First Quarter 2011

In This Issue:


I. ONLINE AND CONSUMER PRIVACY

A. Washington State Publicity Law Doesn’t Extend to Celebrities Who Die Elsewhere
B. Court Finds That Illinois Constitution Guarantees a Right of Privacy
C. Google Analytics Held to Violate German Law

II. COMMUNICATIONS PRIVACY

A. FTC Pursues Text Message Spammers
B. Classmates.com Class Action Settlement Proposal Rejected

III. BEHAVIORAL TRACKING

A. FTC Reaches First Online Behavioral Advertising Settlement, Opt-Out to Last Five Years
B. Class Action Lawsuit Alleges Apps Secretly Sent Personal Information
C. European Union Adopts Resolution on Online Behavioral Advertising

IV. DATA BREACH AND DATA SECURITY

A. Firms Fined for Failure to Safeguard Customer Information
B. Illinois Company Pays Fine for Improper Data Disposal of Confidential Customer Information
C. Three Credit Report Resellers Settle With the FTC Over Data Breaches

V. WORKPLACE PRIVACY

A. NASA Background Checks Upheld By Supreme Court
B. Employee’s E-mails To Her Attorney on Company Computer Not Privileged
C. Employees Sue for Use of Their SSNs in IDs
D. Unsigned Update to Employee Handbook Found Unenforceable
E. Supreme Court Rules that Corporations Lack “Personal Privacy”

VI. FINANCIAL PRIVACY

A. Class Action Over Use of Credit Checks Filed By Rejected Applicants
B. CA Retailers Cannot Collect Zip Code During Credit Card Transaction
C. Federal Law Enacted re Post-Transaction, Data Pass and Negative Option Marketing

VII. HEALTHCARE PRIVACY

A. First Fines Levied for HIPAA Privacy Violation
B. OCR Settles Over Misuse of Patients’ Information
C. Policy Requiring Doctor’s Note Ok’d By Sixth Circuit

I. ONLINE AND CONSUMER PRIVACY

A. Washington State Publicity Law Doesn’t Extend to Celebrities Who Die Elsewhere

Because Jimi Hendrix died intestate in New York State, his rights of publicity died with him. According to a Washington state court, the Washington Personality Rights Act, which purports to create a national right of publicity, is unconstitutional. Most courts, when looking at rights of publicity, apply the law of the state in which the deceased person resided to determine whether the right exists and whether it descends. Judge Thomas Zilly wrote that Washington state’s attempt to create a nationwide standard disregarded the laws of other states, which may have explicitly ruled that such a right does not exist, and therefore was unconstitutional under the due process, full faith and credit, and commerce clauses. The case arose when Experience Hendrix LLC, a company which holds certain Hendrix copyrights and trademarks, filed a trademark suit seeking to enjoin the sale of posters and novelty items by HendrixLicensing.com Ltd. The lawsuit as filed did not include a claim under Washington’s right of publicity law, but the judge determined that the court should nonetheless rule on its constitutionality.

TIP: Because many states do recognize descendible rights of publicity, national advertisers must continue to be cognizant of those rights when developing advertising around deceased celebrities.

[Top]

B. Court Finds That Illinois Constitution Guarantees a Right of Privacy

In a recent decision, the Illinois court found that the Illinois Constitution guarantees a right of privacy. While the federal Constitution does not contain a privacy clause, the Illinois Constitution does. In the case, the court found the conditional privacy right extended to personal bank records where the state obtained them without a subpoena or the defendant’s permission.

TIP: Companies should keep in mind that many states have a constitutional right to privacy which can give plaintiffs a cause of action even in the absence of a specific law mandating how personal information should be treated.

[Top]

C. Google Analytics Held to Violate German Law

The German regional data protection authority recently issued a statement that the use of Google Analytics and similar products by companies to track consumer visitors to websites violated German privacy laws. The German Data Protection Act (“DPA”) requires that websites using analytics software must notify users that they are being monitored, and if the collected data is being transferred outside of Germany or the European Union, the company must get consumer consent for such a transfer. According to the German DPA, companies using Google Analytics failed to notify consumers of the use of analytics and failed to obtain consent prior to transferring the data to Google in the United States. Furthermore, the German DPA found that the data processor agreements between companies and Google did not meet the country’s statutory requirements in that the agreements failed to specify mechanisms necessary to effectively control how Google could process consumer personal data. The German authority did not pursue any enforcement actions or fines against Google as a result of its investigation.

TIP: Companies collecting data in foreign countries should keep in mind the (often more stringent) requirements of the local jurisdictions where they operate.

[Top]

II. COMMUNICATIONS PRIVACY

A. FTC Pursues Text Message Spammers

The FTC pursued its first text message spammer under both the FTC Act and the CAN-SPAM Act. The FTC complaint alleges that Phillip Flora sent text message spam purporting to offer loan modifications to U.S. consumers. According to the complaint, the consumers who received the text messages never agreed to be contacted by Flora, and many of those consumers have wireless plans that require them to pay a fixed fee for each text message received by their wireless handsets. Additionally, the complaint alleges that Flora collected the telephone numbers of those who responded to his unsolicited text messages, and sold the numbers to third parties as “debt settlement leads.” The FTC also alleged that Flora sent unsolicited commercial e-mail messages, which fail to include the ability for consumers to opt out from receiving future e-mails from Flora, and also fail to include a valid physical postal address of the sender.

TIP: This first action from the FTC demonstrates that the commission views texting as falling under its purview. Companies that send marketing text messages should take steps to ensure that they do so in compliance with applicable laws.

[Top]

B. Classmates.com Class Action Settlement Proposal Rejected

A federal court in Washington recently denied approval of a class action settlement for a case brought against Classmates.com alleging privacy violations. In April 2010, the court gave preliminary approval to a class settlement over the defendant’s marketing and electronic privacy practices. The litigation focused on Classmates’ targeting of unpaid users with e-mails encouraging them to upgrade to a paid membership. Classmates would suggest that one or more individuals of interest to a user had viewed that user’s online profile or signed their online “guestbook.” Only by upgrading to a paid membership could a user identify who had shown an interest in them. According to the plaintiffs, users are often disappointed to discover that, contrary to Classmates’ representations, no one of interest has shown an interest in them. Also at issue were allegations that Classmates embedded cookies in its e-mails that allowed users to bypass the secure login gateway to their accounts. If a user forwarded those e-mails to others, he or she would inadvertently give the e-mail recipients the same ability to bypass the gateway and thus gain access to the sender’s account. In an attempt to settle, the plaintiffs offered a $2 coupon to use for purchasing a Classmates membership, or to pay class members a $3 cash payment in lieu of the $2 coupon. The court rejected this offer of settlement, asserting that the coupon would go unused, that any injunctive relief would not stop any of Classmates’ practices that led to this action, and that most members of the class were not offered the $3 cash payment.

TIP: This case is a reminder that when engaging in e-mail marketing campaigns, companies should think beyond CAN-SPAM requirements. If messages include features that could put users at risk if the messages are forwarded, liability might arise under deceptive trade practices allegations.

[Top]

III. BEHAVIORAL TRACKING

A. FTC Reaches First Online Behavioral Advertising Settlement, Opt-Out to Last Five Years

The FTC announced yesterday that it has settled with Chitika, Inc., over the company’s online behavioral advertising techniques. Chitika serves as an intermediary between advertisers and third party companies on whose websites the advertisements appear. To place its clients’ advertisements, Chitika uses a relatively common online behavioral advertising practice of placing cookies on users’ computers and tracking the users’ behavior to serve targeted advertising. According to the complaint, from February 2008 to May 2010, the company told consumers that if they wanted to opt out of being tracked for the purposes described here, they needed only to select a button on the Chitika website that read “opt out.” Although the user would then see a message that read “you are opted out,” in fact – the FTC complaint alleged – the opt out only lasted for ten days, after which time new cookies were placed on users’ computers and the users were tracked again and again served with targeted ads. The FTC alleged that this practice was deceptive in violation of the FTC Act. In the settlement, Chitika agreed to delete all “identifiable user information” collected during the time that the opt-out did not function, and to provide consumers with an opt-out ability in each targeted ad that allows users to opt out for at least five years. Chitika has also agreed to notify consumers who previously tried to opt out that the opt-out was ineffective, and that they need to opt out again.

Of note, the settlement also included information about how to give notice of online behavioral advertising activities, both on the website and within a behaviorally served ad. In particular, Chitika agreed to put a statement on its home page that reads, “We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here.” When the user selects “here,” the user would be directed to an opt-out page where additional disclosures would be made. These additional disclosures include that by opting out, Chitika would not use that information to serve targeted ads, the status of the user’s opt-out (i.e., if the user is currently opted out or in), that opt out is specific to the user’s browser, and that the opt-out will need to be repeated if the user switches to another browser. In addition, Chitika agreed to place a link within any advertisement that reads, “Opt Out?” and that contains an interstitial (text that appears when a user’s cursor hovers over the link) that reads, “Opt out of Chitika’s targeted ads.” The “opt out?” link in the ad would take people to the mechanism described above.

TIP: This decision is the first from the FTC after its issuance of notice and choice principles for those who participate in online behavioral advertising. This decision underscores the FTC’s belief that lack of notice and consent in the OBA context is a deceptive practice. As such, if your company uses vendors to help serve targeted ads, or your website serves targeted ads, now is the time to make sure that you are taking the steps necessary to effectuate notice and choice, and to explore, if you have not done so already, the self-regulatory program offered through aboutads.info.

[Top]

B. Class Action Lawsuit Alleges Apps Secretly Sent Personal Information

A recently filed class action lawsuit alleges that Apple allowed downloaded applications to transmit individuals’ personal information without their consent. The plaintiffs base their arguments, in part, on the allegations that: (1) Apple claims to review each application before offering it to customers for downloads; (2) it offers “strong privacy protections” for customers; and (3) it has app privacy standards. The plaintiffs maintain that certain apps acquire the iPhone’s Unique Device Identifier, geographic location information, and various personally identifiable information and transmit that information to third-party advertising networks without user consent. In addition to Apple, the plaintiffs named a number of application developers as defendants and argue that the apps’ transmission of personal information constitutes a violation of the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, California’s Unfair Competition Law, and Unjust Enrichment.

TIP: This case is one in a series recently brought over companies’ tracking of consumers for advertising purposes. Companies should assess if they engage in tracking, and work with counsel to ensure suitable disclosures are being made. Use caution before making advertising claims regarding the strength of your privacy protections, as such claims often become fodder for class action plaintiffs’ attorneys.

[Top]

C. European Union Adopts Resolution on Online Behavioral Advertising

The European Union adopted a resolution calling for the regulation of online behavioral advertising techniques, especially highlighting the need for clear consumer notification and information to consumers next to advertisements served through online behavioral advertising. In particular, the resolution calls for the insertion of “the clearly readable words ‘behavioural advertisement’ into relevant advertisements, as well as a window containing a basic explanation” of the practice of OBA. The resolution also stated concern over the use of behavioral advertising practices such as use of consumer e-mail content, social network information, geolocation and retargeted advertising, which “constitute attacks on consumers’ privacy.” The resolution called for clear, accessible, and comprehensive information for consumers on how their data is collected, processed, and used and urged advertisers to develop a standard opt-in format for use of information. Furthermore, the resolution noted that personal data should be kept only with explicit consumer consent. The resolution also called for the Commission to prohibit systematic, indiscriminate text messaging advertising to consumers without prior consent and require opt-outs for consumers to allow control over receiving future advertising.

TIP: The European Union appears to be heading towards creating heavier regulations on online behavioral advertising, including notice and consent provisions. Advertisers who share information for OBA purposes and ad networks that serve advertisements using OBA information should be aware of potential notice and consent requirements if serving advertisements in the EU.

[Top]

IV. DATA BREACH AND DATA SECURITY

A. Firms Fined for Failure to Safeguard Customer Information

In February 2011, Lincoln Financial Securities Inc., and affiliate Lincoln Financial Advisors Corp., agreed to pay fines totaling $600,000 for failing to adequately protect confidential customer information. For extended periods of time, current and former employees of each firm were able to access customer accounts using shared login credentials from any Internet browser. The firms did not have policies or procedures for monitoring the distribution of the shared login credentials or for tracking when employees accessed the customer information. In addition, login credentials were not disabled when an employee left the firm. According to FINRA, “brokers who worked remotely were not required to install security application software on their own personal computers used to conduct the firms’ securities business.” The Securities and Exchange Commission and FINRA rules “require every broker-dealer to adopt written policies and procedures that address safeguards for the protection of customer records and information.” When assessing the sanctions, FINRA considered the firms’ efforts to contact customers whose information may have been exposed and to offer them free services.

TIP: Companies should ensure they have adequate security application software and should consider having procedures to monitor login credentials to protect confidential customer information.

[Top]

B. Illinois Company Pays Fine for Improper Data Disposal of Confidential Customer Information

The Illinois insurance regulatory agency brought an enforcement action against global insurance company MetLife, Inc., for failing to properly safeguard sensitive customer information. MetLife agreed to pay $75,000 stemming from a January 2010 incident where confidential paper documents containing customer financial information were discarded in a dumpster outside of a former MetLife facility. Information included Social Security numbers, account balances, and birthdates. As part of the consent decree, MetLife must notify customers whose personal data may have been exposed and offer them a free year of credit fraud protection services.

TIP: Companies that handle sensitive customer information should ensure they have adequate safeguards and procedures in place for disposing of such information.

[Top]

C. Three Credit Report Resellers Settle With the FTC Over Data Breaches

Three companies that engage in the business of reselling consumers’ credit reports recently agreed to settle charges brought by the FTC alleging that they did not take reasonable steps to protect consumers’ personal information, which failures allegedly resulted in computer hackers accessing the consumers’ personal data. The FTC’s complaints allege that the companies allowed third parties which lacked basic security measures (such as firewalls and antivirus software) to access the companies’ credit reports. The FTC further alleged that the third parties’ lack of such security measures helped hackers gain access to more than 1,800 credit reports. The FTC also alleged that the companies did not make reasonable efforts to protect against future breaches. The complaint alleged that the companies’ failure to adequately protect consumer information constituted a violation of the Fair Credit Reporting Act, the FTC Act, and the Gramm-Leach-Bliley Safeguards Rule. The consent order requires the companies to have comprehensive information security programs designed to protect consumers’ personal information, including information accessible to clients, to submit to audits every other year for 20 years, and to maintain procedures to limit the furnishing of credit reports to those with a permissible purpose.

TIP: Ensure that your data security measures account not only for the internal use and storage of consumer information, but also for the third parties who may be permitted access to your website, servers, or files. Take steps to check that third parties’ security measures won’t put your data at risk.

[Top]

V. WORKPLACE PRIVACY

A. NASA Background Checks Upheld By Supreme Court

In a recent decision, the United States Supreme Court upheld the National Aeronautics and Space Administration’s (“NASA”) policy of conducting background checks of both its own employees and civilian employees of its government contractors, including questions about the individuals’ use of illegal drugs. California Institute of Technology (“Cal Tech”) hired the plaintiffs in this action before the President ordered the adoption of uniform identification standards for both federal civil servants and contractor employees. After the new policy requiring background checks was enacted, Cal Tech, which operated NASA’s Jet Propulsion Laboratory (“JPL”) through a contract with NASA, required every employee at the JPL to complete the background check process. Cal Tech would deny employees who failed to complete the process access to the JPL and fire them. The plaintiffs claimed that the policy violated their constitutional right to informational privacy because the background check sought information about their use of illegal drugs and other personal information. In an opinion authored by Justice Alito, the U.S. Supreme Court assumed without deciding that the Constitution protects a privacy right against the disclosure of personal matters, but held that NASA’s policy did not violate such a right. The government’s interests as employer and proprietor of the JPL in managing its internal operations, combined with existing protections against disclosure of the information, satisfy any interests in avoiding the disclosure of private information. The Court noted that, as a practical matter, the government must have much more latitude in conducting background checks of employees than of citizens at large. Because the challenged portions of the background check forms were “reasonable, employment-related inquiries that further the government’s interests in managing its internal operations” and were also “subject to substantial protections against disclosure to the public,” the Court held that “the government’s inquiries do not violate a constitutional right to informational privacy.”

TIP: Employers, particularly those with government contracts, should consider what obligations they may have to conduct background checks on employees. Additionally, employers must implement proper procedures to protect information obtained through background checks.

[Top]

B. Employee’s E-mails To Her Attorney on Company Computer Not Privileged

In a recent case from the California Appellate Court, the court determined that an employee who sent e-mails to her attorney on a company-provided computer had waived any attorney-client privilege as to the e-mails. Plaintiff Gina Holmes filed a lawsuit against her former employer alleging sexual harassment, retaliation, wrongful termination in violation of public policy, violation of the right to privacy, and intentional infliction of emotional distress. The claims were largely based on her e-mails with her supervisor discussing her pregnancy that the supervisor later circulated to others within the company without her permission. The defendant moved for summary judgment, relying in part on certain e-mails Holmes sent to her attorney on the company’s computers. Holmes argued that the court should exclude the e-mails on the basis of the attorney-client privilege. On appeal, the appellate court focused on the company’s Internet and Intranet Usage policy that strictly prohibited the use of the computers for non-company business and reserved the company’s right to “inspect all files or messages [on the machines] at any time for any reason at its discretion.” As such, Holmes could have no reasonable expectation of privacy as to the e-mails. Considering the company’s policy, the Court held that “the e-mails sent via company computer . . . were akin to consulting her lawyer in the employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints . . . would be heard by” the employer.

TIP: Employers should carefully review electronic usage policies to ensure that they clearly state that employees do not have an expectation of privacy in their usage of employer equipment, including but not limited to personal e-mail sent or received on the employer’s computer system.

[Top]

C. Employees Sue for Use of Their SSNs in IDs

In February 2011, employees at a large amusement park filed a putative class action alleging that the company violated California state law by encoding employees’ Social Security numbers on the employees’ worker identification cards in such a way that the information could be read using a common barcode scanner. The lawsuit could involve as many as 20,000 workers. Plaintiffs claim that the practice puts employees’ personal information at risk as the information encoded on the cards can be easily accessed by using a barcode scanner, including those found on both the Apple iPhone and Android operating systems. The lawsuit also alleges that the employer negligently maintains the identification cards of former employees and that the cards could be found “stacked on managerial desks where they can be easily stolen or misappropriated.” Employees use the identification cards throughout the day, including to clock in and out of breaks, order food, and gain access to restricted areas. The basis of the lawsuit is California Civil Code Section 1798.85, a law that bars companies from printing an individual’s Social Security number on any card required for that individual to access products or services. According to a company spokesperson, the company is aware of the issue and is in the process of modifying the company’s computer systems to address it.

TIP: Employers should consider the security of employee information stored on employee badges or other locations, particularly to the extent that technological developments have made the information more vulnerable.

[Top]

D. Unsigned Update to Employee Handbook Found Unenforceable

Business Communications, Inc. (“BCI”) sued its former employee, Albert Banks, after the employee left BCI to work for a competitor, in part in an attempt to recover costs BCI incurred in training Banks. To support its claim, BCI relied on an updated version of its employee handbook that it had sent to its employees via e-mail, which included a space for the employee’s signature, the employee’s name, the date, and a witness signature. The handbook provided that in the event an employee terminates his or her employment, he or she would be responsible for reimbursing the company for all relocation, training, and/or certification expenses incurred within the previous twelve months. However, Banks never signed the employee handbook and argued that because the handbook was unsigned, there was no agreement between the parties. The Mississippi Court of Appeals agreed, finding that “we cannot conceive why the form in the handbook would require a signature if such was not expected and necessary to advise the employee of his/her obligation to the company” and that the execution of the handbook in the space provided would represent the “meeting of the minds” of the parties. The court suggested that had the e-mail containing the updated employee handbook not included an empty signature line, it might have been found enforceable, but given the blank signature line, the document was unenforceable.

TIP: If you include signature lines on documents sent to employees, ensure that the employees sign the documents. Without such a signature, the documents may be found to be unenforceable against those employees who did not sign the document.

[Top]

E. Supreme Court Rules that Corporations Lack “Personal Privacy”

On March 1, 2011, the U.S. Supreme Court overruled the Third Circuit Court of Appeals, holding unanimously that the Freedom of Information Act (“FOIA”) exemption 7(C), which protects against unwarranted invasion of “personal privacy,” does not extend to corporations. After the FCC’s Enforcement Bureau began an investigation into a large mobile carrier’s pricing practices, a trade association representing some of the carrier’s competitors submitted a FOIA request seeking all pleadings and correspondence in the Bureau’s file relating to the investigation. FOIA requires federal agencies to make records and documents publicly available upon request, subject to several statutory exemptions. One of the exemptions, exemption 7(C), covers law enforcement records, the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” The carrier opposed the FOIA request, arguing that disclosure of the information in the file would constitute an unwarranted invasion of personal privacy under the 7(C) exemption. The FCC disagreed, finding that exemption 7(C) applied to the individuals identified in the company’s submissions, but not to the corporation itself. The company sought review in the Third Circuit Court of Appeals, which held that the exemption did extend to the “personal privacy” of corporations, reasoning that “personal” is the adjective form of the term “person,” which Congress has defined to include corporations. On appeal, the U.S. Supreme Court reversed the Third Circuit Court of Appeals, holding that corporations do not have “personal privacy” for the purposes of exemption 7(C). The Court based its holding on the fact that while “person” may be a defined term in the statute, “personal” is not, and when a statute does not define a term the court gives the term its ordinary meaning. Accordingly, as the term “personal” ordinarily refers to individuals and often is used to mean precisely the opposite of business-related, the Court found that it was unlikely that “personal” in exemption 7(C) was intended to refer to corporations. The Court also cited an Attorney General memorandum that took the position that exemption 7(C) does not apply to corporations.

TIP: Although FOIA exemption 7(C) does not apply to corporations, corporations may rely on other exemptions to protect themselves from FOIA requests, such as exemption 4, which pertains to “trade secrets and commercial or financial information obtained from a person and privileged and confidential.”

[Top]

VI. FINANCIAL PRIVACY

A. Class Action Over Use of Credit Checks Filed By Rejected Applicants

The University of Miami revoked its job offer to Loudy Appolon, an African-American, after it received a negative (but mistaken) credit history report about her. In November 2010, Appolon filed a putative class action lawsuit against the University alleging disparate impact race discrimination. After the University revoked the offer, Appolon corrected the errors in the report and attempted to contact the University to notify it of the errors, but the University did not reinstate the job offer. Appolon’s putative class action lawsuit alleges that the University’s use of credit reports has a disparate impact on African-American and Latino applicants based on her belief that these groups were more likely to suffer economic hardships that adversely affect credit ratings. The lawsuit comes in the wake of the EEOC’s public meeting in October 2010 to discuss the use of credit checks by employers, as well as several recently enacted state laws addressing the same issue, and may be the first of several lawsuits challenging the practice.

TIP: Employers should consider their use of credit history reports and whether such reports are probative or necessary, especially as the EEOC’s focus on this area may lead to a wave of lawsuits challenging the practices.

[Top]

B. CA Retailers Cannot Collect Zip Code During Credit Card Transaction

The California Supreme Court recently ruled, in a long-awaited decision, that requesting and recording a cardholder’s zip code, without more, violates the Song-Beverly Credit Card Act. The Act prohibits retailers from collecting personally identifiable information during a credit card transaction. In the case, the court reasoned that a cardholder’s zip code constitutes personally identifiable information within the meaning of the statute. The defendant took the customer’s name and zip code, which it recorded, and performed reverse searches through various databases to fill out the rest of the information. It then used the customers’ full mailing addresses to market products and sold that information to other businesses.

TIP: California retailers should use caution if considering collecting personally identifiable information in a retail environment, in particular if the collection is from a shopper who is making a credit card purchase. This case underscores how broad the definition of personal information can be. You should review your current practices to make sure that they do not run afoul of the Song-Beverly Credit Card Act, or similar laws that exist in some other jurisdictions.

C. Federal Law Enacted re Post-Transaction, Data Pass and Negative Option Marketing

The recently enacted Restore Online Shoppers’ Confidence Act sets forth specific requirements for certain Internet-based sales, including post-transaction sales by third parties, data-pass procedures, and negative option marketing.  Under the Act, a post-transaction third-party seller is an entity that offers goods or services for sale to the consumer through an unaffiliated initial merchant with whom the consumer has initiated a transaction (a practice also known as “third party upselling”). A “negative option” feature is defined as an offer or agreement for the sale or provision of any goods or services where the consumer must take an affirmative action to reject the goods or services or to cancel the agreement.

Under the federal law, post-transaction third-party sellers are required to clearly and conspicuously disclose the following before charging a consumer for any good or service: (1) a description of the goods or services; (2) that the seller is not affiliated with the initial merchant, which may require disclosure of the seller’s name in a manner that clearly differentiates the seller from the initial merchant; and (3) the cost. A post-transaction third-party seller must also obtain the consumer’s express informed consent before charging the consumer, by requiring the consumer to perform an affirmative action, such as checking a consent box, and by collecting either the full account number that is to be charged or the consumer’s name and address. The new law also prohibits initial merchants from disclosing a consumer’s billing information to a post-transaction third-party seller for use in the seller’s sale of goods and services over the Internet to the consumer.

For entities offering plans with a negative option feature, such entities must: (1) clearly and conspicuously disclose all material terms of the transaction prior to obtaining the consumer’s billing information; (2) obtain the consumer’s express informed consent prior to charging the consumer for any goods or services; and (3) provide the consumer with a simple mechanism to stop recurring charges.

TIP:  Companies that engage in post-transaction sales through unaffiliated third-party merchants on the Internet should review their sales procedures to ensure that they are no longer engaging in data pass and are adequately securing consumer consent. Entities that use a negative option feature in their offers should review their procedures to ensure that they are adequately disclosing all material terms, obtaining the proper consent, and making a simple cancellation method available to consumers.

VII. HEALTHCARE PRIVACY

A. First Fines Levied for HIPAA Privacy Violation

In February 2011, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is charged with enforcement of the HIPAA privacy and security regulations, announced its first imposition of a civil monetary penalty against a covered entity for a violation of the HIPAA privacy regulations.  OCR found that Cignet Health of Mitchellville, Maryland, refused to provide 41 patients with copies of their medical records and, in addition, refused to cooperate with OCR’s efforts to investigate the complaints.  The patients individually filed complaints with OCR, which initiated investigations.  During the investigations, Cignet refused to provide records to OCR at its request and in response to a subpoena, and otherwise failed to cooperate with the investigation.  After OCR obtained a default judgment in federal court, Cignet produced the records but otherwise made no effort to resolve the complaints through the informal process.  The penalty for failure to produce the records to patients was $1.3 million and the penalty for failure to cooperate in the investigation was $3 million, for a total penalty of $4.3 million.

TIP:  OCR is serious about enforcing patients’ rights under HIPAA.  Unless a records request falls within a narrow group of exceptions, covered entities must provide individuals with access to their medical records.  If there is a valid dispute over a patient’s complaint, OCR makes efforts to resolve disputes by informal means.  A covered entity ignores the process at its peril.

B. OCR Settles Over Misuse of Patients’ Information

The Office for Civil Rights (“OCR”) announced in February 2011 a settlement with Massachusetts General Hospital and its physician practice organization, Massachusetts General Physicians Organization Inc. (collectively, “MGH”), to resolve potential violations of the HIPAA privacy regulations.  An MGH employee who worked in the Physicians Organization’s Infectious Disease practice took home documents that contained the name, date of birth, medical record number, health insurer and policy number, diagnosis and provider name for 66 patients, along with the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.  The documents included information about patients who had AIDS.  While commuting to work on the subway, the employee removed the documents, which were bound only by a rubber band and not in an envelope, from a bag and placed them on the seat next to her.  She left the documents behind when she exited the subway.  The documents were never recovered.  Collectively, the documents contained the protected health information (“PHI”) of 192 individuals.

Without admitting liability, MGH paid a $1 million fine and, in addition, was required to enter into a three-year corrective action plan (“CAP”), which includes requirements to upgrade MGH’s HIPAA policies and procedures and employee training, restrictions on taking PHI offsite, and appointment of a monitor to evaluate MGH’s compliance with its policies and procedures and the CAP.  MGH is required to make annual reports to the monitor, and the monitor is required to make semi-annual reports to HHS.

TIP:  This settlement points out the need for covered entities and business associates to evaluate their HIPAA policies and procedures, employee compliance, and training to be sure that PHI is safeguarded.

C. Policy Requiring Doctor’s Note Ok’d By Sixth Circuit

The Sixth Circuit concluded that the Columbus Police Department’s policy requiring that employees returning from sick leave, injury leave, or restricted duty disclose the nature of their illness did not violate the employees’ rights under the federal Rehabilitation Act or the United States Constitution.  Employees brought a class action suit based on the department’s policy that employees must, upon returning to work from sick leave, injury leave, or restricted duty, submit a doctor’s note to their immediate supervisor describing the “nature of the illness” and whether the employee is able to return to regular duty.  Plaintiffs argued that the department’s policy required employees to provide confidential medical information to their immediate supervisors, in violation of the legal requirement that supervisory personnel in the chain of command not be given unfettered access to such information.  The appellate court concluded that the statement regarding the nature of an employee’s illness is not an inquiry aimed at identifying a disability.  The Sixth Circuit noted that the Rehabilitation Act, unlike the Americans with Disabilities Act (“ADA”), requires a showing that the employer discriminated against the employee “solely on the basis of disability,” and that the focus of the case should be “whether a medical inquiry is intended to reveal or necessitates revealing a disability . . . [not] whether the inquiry may merely tend to reveal a disability.”  In any event, the appellate court found, the policy would be legal under the ADA as it is a workplace policy applicable to all employees, whether disabled or not.

TIP:  While this case confirms that an employer may, in certain situations, inquire as to an employee’s medical condition or illness, employers should carefully consider what information they seek from employees, how that information is collected, and who will be privy to the information, in order to avoid possible ADA or Rehabilitation Act issues.

If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO

Liisa M. Thomas (Advertising), (312) 558-8121
Julie Bauer (Litigation), (312) 558-5973
Monique Bhargava (Advertising), (312) 558-3732
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Michael Melbinger (Employee Benefits), (312) 558-7588
Robert H. Newman (Advertising), (312) 558-8125
Michael Philipp (Financial Services), (312) 558-5905
Tim Rivelli (Litigation), (312) 558-5817
Sara Skinner (Advertising), (312) 558-7406
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964
Amanda C. Wiley (Labor & Employment, Litigation), (312) 558-8795

LOS ANGELES

Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor & Employment), (213) 615-1711

NEW YORK

Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS

Sébastian Ducamp (Employment, Litigation), 33 0(1) 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 0(1) 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50
Gwendaline Sarrat (Intellectual Property), 33 (0) 1 53 64 82 47

SAN FRANCISCO

David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Andrew P. Bridges (Intellectual Property), (415) 591-1482
Kimberly E. Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401

LONDON

Zoë Ashcroft (Corporate, Financial), 44 (0)20 7105 0025

WASHINGTON, D.C.

Marion K. Goldberg (Health Care), (202) 282-5788
Anthony DiResta (Litigation), (202) 282-5782

Attorney Advertising Materials

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

Copyright © 2011. Winston & Strawn LLP.