“Navigating the highway of employee privacy concerns”
InsideCounsel 10/23/14 By John L. Barlament
One of the hottest areas involving employee privacy law deals with social media. Recently employers have been asking for an employee's (or prospective employee's) user name and password to social media sites. Employers realize that these sites can provide a wealth of information about the employee or candidate. Often employers will label such a request as “optional,” but employees sometimes assert that they feel pressured to provide the information.
Employer access to such information is becoming increasingly difficult, primarily because of state law restrictions. In 2012 and 2013, 13 states passed legislation preventing employers and schools from requiring an employee or candidate to provide access to social media websites. This year, at least 28 other states considered or introduced such legislation.
These state laws typically prohibit an employer from requiring — or, often, from even requesting — an employee or an applicant to disclose any user name or password which would allow access to the person's personal online account; and penalizing an employee or applicant for failing to provide such information. However, the laws will allow an employer to monitor electronic data for legitimate employer purposes. For example, the laws sometimes codify an employer's right to monitor, review or access electronic data that travels through, or is stored on, a smart phone provided by the employer to the employee.
There have been fewer restrictions on employers from a federal law perspective. No federal law provides employees with a general right to privacy in this context. Attorneys frequently turn to other laws for relief. For example, a recent case claimed that a hospital manager's review of an employee's Facebook postings (which were critical of the hospital) violated the federal law known as the Electronic Communications Privacy Act (ECPA). The court ultimately rejected the argument.
The National Labor Relations Board also has issued guidance in this area. Recently the NLRB held that employees who posted complaints on Facebook were engaging in a protected activity under Section 7 of the National Labor Relations Act.
Benefit plan privacy concerns
Privacy issues are critical with respect to an employer's benefit plans. The main federal laws providing privacy protection in this area is the Health Insurance Portability and Accountability Act (HIPAA). New HIPAA regulations from 2013 can have a significant impact on employers and their health plans. Essentially, any "health plan" which is "self-funded" will have significant new responsibilities. Typical examples include a major medical plan, dental plan, vision plan, health flexible spending account (Health FSA), health reimbursement arrangement (HRA), employee assistance program (EAP), on-site medical clinics and wellness plans.
A "self-funded" health plan is one where the employer bears primary responsibility for the claims to be paid. A plan can be self-funded even if a "stop-loss" or "reinsurance" company will pay some of the claims. If an employer has only fully-insured health plans, the HIPAA compliance responsibility generally falls on the insurer, not the employer.
The new HIPAA regulations will require an employer to take several actions with respect to its self-funded health plans, including updating the written policies and procedures for those plans (or creating them, if they were not previously created); providing new rights to employees; and updating all of its business associate agreements.
In addition, employers should be concerned about the "HIPAA police" — the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). OCR is responsible for enforcing much of HIPAA. (Note that state attorney generals also can, and have, enforced HIPAA directly.)
In 2011 and 2012, OCR conducted a relatively-small "Phase 1" series of audits. It appears that few employers were targeted in this series of audits. Instead, entities with greater amounts of health information, such as hospitals and insurance companies, were primarily targeted.
Now OCR is beginning its "Phase 2" series of audits. A much-larger number of entities will be considered for an audit. Many expect some employer-provided health plans to be targeted. These audits are expected to focus on the HIPAA Security Rules, which are rather technical. They require that an employer implement, or at least consider implementing, various security procedures for any "protected health information" held by the employer's health plan. Usually an employer's human resources department would work with its information technology department to develop, implement and test these security procedures. Employers which have protected health information, but which have not recently updated their HIPAA security policies and procedures, should revisit these policies and procedures.
Wellness plan concerns
Many employers have implemented wellness plans. These plans encourage employees to maintain a healthy lifestyle. They often include a health risk assessment, with a blood draw and 40 to 60 questions about the employee's health status. The information will often be sensitive, providing information about an employee's cholesterol level, blood sugar levels and other significant health history.
Wellness plans raise significant privacy concerns. Employers typically represent to employees that all the information they provide through the health risk assessment and blood draw will be kept confidential. Most employers hire a third-party vendor to conduct the assessment and have the vendor sign a HIPAA-compliant "business associate agreement."
However, the typical terms of a business associate agreement require the vendor to return to the employer all the protected health information it maintains upon termination of the agreement (for example, if the employer selects a new vendor). This type of term may conflict with the representations made to the employees. Employers should examine their business associate agreements and verify whether they contain such a term. If they do, the employer should examine an alternative (e.g., having the business associate agreement provide for the information to go to the new wellness vendor, not the employer or its health plan).
Wellness plans also can be subject to a federal law known as the Genetic Information Nondiscrimination Act (GINA). GINA has significant privacy provisions. For example, GINA generally makes it difficult for an employer to collect information about an employee's genetic information or information about a family member's health history. In our experience, the former issue is rare — it is very unusual for an employer to collect and analyze genetic information about an employee. (As a side note, that was the primary reason behind GINA. An employer was allegedly gathering blood samples of employees, then analyzing the blood for genetic concerns of its employees.)
The gathering of family health history has been more common. Health risk assessment questions sometimes ask about family health history. Those questions generally should be eliminated. In addition, wellness plans often provide a financial incentive for spouses to also participate. The gathering of the spouse's health information could be viewed as gathering family health history in violation of GINA. Some 2012 guidance from the Equal Employment Opportunity Commission confirmed that this is still an "open issue" and one where employers should be cautious.
International privacy concerns
International privacy issues are likely the most difficult for a company with an international workforce. This is because many countries, especially European Union (EU) countries, take a fundamentally different approach to employee privacy. These countries tend to assume that employees have a right to privacy, even in the workforce. For example, the EU has a data privacy "Directive". This Directive applies to the "processing" of all "personal information."
These terms are broadly defined and apply to an employer's use of even basic employee information, such as an employee's contact details at work, terms of employment and payroll information. This can make it difficult for EU-based operations to share even basic compensation information with U.S.-based operations, which makes it challenging verify that an employer's compensation or bonus program is consistent across countries.
Some options are available for employers. For example, it is generally possible for the US-based operations to, in essence, agree to follow the more-stringent EU laws. Note, though, that the framework which allows such sharing is currently being reviewed by the EU, so future changes are possible.
The EU is not alone in having stringent employee privacy laws. Many other countries have similar rules. One of the most recent changes is in Russia. In apparent reaction to revelations about US spying, Russia recently passed a law which requires that Russian citizens' personal information be stored in databases in Russia. It remains to be seen how this law will be enforced against employers. However, like the EU Directive, it could make it more difficult for international employees' personal information to be shared with US-based operations.