often advised to decline a job opportunity if it means a step-down in title. These people may miss an opportunity to catapult their career by joining a growth organization simply because of a few words on a business card.

Don’t be afraid to negotiate

In 1970, American women made 59 cents for every dollar men earned. In 2010, women earned just 77 cents for every dollar men made. Sandberg’s solution: negotiate like a man. When she was talking to Mark Zuckerberg about joining Facebook, Sandberg says she was inclined to accept the first offer he made because she really wanted to work for Facebook. Both her husband and brother-in-law encouraged her to make a counter-offer, saying, “Damn it, Sheryl! Why are you going to make less than any man would make to do the same job?” Sandberg counter-offered.

She told Zuckerberg that he was hiring her to run his deal teams and this would be the only time they would ever be on opposite sides of the table. She laid out what she wanted, and got a more lucrative offer the next day.

Stop trying to please everyone

Herein lies an important female personality issue in the workplace. Most of us place significant value on being liked. During her first performance review, Sandberg notes Zuckerberg told her, “Your biggest problem is you worry way too much about everyone liking you all the time.” He said she would never make an impact unless she said something that at least one person disagreed with. “It’s going to hold you back,” he warned her.

Employees who concentrate on results and impact are more valuable than those who focus on fitting in and pleasing everyone.

View child care costs as an investment

Sandberg notes that over the past decade, child care costs have risen twice as fast as the median income of families with children. The cost for two children (an infant and a four-year-old) to go to a day care center is greater than the annual median rent payment in every state in the country. Rigid work schedules, lack of paid family leave, and expensive or undependable child care derail women’s best work efforts. Sandberg encourages women to compare child care costs to their future salary instead of their current one. Initial child care costs are an investment in a working mother’s career.

Include men in the conversation

Sandberg believes that the single most important career decision a woman makes is whether she will have a life partner and who that partner will be. A partner’s lack of participation in child care and domestic tasks is a significant factor in some women’s decisions to leave the workforce or reduce their hours.

Because there are still significantly more men at the top of every industry, the proverbial good-old-boy network continues to flourish. And because there are already fewer women in leadership roles, it is not possible for junior women to get enough support unless senior men mentor them.

The simple conclusion Sandberg strove for, clearly communicated and ultimately obtained, is that by turning the focus of the feminist movement toward personal choices, society has failed to encourage women to aspire to leadership. Thus the conversation needs to continue.

Kathryn Whitaker is Business Development Specialist at K&L Gates in Charleston, SC.

Ioana Good manages communications at Lowndes, Drosdick, Doster, Kantor & Reed, P.A. in Orlando, FL.

Complete Your Non-Compete Agreement: Helpful Drafting Tips

Perhaps you consider your non-compete agreement just one form in a stack of many? When it is time to use it there is not much to the process: you retrieve it from the HR office, briefly discuss it with the employee, and he willingly signs it. But such a practice is a perilous one because non-compete agreements are not meant to be “one-size-fits-all.” Rather, they should be thoughtfully tweaked to each specific employee and situation. By relying on boilerplate language and fill-in-the-blank forms, you are risking the chance that a court will find your agreement unenforceable.

Unfortunately, there are no bright-line rules that employers can follow to ensure the legality of these agreements. There are, however, some factors you should consider when drafting them that should help you enforce the agreement when the time comes, including:

1) The nature of the industry

The higher the competition in the industry, the more likely a non-compete will be upheld. If the industry is one in which an individual may gain sensitive or secret data, strategies, or business models, then a strict non-compete makes much more sense. On the other hand, if success in the industry results primarily from people relying on their own strengths (good service, knowledge, etc.), then there is less reason to restrict them from competing against their former employer, because they will not be relying on what was gained at their previous employment. Compare the industry of a Silicon Valley technology start-up with that of a general family physician; a non-compete agreement makes much more sense in the former than in the latter. Lesson – explain clearly the reason why the agreement is necessary.

2) The relevant characteristics of the employer

Is the business local or global? Are there a handful of employees or thousands? Does the employer dominate the industry or is competition fierce? As a general rule, the larger the employer’s geographical reach, the larger the geographical restriction can be. Yet the geographic reach of the employer is just one of many considerations and must be viewed in light of the entire non-compete. For example, a court may uphold a one-year restriction on competing nationally if the business is global. On the other hand, if the business is unique to one state (say, breeding racing thoroughbreds), then a five-year, state-wide restriction could be held unenforceable. Take time to understand your business and catalogue its characteristics. Lesson – limit the geographic and durational scope of the restriction as much as is reasonable, and explain the reasons for each.

There are some additional tips worth sharing; check back on Wednesday and I’ll discuss what else you can do to improve your non-compete agreements.