A new post on Covington’s eHealth blog discusses HIPAA-related provisions in the Twenty-First Century Cures Act, signed by President Obama on December 13. These provisions direct HHS to consider HIPAA’s effects on mental health treatment and the availability of health data for research purposes. Read the full post here.

Recently, the HHS Office for Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule.

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri. The center was part of a larger health system, Concentra Health Services. In the HIPAA risk analyses it was required to conduct, Concentra had previously recognized that the lack of encryption on its devices posed a security risk. However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.” Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan. This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented in its own risk analysis but has not made reasonable efforts to correct.
Continue reading: Two HIPAA Settlements Follow Stolen Laptops

Employers occasionally find themselves in litigation with current or former employees.  Sometimes an employer-defendant will uncover communications between the plaintiff-employee and her personal attorney or spouse on an employer-owned email or computer system.

These communications might ordinarily be privileged, but inadvertent disclosure to a third party (in this case, the employer) could waive the privilege if the employee failed to take reasonable precautions to maintain confidentiality. Many employers maintain policies informing employees that communications on work systems are not private and may be monitored. Employers seeking to use otherwise-privileged communications in litigation have argued that any asserted employee privilege is misplaced or waived, because the employee had no reasonable expectation of privacy on company systems.

But courts have not always agreed. The existence of a computer use policy only begins the analysis. Employers might therefore seek a court’s permission before reviewing or using potentially privileged communications. The chances of a favorable ruling improve if some or all of the following occur:
Continue reading: How Email and Computer Use Policies Can Help (or Hurt) an Employer in Litigation

Many employers have been surprised by recent rulings that two common employment policies run afoul of the National Labor Relations Act (“NLRA”).  These rulings apply to policies covering all non-management employees, including employees who are not covered by a collective bargaining agreement.  Based on a legitimate interest in preserving proprietary business information, confidentiality, and privacy, many employers have adopted social media policies limiting what employees may post on Facebook or Twitter about their work, their employer, or their co-workers.  Based on privacy considerations, employer procedures for investigating sexual harassment and other complaints often place restrictions on what employees may reveal to their co-workers or others about the allegations.  According to recent decisions, however, both policies may violate Section 7 of the NLRA, which permits employees to engage in “concerted activity” for “mutual aid and protection.”
Continue reading: Social Media and Other Policies Struck Down By NLRB Even for Non-Union Employees

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance for employers on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47 percent of adults in the UK use personal smartphones, laptops or tablets for work purposes, but fewer than 30 percent are given guidance on secure use and on the risks relating to loss or theft. However, even when an employee uses a personal device, an employer may still be liable in the UK for the loss of data relating to individuals that the employer is required to protect.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD.   The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices.  The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD.  In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees. 
Continue reading: Safer “Bring Your Own Device” Policies: New Guidance from the UK Information Commissioner’s Office

The HIPAA / HITECH omnibus rule published in the Federal Register late last week includes a number of changes that will require action by employers, health plans, and business associates in the coming months.  The new requirements take effect on March 26, although group health plans and business associates have until September 23, 2013, to comply with most of the new requirements. 
Continue reading: New HIPAA / HITECH Rule Requires Health Plan Changes

In the coming year, we expect to see continued activity on the part of the agencies and Congress with respect to employee benefits and executive compensation.  The following is a preview of major guidance anticipated in 2013. 
Continue reading: 2013 Preview of Expected Developments in Employee Benefits and Executive Compensation

Many companies increasingly allow employees to access work networks on their personal mobile devices. Our colleagues at the InsidePrivacy blog recently described a case in which an employer was not entitled to access a former employee’s personal iPhone during discovery in an employment litigation — and what companies might do to avoid this situation. The