Employee Privacy

Jennifer A. Powell, Attorney
Eichelbaum Wardell Hansen Powell & Mehl, P.C.


MEDICAL PRIVACY

School districts seek and obtain medical information about their employees for various reasons. Several statutes impose duties on school districts, as employers, to maintain the confidentiality of medical information. This paper provides an overview of the reasons for obtaining such information and of the related statutes and corresponding duties.

I. Sources of Medical Information in School Districts

A. Official requests for leave of absence

1. Leave under the Family Medical Leave Act (“FMLA”)

a. If leave is requested for the employee’s own serious health condition, the request should be supported by a medical certification. See 29 C.F.R. § 825.305.

b. The Department of Labor prototype is WH-380-E.

2. Temporary Disability Leave (“TDL”)

a. Requests for TDL should be supported by a note from a physician establishing the inability to work, the date leave is to begin, and the anticipated date of return to work. Tex. Educ. Code Ann. § 21.409 (West).

Practice Pointer: Deny TDL if the return to work is open-ended.

b. Oftentimes the note will contain more details about the condition, including diagnoses and limitations.

3. Leave pool/bank requests

District policy should require proof of catastrophic illness or injury.

4. Requests for extended periods of state or local leave requiring medical documentation per policy.

Practice Pointer: You should consider having your policy require medical documentation after three days, to get closer to tracking the FMLA, but note that a request for leave could trigger rights under the FMLA even for shorter periods. In other words, serious health conditions can exist in other circumstances. E.g., any in-patient hospital stay is a trigger regardless of the number of days of incapacity or days of work missed. 29 C.F.R. § 825.114. Therefore, HR employees need to be trained to recognize leave requests that fall within these parameters and to actually kick the absences into FMLA leave, not just state or local leave.


B. “Calling in sick” or “calling out” to a supervisor even without an official request for a “leave of absence.” Oftentimes, employees will call their supervisors sporadically to report that they will be out sick for a day here and there. The employee may share basic information, like “I’m sick,” or they may be more specific, e.g., “I have another migraine,” or “I am having a fibromyalgia flareup.”

Practice Pointer: If the employee tries to provide actual medical information to the campus or department-level supervisor, train the supervisor to punt that immediately to whomever serves the Personnel/Human Resources function for the district. This is helpful for a couple of reasons. First, it is possible that the absences may qualify for FMLA protection as intermittent leave, which HR should be trained to spot. Second, those HR employees should also be trained in handling any medical information that is received.

C. Disability-related inquiries and medical examinations under the Americans with Disabilities Act, as amended (“ADA”)

https://www.eeoc.gov/policy/docs/guidance-inquiries.html

1. Pre-offer - The ADA prohibits all pre-offer disability-related inquiries and medical examinations, even if they are related to the job.

2. Post-offer - An employer may make disability-related inquiries and conduct medical examinations, regardless of whether they are related to the job, as long as it does so for all entering employees in the same job category.

3. During employment - An employer may make disability-related inquiries and conduct medical examinations under the following circumstances:

a. In response to requests for accommodation;

b. When job-related and consistent with business necessity.

Practice Pointer: Do not require employees to complete “Health Forms” like the one attached as Attachment A, asking them to identify health conditions and/or medications being taken. Train those who are accessing the information about confidentiality/need to know.

D. Drug testing

1. Keep in mind that there are 14th Amendment considerations once employed, which are beyond the scope of this paper.

2. The ADA itself states that “a test to determine the illegal use of drugs shall not be considered a medical examination” and that it should not “be construed to encourage, prohibit, or authorize the conducting of drug testing for the illegal use of drugs by job applicants or employees or making employment decisions based on such test results.” 42 U.S.C.A. § 12114 (West).

3. However, in the course of obtaining drug test results, district officials may come to possess information about medical conditions that certain drugs are used to treat.

E. Workers’ compensation claims

1. DWC-001 – First Report of Injury or Illness

2. DWC-73 – Work Status Report completed by healthcare provider

F. Superintendent contract

As recently as February 2017, we got a request from a superintendent to include the following language in his contract:

The Superintendent shall undergo an annual physical examination performed by a licensed physician of the Superintendent’s choice. Upon the Board’s request, the physician shall submit a confidential statement to the Board, certifying the Superintendent’s fitness to perform the Superintendent’s duties and copies of all such statements shall be contained in the Superintendent’s personnel file. The District shall pay all costs of the annual physical examination.

Practice Pointer: DO NOT DO THIS. Under the ADA, remember examinations must be job-related and consistent with business necessity. With respect to publicly held corporations, some have made the case that, because the CEO’s health affects the company’s value, such exams are job related and consistent with business necessity, but even that is uncertain. The referenced article about the CSX Corporation’s new policy of requiring CEO physicals makes the point: https://www.wsj.com/articles/csx-board-to-require-ceos-to-get-annual-physical-exam-1516724880. At any rate, it is not at all clear that school districts have the same arguments related to a superintendent. The better practice is to require an exam only if some concerns arise, following the ADA guidance.

G. Informal chatter/casual conversations

Practice Pointer: Train supervisors to not become overly familiar with employees such that it will lead to knowledge of medical information.

H. As a self-funded healthcare plan the district may have all manner of personal health information – discussed in more detail in the section on HIPAA, below.

II. Statutes or Other Sources of Confidentiality Requirements

A. Educator Code of Ethics

(2) Ethical Conduct Toward Professional Colleagues
(A) Standard 2.1. The educator shall not reveal confidential health or personnel information concerning colleagues unless disclosure serves lawful professional purposes or is required by law.

1. This is an oft-forgotten source of a duty of confidentiality, which reaches even informal chatter.

2. Because most districts’ DH (LOCAL) policies apply the Code to all district employees, you can and should hold accountable any employee at any level who breaches this duty. Your usual good documentation practices should control.

B. ADA

The confidentiality concerns under the ADA are multi-faceted.

1. Specific confidentiality requirements

a. The ADA has specific requirements related to obtaining and holding medical information obtained during employer-mandated examinations, which are set forth in 42 U.S.C.A. § 12112 (West) and further described in the regulations:

(1) Information obtained under paragraph[s] (b) [and c] of this section regarding the medical condition or history of the applicant [or employee] shall be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record, except that:
(i) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
(ii) First aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; and
(iii) Government officials investigating compliance with this part shall be provided relevant information on request.

29 C.F.R. § 1630.14(b) and (c) (emphasis added).

The regulations also provide that the information obtained under paragraphs (b) and (c) shall not be used for any purpose inconsistent with this part. Id.

b. Practice Pointer: Note that the regulations do not provide for sharing information about the actual medical condition with supervisors. The sharing is limited to necessary restrictions and accommodations, so HR must be trained to not provide that information, and supervisors must be trained to not pry for it.

2. Examples of cases interpreting the confidentiality requirements under the ADA.

a. E.E.O.C. v. C.R. England, Inc., 644 F.3d 1028 (10th Cir. 2011). Because the plaintiff voluntarily disclosed to his employer that he was HIV-positive, and the disclosure was not the result of any sort of examination or inquiry, the information was not protected by [42 U.S.C. § 12112(d)], and the company's disclosure of this information did not violate that provision. Id. at 1048.

b. Blanco v. Bath Iron Works Corp., 802 F. Supp. 2d 215 (D. Me. 2011). An employee did not list his ADHD on his pre-employment screening test. At some point in his employment, he was transferred to a position that required a lot of multitasking. He asked for accommodation from his supervisor. He went to see the company’s physician to discuss accommodation. The doctor, having conducted his pre-employment screening and having access to the pre-employment history questionnaire, knew that the employee had left off ADHD. The doctor informed the employee that he would not get accommodation because the employee had not disclosed the condition on his medical history. The doctor then informed management, and management fired the employee for lying on the questionnaire. The employee sued for breach of confidentiality, and the court found as follows:

There is nothing in the Amended Complaint that would allow the Court to conclude that [the doctor] disclosed the contents of the medical questionnaire to the Defendants' management personnel in order to advise them of “necessary restrictions on the work or duties” for [the employee] or for “necessary accommodations.” To the contrary, she disclosed the information to management because in her view he had lied on the questionnaire, not to advise them of necessary restrictions or accommodations. The Court cannot squeeze these facts into § 12112(d)(3)(B)(i). As none of the exceptions applies and as a matter of direct statutory interpretation, the Court concludes that the Plaintiff has alleged sufficient facts to avoid dismissal as to whether Dr. Mazorra's disclosure violated the confidentiality provision of the ADA.

Id. at 222.

c. E.E.O.C. v. Ford Motor Credit Co., 531 F. Supp. 2d 930 (M.D. Tenn. 2008). The court found that, for the plaintiff to prevail in litigation, the plaintiff must show a tangible injury. Id. at 943. The court further found that the cognizable injury may include shame, embarrassment and depression. Id. Moreover, the court ruled that compensatory damages were available to the plaintiff, who had suffered humiliation when his HIV+ status was disclosed to coworkers. Id. And recently, one court found that an adverse employment action, in that case a termination, could be the tangible injury relied upon for the purposes of an improper disclosure claim. McCarthy v. Brennan, 230 F. Supp. 3d 1049, 1067 (N.D. Cal. 2017).

d. E.E.O.C. v. Convergys Customer Mgmt. Grp., Inc., 491 F.3d 790 (8th Cir. 2007). The court stated: “A plaintiff may seek compensatory damages under the ADA for emotional distress.” Id. at 797.

e. Several courts have held that persons need not be disabled to state a claim for the unauthorized gathering or disclosure of confidential medical information under the ADA. See In re Nat'l Hockey League Players' Concussion Injury Litig., 120 F. Supp. 3d 942, 950 (D. Minn. 2015) (citing Cossette v. Minn. Power & Light, 188 F.3d 964, 970 (8th Cir. 1999) (citing Fredenburg v. Contra Costa Cnty. Dep't of Health Servs., 172 F.3d 1176, 1181–82 (9th Cir. 1999), Griffin v. Steeltek, Inc., 160 F.3d 591, 593–94 (10th Cir. 1998)).

f. Practice Pointer: Train administrators not to seek medical or health information while managing employees. Also, if you employ non-nurses to be on your campuses, make sure they know about the confidentiality provisions and that they should not be making such inquiries either; they likely have not been otherwise trained in that regard. This should help avoid an ADA lawsuit like the one that arose from the email attached as Attachment B.

3. Risk prevention under other aspects of the ADA

a. It is in a district’s best interest for its employees not to be aware of other employees’ medical conditions because an employer who lacks actual knowledge of an employee's disability cannot fire the employee “because of” that disability. Cordoba v. Dillard's, Inc., 419 F.3d 1169, 1185 (11th Cir. 2005).

b. Courts have typically required that the decision maker regarding the adverse action had to have knowledge of the disability before imposing liability; however, a recent Texas Supreme Court case has complicated matters:

In any event, the trial court's charge instructed the jury that, for purposes of establishing that DCS “knew of his disability,” DCS could act “through its officers and employees,” not just through its “decisionmakers.” DCS did not object to this instruction, so we must measure the sufficiency of the evidence in light of the jury instruction. Romero v. KPH Consol., Inc., 166 S.W.3d 212, 221 (Tex. 2005) (“The sufficiency of the evidence must be measured by the jury charge when, as here, there has been no objection to it.”). Consistent with the jury charge, the record contains legally sufficient evidence that the bus drivers, who were DCS employees—and thus DCS itself—knew of Green's urinary incontinence.

Green v. Dallas County Sch., 16-0214, 2017 WL 1968829, at *4 (Tex. May 12, 2017).

c. Practice Pointer: Because drug testing is not an ADA examination, as discussed above, the test results themselves are not covered by the ADA confidentiality provisions above; however, keep in mind that in the course of reviewing positive test results, you may glean information about an employee’s medical conditions. This highlights the need to make sure you are not responsible for determining whether results are consistent with the employee’s prescribed medications. Rather, a Medical Review Officer (“MRO”) should always be part of your drug testing process. A recent lawsuit filed by the EEOC brings home this point: https://www.eeoc.gov/eeoc/newsroom/release/9-15-16.cfm. In that case the owner of a casino withdrew a job offer after the candidate tested positive for hydrocodone. The candidate told the casino the drug was prescribed for a disability, but the employer did not consider any additional information. If it had, it would have been in possession of medical information protected by the ADA confidentiality provisions. Instead, an MRO should have been involved who would get to the bottom of the situation and determine whether the positive result was justified.

C. FMLA

1. Regulatory Provisions Regarding Confidentiality

29 C.F.R. § 825.500 addresses recordkeeping requirements under the FMLA. In addition to specifying records that must be kept, it specifically addresses confidentiality:

(g) Records and documents relating to certifications, recertifications or medical histories of employees or employees' family members, created for purposes of FMLA, shall be maintained as confidential medical records in separate files/records from the usual personnel files. If the Genetic Information Nondiscrimination Act of 2008 (GINA) is applicable, records and documents created for purposes of FMLA containing family medical history or genetic information as defined in GINA shall be maintained in accordance with the confidentiality requirements of Title II of GINA (see 29 CFR 1635.9), which permit such information to be disclosed consistent with the requirements of FMLA. If the ADA, as amended, is also applicable, such records shall be maintained in conformance with ADA confidentiality requirements (see 29 CFR 1630.14(c)(1)), except that:

(1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations;
(2) First aid and safety personnel may be informed (when appropriate) if the employee's physical or medical condition might require emergency treatment; and
(3) Government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.

2. Cases Interpreting the FMLA Regulations

a. Holland v. Shinseki, 3:10-CV-0908-B, 2012 WL 162333 (N.D. Tex. Jan. 18, 2012).

i. The court stated: “It is not settled whether this provision [825.500(g)] gives rise to a private right of action for disclosure ...” Id. at *13 (citing Walker v. Gambrell, 647 F. Supp. 2d 529, 539 n.5 (D. Md. 2009); see also Ekugwum v. City of Jackson, No. 3:09-CV-48-DPJ-JCS, 2010 WL 1490247 (S.D. Miss. Apr. 13, 2010) (accepting the existence of a private cause of action without reaching the merits of the issue)); see also Allen v. Verizon Wireless, 3:12-CV-00482 JCH, 2015 WL 3868672, at *13 (D. Conn. June 23, 2015), on reconsideration, 3:12-CV-00482 JCH, 2015 WL 4751031 (D. Conn. Aug. 11, 2015), and aff'd, 667 Fed. Appx. 4 (2d Cir. 2016) (noting that, although there is no clear authority as to whether the FMLA creates a private right of action based on this requirement, at least one district court in the Second Circuit had found that such a right exists in the context of a motion to dismiss) (citing Mahran v. Benderson Development Company, LLC, 2011 WL 1467368 (W.D.N.Y. Apr. 18, 2011)).

ii. The Holland court assumed the existence of a cause of action, though the court granted summary judgment for the employer because it found the employer met the exception for supervisors and managers regarding necessary restrictions and accommodations. Id.

b. In Ekugwum, the court denied summary judgment for the employer based on the plaintiff’s affidavit stating that a city employee shared confidential information about her mental condition that she had provided in a sealed envelope in connection with requesting leave. 2010 WL 1490247.

c. In Walker, the court found that an email sent about the plaintiff’s medical history was not protected by the FMLA confidentiality provision because it was not created for the purpose of documenting or maintaining a file on her FMLA leave, and the ADA confidentiality provisions did not apply because no employer-initiated examination or inquiry took place. 647 F. Supp. 2d at 539 n.5.

Practice Pointer: It is still not good practice to share such information, so you could discipline the author of such an email. Remember, if you want to point to something the employee is violating, you can always point to the Educator’s Code of Ethics.

D. GINA

1. Statutory Provisions

“Genetic information” is defined under GINA as information about (1) an individual's genetic tests; (2) the genetic tests of family members of an individual; or (3) the manifestation of a disease or disorder in family members of an individual. 42 U.S.C.A. § 2000ff(4) (West).

2. Regulatory provisions

29 C.F.R. § 1635.9 addresses the confidentiality and storage of genetic information as follows:

(a) Treatment of genetic information.
(1) A covered entity that possesses genetic information in writing about an employee or member must maintain such information on forms and in medical files (including where the information exists in electronic forms and files) that are separate from personnel files and treat such information as a confidential medical record.
(2) A covered entity may maintain genetic information about an employee or member in the same file in which it maintains confidential medical information subject to section 102(d)(3)(B) of the Americans with Disabilities Act, 42 U.S.C. 12112(d)(3)(B).
(3) Genetic information that a covered entity receives orally need not be reduced to writing, but may not be disclosed, except as permitted by this part.
(4) Genetic information that a covered entity acquires through sources that are commercially and publicly available, as provided by, and subject to the limitations in, 1635.8(b)(4) of this part, is not considered confidential genetic information, but may not be used to discriminate against an individual as described in §§ 1635.4, 1635.5, or 1635.6 of this part.
(5) Genetic information placed in personnel files prior to November 21, 2009 need not be removed and a covered entity will not be liable under this part for the mere existence of the information in the file. However, the prohibitions on use and disclosure of genetic information apply to all genetic information that meets the statutory definition, including genetic information requested, required, or purchased prior to November 21, 2009.

(b) Exceptions to limitations on disclosure. A covered entity that possesses any genetic information, regardless of how the entity obtained the information (except for genetic information acquired through commercially and publicly available sources), may not disclose it except:
(1) To the employee or member (or family member if the family member is receiving the genetic services) about whom the information pertains upon receipt of the employee's or member's written request;
(2) To an occupational or other health researcher if the research is conducted in compliance with the regulations and protections provided for under 45 CFR part 46;
(3) In response to an order of a court, except that the covered entity may disclose only the genetic information expressly authorized by such order; and if the court order was secured without the knowledge of the employee or member to whom the information refers, the covered entity shall inform the employee or member of the court order and any genetic information that was disclosed pursuant to such order;
(4) To government officials investigating compliance with this title if the information is relevant to the investigation;
(5) To the extent that such disclosure is made in support of an employee's compliance with the certification provisions of section 103 of the Family and Medical Leave Act of 1993 (29 U.S.C. 2613) or such requirements under State family and medical leave laws; or
(6) To a Federal, State, or local public health agency only with regard to information about the manifestation of a disease or disorder that concerns a contagious disease that presents an imminent hazard of death or life-threatening illness, provided that the individual whose family member is the subject of the disclosure is notified of such disclosure.

(c) Relationship to HIPAA Privacy Regulations. Pursuant to § 1635.11(d) of this part, nothing in this section shall be construed as applying to the use or disclosure of genetic information that is protected health information subject to the regulations issued pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996.

3. Cases under GINA

GINA is relatively new, so there are not many cases reported thereunder. Of note, in Hoffman v. Family Dollar Stores, Inc., 99 F. Supp. 3d 631, 637 (W.D.N.C. 2015), the court held that neither the plaintiff's HIV diagnosis, kidney failure, nor viral gastroenteritis constituted genetic information about a manifested disease or disorder; therefore, there was no violation of GINA.

E. Workers’ Compensation

A review of the Labor Code provisions related to workers’ compensation claims did not reveal specific confidentiality provisions directed at employers. Rather, the statutory confidentiality provisions relate to the responsibilities of the Division of Workers’ Compensation of the Texas Department of Insurance, see Tex. Labor Code Ann. § 402.083 (West), and to the State Office of Risk Management. See Tex. Labor Code Ann. § 412.0128 (West). The Attorney General has confirmed this. See Op. Tex. Att'y Gen. No. OR2017-29073 (2017). However, because districts will be creating medical files for ADA, FMLA, and GINA information, when workers’ compensation information is received, keep it in that type of file also.

F. Health Insurance Portability and Accountability Act, as amended

1. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) contains privacy and security standards. The law required implementing guidance to be issued by the Department of Health and Human Services (“HHS”).

2. The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted in 2009 and expanded HIPAA’s privacy and security requirements. The law established notification rules for breaches of protected health information (“PHI”). HHS issued comprehensive final regulations in January 2013.

3. It is important to know that not all school districts are covered by HIPAA. See Attachment C, found at https://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html, which also addresses HIPAA as it relates to students and the interplay with FERPA.

4. HIPAA covered entities (“CEs”) are:

a. Health plans, which include the following:

i. Health insurance companies;
ii. Health maintenance organizations (“HMO”);
iii. Employer-sponsored group health plans; and
iv. Medicare, Medicaid, and other government health programs.

b. Health care clearinghouses

c. Health care providers who conduct certain health care transactions in electronic form (e.g., fund transfers)

5. Thus, employers generally are not CEs unless they are operating in one of these capacities. So, an employer that sponsors a group health plan will be a CE if the employer carries out administrative duties for the plan and those duties involve access to PHI. If an employer operates a health clinic available to employees, it would also be a CE.

Practice Pointer: The Centers for Medicare & Medicaid Services provides a Covered Entity Guidance interactive tool to help determine if you are a Covered Entity. It can be found at: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

6. HIPAA applies to a CE's "business associate" (“BA”). A BA is an entity that performs certain functions that involve creating, receiving, maintaining, or transmitting PHI, on behalf of a CE, including:

a. Claims processing or administration (e.g., third-party administrators (TPAs) and pharmacy benefit managers);
b. Data analysis, processing, or administration;
c. Utilization review and quality assurance;
d. Billing, practice management, and repricing; and
e. Providing services to CEs involving PHI (e.g., legal, actuarial, accounting, accreditation, and consulting).

7. Subcontractors are also BAs in certain circumstances.

a. A subcontractor that creates, receives, maintains, or transmits PHI on a BA's behalf is a BA in its own right.
b. A subcontractor is a person to whom a BA delegates a function, activity, or service, other than in the person's capacity as part of the BA's workforce.
c. Subcontractor status extends to agents or other individuals acting on a BA's behalf.
d. This is the rule even if the BA has not entered into a BA agreement with the individual.
e. Under the 2013 final regulations, a CE need not enter into a contract with a subcontractor. However, CEs must obtain satisfactory assurances from their BAs that the BAs will appropriately protect PHI. In turn, the BAs must obtain satisfactory assurances regarding their subcontractors, regardless of how far “down the chain” the information flows.

8. Entities that are not BAs include:

a. Members of the CE's workforce;
b. A researcher performing research activities for a CE;
c. A financial institution that provides its normal banking functions to a CE; and
d. Delivery truck line employees, the US Postal Service, and the United Parcel Service.

9. A CE may disclose PHI to a BA if the CE obtains satisfactory assurances in writing (in a BA agreement) that the BA will:

a. Use the information only for the purposes for which the BA was engaged by the CE;
b. Safeguard the information from misuse; and
c. Help the CE comply with its obligations under the Privacy Rule.

10. The Privacy Rule outlines certain provisions that must be reflected in the BA agreement, which include:

a. Describing the permitted and required uses of PHI by the BA;
b. Providing that the BA will not use or further disclose PHI, other than as permitted or required by the BA agreement or as required by law; and
c. Requiring the BA to use appropriate safeguards to prevent a use or disclosure of PHI other than as provided for by the BA agreement.

11. The HIPAA Privacy Rule, in the employment context, gives employees rights over how their health information may be used or disclosed and protects against the unauthorized disclosure of PHI. The Privacy Rule requires CEs to handle PHI very cautiously.

12. Information is considered to be PHI if it:

a. Relates to the physical or mental health condition of an individual, at any time, past, present or future;
b. Identifies or can be used to identify an individual (e.g., name, address, birth date, Social Security number, account number); and
c. Is in the possession of or has been created by CEs.

13. PHI may be included in:

a. Health care claims or encounter information.
b. Health care payment and remittance advice.
c. Coordination of benefits.
d. Health care claim status.
e. Enrollment or disenrollment in a health plan.
f. Eligibility for a health plan.
g. Health plan premium payments.
h. Referral certification and authorization.

14. The HIPAA Privacy Rule requires CEs to:

a. Notify individuals about their privacy rights and how their information can be used (see example for use by health plans, attached as Attachment D, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/npp_fullpg_healthplan.pdf);
b. Adopt and implement privacy procedures;
c. Train employees so they understand the CE's privacy procedures;
d. Designate an individual to ensure that the CE's privacy procedures are adopted and followed (a similar requirement applies under the HIPAA Security Rule); and
e. Secure records involving health information.

15. A CE may not share employee PHI without written authorization unless it is shared in one of the following ways:

a. With the individual who is the subject of the PHI.
b. For treatment and care coordination.
c. To pay for employee health care services.
d. With individuals who are designated by employees and who are involved with the employee’s health care or paying for health care bills.
e. In public health situations.
f. For court and agency proceedings (e.g., workers’ compensation).
g. Based on agency requirements.
h. Based on law enforcement requests or compliance.
i. In emergencies.
j. In identification of deceased individuals.
k. In national security-related situations.

16. The Privacy Rule allows "incidental" uses and disclosures that result from uses or disclosures that are otherwise permitted under the Privacy Rule. An incidental use or disclosure is permitted if the CE:

a. Has applied reasonable safeguards
b. Has implemented the minimum necessary standard
c. Examples of reasonable safeguards include:
i. Locking file cabinets or record rooms
ii. Providing additional passwords on computers
iii. For hospital CEs, not using a patient’s name in a hallway

17. Employees have a right to:

a. Request a copy of their medical records (a reasonable fee for copying and mailing records may be assessed).
b. Restrict who can obtain their PHI.
c. Change incorrect information in their medical records.
d. Request a report of when and why PHI was used.
e. Choose communication methods.
f. File complaints.

18. CEs may not take retaliatory action against individuals who exercise any of their HIPAA rights (e.g., filing a complaint or requesting an accounting). Under the anti-retaliation rules, CEs must refrain from intimidation, threats, harassment, coercion, and discrimination.

19. A CE may not require an individual to waive any HIPAA rights as a condition of:

a. Treatment, payment, or enrollment in a health plan
b. Eligibility for benefits

20. A CE must train all members of its workforce on its HIPAA policies and procedures for PHI:

a. Training must be as necessary and appropriate for a workforce member (e.g., an employee) to carry out the individual’s function with the CE.
b. Training must be provided to each new workforce member within a reasonable time after the person joins the workforce.
c. Retraining is required if an individual's functions are affected by a material change to the CE’s policies or procedures.
d. The CE must document that the training was provided.
e. A CE is not required to train its BAs.

21. Violations of the HIPAA Privacy Rule may result in:

a. Minimum civil penalties of $100 per violation.
b. Maximum civil penalties of $1.5 million per year.
c. Criminal penalties for willful offenses of $50,000 to $250,000 and imprisonment.
d. Additional penalties under state law.
e. Lawsuits.

22. The HIPAA Security Rule applies to ePHI (e.g., PHI in emails, or PHI stored on computers) and protects the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted.

a. CEs must comply with the Security Rule if they transmit ePHI.
b. Under the HITECH Act, BAs also must comply.

23. The Security Rule is organized into three general categories of “safeguards”:

a. Administrative safeguards

i. Comprise most of the Security Rule's standards
ii. Involve administrative functions for implementing, managing, and maintaining security measures to protect ePHI
iii. Safeguards include documented policies and procedures required for managing:
1. Day-to-day operations
2. Employee conduct and access to ePHI
3. Selection, development, and use of security controls

b. Physical safeguards

i. Policies and procedures must be developed and implemented that specify the:

1. Proper functions to be performed by workstations;
2. Manner in which those functions are performed (i.e., the appropriate use of workstations); and
3. Characteristics of the physical environment of workstations that can access ePHI.

ii. A workstation includes any electronic computing device and electronic media stored in its immediate environment. Workstations also include:

1. Desktop computers and laptops
2. Other devices that perform similar functions

iii. The workstation security standard requires CEs to implement physical safeguards for all workstations that can access ePHI to limit access to authorized users only.

iv. The standard also applies to offsite workstations that can access ePHI (e.g., workstations of employees who work from home).

c. Technical safeguards

i. Such safeguards involve the technology, policies, and procedures that protect ePHI and control access to it.
ii. CEs and BAs determine which security measures to adopt based on what is reasonable and appropriate.
iii. Besides audit controls, the specific standards are:

1. Access control
2. Integrity
3. Person or entity authentication
4. Transmission security

24. CEs must adopt reasonable policies and procedures to comply with the Security Rule, and must:

a. Keep all documents for six years from the later of the date (1) they were created or (2) when they were last in effect;
b. Make the documents available to employees who are responsible for implementing the policies and procedures;
c. Periodically review the documents, and update them, to ensure the confidentiality, integrity, and availability of ePHI;
d. Maintain a written record of any action, activity, or assessment required to be documented by the Security Rule; and
e. Review and update documents periodically for changes (environmental or operational) affecting the security of ePHI.

25. HIPAA Breach Notification

a. A “breach” is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the PHI’s privacy or security.

b. Under the breach notification rules:

i. CEs must provide notice of a breach to individuals, HHS, and, for large breaches, to the media.
ii. BAs must provide notice of a breach to CEs.

c. HHS posts breaches affecting 500 or more individuals to its website.

d. Notice must be provided without unreasonable delay, and not later than 60 days after discovery.

e. A breach is “discovered” by a CE or BA on the first day it is:

i. Known to the CE or BA or
ii. Should have been known to the CE or BA by exercising reasonable due diligence.

f. Factors that may indicate reasonable due diligence:

i. The CE or BA took reasonable steps to learn of breaches.
ii. The breach was one that a person trying to comply with HIPAA would have investigated in similar circumstances.

g. Knowledge of a breach may be imputed to the CE or BA if it was known by an employee or agent.

h. The acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule is presumed to be a breach, unless a risk assessment shows low probability that PHI was compromised.

i. Exceptions to the definition of a breach exist for:

i. The unintentional acquisition, access, or use of PHI by an employee if:

1. Made in good faith and within the employee’s authority and
2. There is no further use or disclosure of the PHI;

ii. Certain inadvertent disclosures of PHI; and

iii. Disclosures of PHI if the CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made could not reasonably retain the information.

j. A breach notification to individuals must include:

i. A description of the incident, including the dates of occurrence and discovery, if known;

ii. A description of the types of PHI involved (e.g., SSNs);

iii. Any steps individuals should take to protect themselves from potential harm resulting from the breach;

iv. A description of what the CE is doing to investigate the breach, reduce resulting risk to individuals, and prevent further breaches; and

v. Contact procedures for individuals to ask questions or obtain additional information.

k. A breach notification may indicate whether employee sanctions were imposed. However, the notification need not explain the specific security vulnerability in a CE’s electronic record system that resulted in unauthorized access or how the vulnerability was exploited.

l. Regarding form, the notification should:

i. Be written at a reading level appropriate to recipients;

ii. Use clear language and syntax; and

iii. Not include extraneous information.

26. Disposing of PHI

a. HIPAA's standards generally govern disposal of PHI. According to HHS, in disposing of PHI, CEs must implement reasonable safeguards to:

i. Restrict incidental uses of PHI;
ii. Avoid prohibited uses and disclosures of PHI; and
iii. Address removing ePHI from electronic media before the media is re-used.

b. CEs must also:

i. Train employees on proper disposal procedures and

ii. Ensure that employees follow the CE’s disposal policies.

III. Other Considerations

A. Records Retention

Once you have these documents, you not only need to maintain them confidentially, but you also must follow the retention schedule by the Texas State Library and Archives Commission.

https://www.tsl.texas.gov/slrm/recordspubs/localretention.html.

Examples:

1. Absence from duty reports - SD3575-01.13 - 4 years
2. Workers' compensation - GR1050-32 - CE (calendar year end) + 5 years

B. Spoliation

If you realize you have information you shouldn’t, consider spoliation issues before you destroy. If any litigation is threatened, you would not want to destroy documents that are related to the threat.
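As an added illustration (not part of the author's paper), the following Python sketch computes the earliest destruction date under the two schedule entries listed above and refuses destruction while a litigation hold is in place, which is the spoliation concern just described. The series codes and periods are quoted from the page; the assumption that the 4-year period for absence reports runs from the record's own date, the 29 February handling, and the sample record dates are the example's own.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One entry of a local records retention schedule."""
    title: str
    years: int                    # minimum retention period
    from_calendar_year_end: bool  # "CE" rules run from 31 December of the record's year


# Series codes and periods as quoted on the page; the trigger date for the
# absence-report series is assumed to be the record date (assumption).
RULES = {
    "SD3575-01.13": RetentionRule("Absence from duty report", 4, False),
    "GR1050-32": RetentionRule("Workers' compensation", 5, True),
}


def add_years(d, years):
    """Add whole years; a 29 February start falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(series_code, record_date):
    """Earliest date the record may be destroyed under its schedule entry."""
    rule = RULES[series_code]
    start = date(record_date.year, 12, 31) if rule.from_calendar_year_end else record_date
    return add_years(start, rule.years)


def may_destroy(series_code, record_date, today, legal_hold=False):
    """Return (allowed, reason). A litigation hold always overrides an expired schedule."""
    if legal_hold:
        return False, "litigation hold in place; do not destroy (spoliation risk)"
    expiry = retention_expiry(series_code, record_date)
    if today < expiry:
        return False, f"retention runs until {expiry.isoformat()}"
    return True, f"retention period ended {expiry.isoformat()}"


if __name__ == "__main__":
    # Constructed sample records, not real district data.
    sample = [("SD3575-01.13", date(2018, 3, 15)), ("GR1050-32", date(2018, 3, 15))]
    for code, when in sample:
        print(code, RULES[code].title, may_destroy(code, when, date(2024, 1, 1)))
```

The hold check comes before the schedule check on purpose: an expired retention period is never a reason to destroy a record that is relevant to threatened or pending litigation.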

OTHER EMPLOYEE PRIVACY ISSUES

I. Evaluations

A. Tex. Educ. Code § 21.355:

A document evaluating the performance of a teacher or administrator is confidential and is not subject to disclosure under Chapter 552, Government Code (Texas Public Information Act).

B. Not limited to formal appraisals.

C. What about a verbal response to a request for a reference?

Best practice is to route through Human Resources for consistency.

II. Investigations

A. No particular law makes the results of investigation private.

B. DIA (LOCAL) – investigations into discrimination, harassment, and retaliation – implies confidentiality because it references the fact that the investigator may need to make limited disclosure.

C. So, revealing investigative information would breach a duty under the Educator Code of Ethics.

III. Criminal History

A. FACT Clearinghouse – DPS fingerprint database

– CHRI is confidential
– Only persons authorized to access the Clearinghouse can review
– It is not just the written record itself that is confidential, but the information it contains
– Even the fact that a person has criminal history is confidential
– An agency or individual may not confirm the existence or nonexistence of criminal history record information to any person that is not eligible to receive the information even if it is another employee or board member with a good faith business purpose.
– Any person who views it must obtain authorization

B. DPS public website – can be disclosed

C. Unauthorized access carries criminal penalties.

D. Must destroy CHRI as soon as you make the hiring decision, but not later than one year from when you obtained it.

E. Procedures to protect access

- Must maintain compliance with FBI Criminal Justice Information Services (CJIS) Security Policy:
https://www.fbi.gov/file-repository/cjis-security-policy-v5_6_20170605.pdf/view
- Must have procedures in place addressing personnel sanctions, controlling access to hardware and media, incident response, digital media sanitization and disposal, and media protection.
- Resources available at: https://www.cjisportal.com/TX/noncrim/launchpad/cjisdocs/docs.cgi?cat_id=3&auth=1&uid=
