Privacy in an Age of Online Record-Keeping

As more and more employers store and share employee information electronically,HR professionals face a major question: What is the company’s liability as faras privacy goes? If a service provider leaks your company’s confidential employeeinformation, who gets sued? If a hacker gains access to the data, is it the company’sfault? It’s a worrisome are — particularly when it comes to medical records.Kerry Kearney, partner and head of the privacy task force for Reed Smith in Pittsburgh,offers some guidelines.

What are the protocols for electronically sharing private employee information– like medical records — with service providers?

There’s no national requirement, no uniform standard in terms of how far theemployer has to go with protecting employee medical information. That goes forwhether the sharing is in-house, or whether the information is shared with serviceproviders. However, there is a growing body of case law and state statutes sayingthat you need to provide confidentiality for information that’s not of a publicnature. And I don’t know a single employer that does not feel an obligationto protect the privacy of employee information. But it’s not a right set instone. It’s a common-law right. People recognize that private information shouldstay private.

What should employers consider when sharing information with service providerselectronically?

One thing employers could do to protect themselves is to enter into contractsthat require the service providers to accord privacy and security to employeeinformation that is transferred.

If the information gets leaked or mishandled on the service provider’s end,is there liability for the employer?

Sure. If the employer failed to enter into a contract whereby the service providerundertook to provide confidentiality, then the common-law cause of action couldseek money damages from the employer for being cavalier about the way it handledconfidential employee information. So you need to protect yourself by contract,and make sure the entity with whom you enter into a business relationship isa viable company. Because if that company gets sued and is no longer around,they’ll look to you for money.

How should a company store medical information electronically?

Employers aren’t allowed to use medical information much. If an employee comesto you seeking an accommodation because he or she has a medical condition, thenyou have an affirmative obligation to do what you can to help. That requiresa record of their medical problem. But most employers very carefully segregateout any health information about employees from anything to do with personnel.So personnel records normally wouldn’t have medical information, unless theemployee is claiming entitlement under ADA or FMLA, for example. Then you’dhave the information, but you should be very careful not to disseminate it morewidely than is absolutely necessary.

There’s been a lot of buzz about HIPAA’s new medical privacy regulations– what do employers need to know?

The first thing they need to know is that they are not covered entities forpurposes of the new HIPAA medical privacy regulations unless they have a self-insuredERISA plan. So if they’re self-insured for purposes of ERISA for employee health,then that department is covered by HIPAA, the Health Insurance Portability andAccountability Act of 1996. They would need to comply with the HIPAA privacystandards. They’ll be effective on April 13, 2003. But it doesn’t normally applyto employers. The bottom line for most employers in regard to HIPAA is thatthey won’t be allowed to use employee claims information to buy insurance coverage.

Where does the liability lie if the company computer gets hacked and theemployee information is accessed?

There has been no litigation in which any company has been found responsiblefor not operating a secure site that results in hacking. Your company does havean obligation to maintain a certain standard of security. To the extent youdo not, and you harm somebody with whom you have an obligation, a relationship,that person could claim you had acted tortiously.

But there’s no history of such litigation as yet?

The only verdict I can think of that’s close is Doe v. Medlantic HealthcareGroup Inc. A District of Columbia superior court awarded a plaintiff patient$250,000 for a hospital’s lack of adequate security measures in protecting patientmedical information online. The patient was HIV-positive and his records wereaccessed by a part-time unauthorized employee and then disclosed to coworkers.The court cited lack of security, including the inability of software used bythe hospital to trace and identify who had accessed the records.

So what does happen if the violation is internal — if an employee accessesthe information?

Ideally you should have specific policies in place that address the sanctions,and procedures for enforcing compliance up to termination. In addition to that,if you want to avoid getting in trouble yourself, you have to be able to showyou had in place state-of-the-art procedures to avoid employee malfeasance.We talk about hackers, but the majority of computerized losses that companiessuffer are from employees rather than outsiders. There has historically beena recognition that you’re most vulnerable from those who really know you. Inthis case, that’s obviously your employees. They’re the ones who know whereyour vulnerabilities are.

What should a company do security-wise to avoid liability?

How you go about providing security is not set in stone anywhere, but you wantto be thinking about your physical safeguards. Do you have password-protectedcomputers? Do you regulate access to the data systems? Is there a person incharge of security? Are there firewalls in place? Do you have chain-of-trustagreements with anybody who exchanges data? Do you have internal audit procedures?Do you train employees so they know what their obligations are? Do you havetraining on security management? Are there discipline or termination proceduresfor employees who violate your security regulations? And of course, everybodyshould have an employee e-mail policy. And not just for employees dealing withsensitive information — every employee. It should emphasize that the employerowns the e-mails, and they will be monitored.

How much legal protection does all that provide?

If you are going to be sued by third parties who claim your procedures werelax, even if you don’t avoid liability, you’ll reduce the damages if you proveyou did everything you could. You had good procedures in place, and this particularperson was so determined, he or she had to go through several levels of securityto get this information and do the dirty deed.