Monthly Archives: April 2017

Hospital Employee’s Misuse of Personal Health Information: a Wake Up Call for Hawaii Employers

Hawaii employers covered by HIPAA should review their privacy and HIPAA policies and audit their actual practices in order to protect against the improper use and disclosure of private health information and to reduce the risk of privacy breaches within their own organizations.

In June 2009, a 22-year-old Honolulu mother of three young children was sentenced to a year in prison for illegally accessing another woman’s medical records and posting on a MySpace page that the woman had HIV.
The State of Hawaii charged the defendant under a state statute criminalizing unauthorized access to a computer, which classified her conduct as a class B felony.

According to accounts of the incidents that led to the conviction, there was a feud between the victim and the victim’s sister-in-law, a friend of the defendant. The defendant, who worked as a patient service representative at the hospital where the victim was a patient, accessed the hospital’s computer system on behalf of the victim’s sister-in-law. Over approximately ten months, the defendant accessed the victim’s medical records three times. After learning of the victim’s medical condition, the defendant posted on her MySpace page that the victim had HIV; in a second posting, she said the victim was dying of AIDS. The victim complained to hospital officials about the unauthorized access, and after an internal investigation the hospital terminated the defendant’s employment.

The defendant’s conduct, of course, was egregious and inexcusable. The one-year jail term handed down by the Court exceeded the term recommended by the prosecutor. Nevertheless, beyond the issue of holding the defendant accountable for her actions, some may question to what extent the hospital should bear responsibility for the breaches of confidentiality that occurred. Notably, the unauthorized access continued for months and came to light only because the victim complained, not because the hospital detected it.

Federal law imposes statutory burdens on health care providers to protect against the improper use or disclosure of private health information and to reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

Specifically, the privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) became effective on April 14, 2003. HIPAA is intended to protect consumers’ health information, give consumers greater access to and control over that information, improve health care, and create a national framework for health privacy protection. HIPAA covers health plans, health care clearinghouses, and those health care providers that conduct certain financial and administrative transactions electronically.

In addition to the privacy regulations, HIPAA’s security rules became effective on April 21, 2005. Together, the privacy and security regulations form the only national set of regulations governing the use and disclosure of private, confidential and sensitive health information.

Under HIPAA’s Security Rule, the standards for protecting electronic information covered by HIPAA are divided into three groups: administrative safeguards, physical safeguards and technical safeguards.
Two of the most significant required administrative safeguards are the “Sanction Policy” and “Security Awareness Training” safeguards.

The sanction policy standard requires the covered entity to communicate to all employees the disciplinary action that will be taken for violations of HIPAA. The sanction policy should include notice of the civil and criminal penalties for misuse or misappropriation of health information, and should make employees aware that violations may result in notification of law enforcement officials and of regulatory, accreditation, and licensure organizations.

The security awareness training standard requires all employees, agents, and contractors to participate in information security awareness training. Based on job responsibilities, the covered entity should require individuals to attend customized education programs that focus on the proper use of health information and on their responsibilities regarding confidentiality and security.

The HIPAA privacy and security regulations require the covered entity to designate a privacy officer and a security officer. These officers should continually analyze and manage risk by thoroughly assessing potential risks and vulnerabilities and implementing corresponding security measures.

The U.S. Department of Justice (“DOJ”) has clarified which penalties may be assessed for HIPAA violations and against whom. Covered entities and individuals who “knowingly” obtain or disclose individually identifiable health information in violation of HIPAA may be fined up to $50,000 and imprisoned for up to one year.

Federal Computer Fraud and Abuse Act Remedies Potentially Available to Hawaii Employers for Deleted Files

Hawaii employers may have a federal civil remedy available in federal court, in addition to the ability to invoke Hawaii criminal statutory law, for damage caused by former employees to either network or company-owned computers.

The U.S. District Court for the Eastern District of Missouri recently issued a ruling that could broaden the remedies available to Hawaii employers for damage caused to computers by departing employees.

Specifically, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing, & Consulting, the Court interpreted the Computer Fraud and Abuse Act (“CFAA”) to permit a federal remedy for employers whose former employees delete and/or steal company information from laptop computers.

In that case, two managers left the plaintiff company and, according to the plaintiff, failed to return their laptop computers when requested and copied or downloaded confidential and trade secret information. The files containing that information were then deleted from the laptops before the computers were returned. The plaintiff filed a complaint alleging several causes of action, including a claim under the CFAA.

The Court rejected the defendants’ argument, raised in a motion to dismiss, that the plaintiff was barred from asserting a claim under the CFAA. The CFAA permits a civil action by any person who suffers damage or loss by reason of a violation of the act, so long as the loss sustained during any one-year period aggregates at least $5,000 in value.

The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system or information.” The CFAA defines loss as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

The Court found that the plaintiff had alleged sufficient facts to satisfy both the “damage” and the “loss” tests. It held that the company sufficiently pled loss by alleging that the defendants deleted information, which required forensic analysis and other remedial measures to retrieve and analyze the defendants’ computers and restore the data. The Court’s ruling did not require, as other case law on the issue had suggested, that the information be destroyed on the employer’s network computer rather than on a laptop.

The Court’s interpretation of CFAA is more in line with Hawaii criminal statutory law addressing criminal computer-related activity. For instance, HRS § 708-892 states that a person has committed the crime of “Computer Damage in the First Degree” where:

(a) The person knowingly causes the transmission of a program, information, code, or command, and thereby knowingly causes unauthorized damage to a computer, computer system, or computer network; or
(b) The person intentionally accesses a computer, computer system, or computer network without authorization and thereby knowingly causes damage.

Under the statute, the damage must: “Result in a loss aggregating at least $5,000 in value, including the costs associated with diagnosis, repair, replacement, or remediation, during any one-year period to one or more individuals.” Also, computer damage in the first degree is a class B felony.

The Hawaii penal code thus explicitly permits the conviction of a person who causes damage not only to a computer network but also to a company-issued computer. In most garden-variety cases where a former employee is found to have deleted or destroyed computer files, the cost of engaging a computer forensics professional to assess the damage and restore (or attempt to restore) the lost data will typically exceed the $5,000 threshold under both the Hawaii criminal statute and the CFAA. Employers should document those forensic and remediation costs as they are incurred, since they are what establishes “loss” under both statutes.

Thus, a Hawaii employer could have a federal civil remedy available in federal court, in addition to the ability to invoke Hawaii criminal statutory law, for damage caused to either its network or its company-owned computers.

Hawaii Employment Law Basics: Medical Examinations and Disability Law

Hawaii law and the Americans with Disabilities Act prohibit employers from discriminating against employees and applicants for employment who have disabilities. Physical examinations cannot be used to unfairly or disproportionately screen out disabled individuals. Employers may not require medical examinations of job applicants until after conditional offers of employment are made. Finally, medical examinations of current employees must be job related and consistent with business necessity.

Hawaii employers may require job applicants to undergo a physical examination as part of the hiring process, and may also impose medical examination requirements on current employees. Whether imposed at the hiring stage or on the current workforce, an employer’s physical or mental examination requirements are subject to significant restrictions under federal and state law.

Hawaii’s Employment Practices law and the Americans with Disabilities Act (“ADA”) prohibit employers from discriminating against employees and applicants for employment who have disabilities. As a result, physical examinations cannot be administered or used in a way that unfairly or disproportionately screens out, or otherwise adversely affects the employment opportunities of, disabled individuals. To eliminate the unlawful consideration of disabilities in hiring, both Hawaii state and federal law provide that employers may not require medical examinations of job applicants until after a conditional offer of employment has been made. Employment may be conditioned on the results of the examination only if all entering employees in the same job category are subject to the same examination.

Medical examinations of current employees must be job related and consistent with business necessity. Such examinations must be limited in scope to the employee’s ability to perform specific and essential job functions, or to evaluate an employee’s disability or need for reasonable accommodation. The Hawaii Administrative Rules require the employer to provide the medical examiner with a written job description, including the essential job functions and the Hawaii state regulations defining “reasonable accommodation” and “direct threat.”

All information regarding the medical condition or history of an applicant or employee must be collected and maintained separately as confidential records. If an employer requires an employee to complete a medical examination, the employer should first obtain a HIPAA-compliant authorization form, because HIPAA prohibits health care providers from releasing protected health information to employers except in limited circumstances.

Moreover, Hawaii law prohibits the release of test results for sexually transmitted diseases (including HIV/AIDS) for employment, educational, or housing purposes without the voluntary consent of the tested individual.

Tests for the use of illegal drugs are not considered medical examinations under the ADA.

Compensation and Benefits in Belgium: Limiting the Use of Golden Parachutes

This article outlines the current state of affairs regarding the limitations on golden parachutes that many politicians announced in the wake of the financial crisis.

Golden parachutes are special protection measures granted to top managers in the form of substantial additional severance payments provided for in the employment agreement (or management agreement). Although many politicians announced strict prohibitions on golden parachutes in the wake of the financial crisis, the Belgian parliament still has not passed any new legislation on the subject, and it does not appear likely to do so in the near future.

In the absence of new legislation, existing golden parachutes remain valid and enforceable. Agreeing to new golden parachutes also remains possible, although some exceptions may apply. Earlier this year, a new Corporate Governance Code for listed companies was presented. The new code is a revision of the 2004 code commonly known as the Code Lippens. One of the new principles of the code is that every new contract with a top manager should include language on severance pay.

The code stipulates that contracts with top managers (the CEO or other members of executive management) should specify that severance pay awarded in the event of early termination may not exceed twelve months’ (basic and variable) remuneration. This may be raised to eighteen months upon recommendation of the remuneration committee; in that case the contract should specify when the higher severance pay will be due, and the higher amount must be justified in the remuneration report published in the annual report. The code further stipulates that the contract should provide that, where the departing top manager did not meet the performance criteria referred to in the contract, the severance pay may neither exceed twelve months’ basic remuneration nor take variable remuneration into account.

Note that the Belgian Corporate Governance Code is not mandatory. It provides guidelines with which listed companies must “comply or explain”, so its impact is rather limited. Underscoring the largely symbolic nature of these provisions, the code cannot limit the protection afforded by Belgian employment law, which can (easily) surpass the limits set forth in the code. As usual, careful drafting of the employment (or management) agreement is the main message.