As a result of the COVID-19 pandemic, employers are finding that they are receiving and processing an ever-increasing amount of their employees’ confidential health information. From COVID-19 test results to vaccination status, some employers now routinely have to collect their employees’ medical information to comply with internal or external rules and regulations. Furthermore, with OSHA and other federal regulators currently working on regulations to implement vaccine mandates or require weekly testing of non-vaccinated workers, businesses with a hundred or more employees soon will be required to receive and maintain even more of their employees’ private health information. This increase in collecting and storing employee health information brings with it a corresponding increase in the risk of a cyberattack that may result in the inadvertent disclosure of this confidential information.
With employees’ confidential health information likely being transmitted and stored on their employer’s computer network, the security of that information is paramount. Unfortunately, 2021 has been a record year for cybersecurity incidents. The Identity Theft Resource Center has highlighted that the number of data breaches through September 30, 2021 is up 17 percent when compared to the number for full-year 2020. That is concerning given that 2020 itself was a record year for all manner of breach events. With remote work, regular reporting of vaccination status or COVID-19 test results, tracking and analyzing of this same information for either regulatory compliance or reporting, and ongoing maintenance of the status quo for “routine” employee health information unrelated to the pandemic, now is the best time for employers to turn their attention to ensuring that they have a robust and effective cybersecurity plan in place. Failure to do so can lead to dire consequences for the employer, including regulatory and legal penalties.
Three key statutes require employers to protect their employees’ confidential information and prevent the inadvertent or unauthorized disclosure of their employees’ private health information: the Americans with Disabilities Act (“ADA”), the Genetic Information Nondiscrimination Act (“GINA”), and in certain circumstances the Health Insurance Portability and Accountability Act (“HIPAA”). Under the ADA, an employer must keep all medical information separate from general personnel files, treating this information as separate and confidential. GINA broadly prohibits employers from requesting, requiring, or purchasing an individual’s genetic information with some safe harbors for inadvertent disclosure of genetic information given in response to an otherwise allowable inquiry. HIPAA generally will apply to employers only in cases where a company-operated health plan is utilized, as HIPAA controls protection of health information in the healthcare industry (i.e., healthcare providers, health insurers, and other related entities).
A recently enacted federal rule, the Health Breach Notification Rule (16 C.F.R. 318.1-9), provides clear requirements for notifying individuals affected by a breach exposing their confidential health information. The Health Breach Notification Rule filled a gap in the requirement for breach notification, and provides enforcement mechanisms for violations of the Rule in the event of a non-HIPAA related breach of security that results in the disclosure of private health information. The rule defines a “breach of security” as an acquisition of an individual’s personal health records or individually identifiable health information without the authorization of that individual. The rule broadly covers vendors of personal health records, as well as providing a catch-all category capturing many entities that either access or send information in a personal health record or engage with another entity which itself offers individuals’ personal health records. Upon discovery of a breach of security, the discovering entity must notify each individual who is a citizen or resident of the United States whose unsecured identifiable health information was acquired by an unauthorized person. Additionally, notice must be given to the Federal Trade Commission.
Cyber threats to employees’ private health information can come from anywhere, including from inside the organization. That was the case involving a malware attack against SalusCare, a large mental health services provider based in Florida. This breach may have exposed as many as 85,688 patient and employee records containing information on patients’ psychiatric and addiction counseling and treatment along with other confidential information, including patients’ and employees’ Social Security and credit card numbers. The extent of the breach was not clear, but the organization’s entire records database was uploaded to a cloud-based storage account managed by Amazon. Once it was uploaded, it was unclear exactly which records in the database were accessed. This meant that all the records uploaded as part of the breach had to be considered compromised. SalusCare filed a successful suit to compel Amazon to provide the logs showing exactly what data was accessed as part of the breach. The sheer amount of information included in the breached database necessitated the notification of every patient and employee whose records were breached in order to fully comply with ADA and HIPAA. Even a small cyber data breach can result in a statutorily required investigation and notification process that will cost tens to hundreds of thousands of dollars. A breach of this size could bankrupt a company if it lacked sufficient cybersecurity insurance.
Showing that not all cybersecurity threats are internal to an employer, a ransomware attack against a Virginia-based occupational health care provider could have exposed the medical records of UPS and Norfolk Southern employees. Following the ransomware attack and accompanying data breach, hackers posted various medical records of truck drivers and rail workers employed by these entities. As these employees are subject to various DOT-mandated medical exams, the records of which must be maintained in order to show regulatory compliance, these entities and the health care providers they contract with must safeguard these medical records against wrongful disclosure. HIPAA requires such safeguards for the health care provider, and the ADA would enforce a similar requirement upon the employer. While the health care provider itself was obviously under breach-notification requirements via HIPAA, the above-referenced Health Breach Notification Rule likewise would require UPS and Norfolk Southern to provide notice to affected employees. The key here would be collaborative and open dialogue regarding the data breach between the health care provider and employers in order for them both to comply with regulatory requirements and to effectively respond to, contain, and remedy the data breach’s effects on their employees.
The EEOC recently issued an Opinion Letter regarding the electronic storage of employees’ confidential health information. The EEOC warned that maintaining employees’ confidential medical information in one combined electronic database could in itself lead to violations of the ADA and GINA. This is because placing protected information in a larger record database containing non-protected information could permit any employee with access to the entire record database to also access the electronic medical records.
The unauthorized access of employees’ confidential medical information without proper cause or authorization would constitute an ADA and/or GINA violation, which may require an investigation and notification pursuant to the Health Breach Notification Rule. This is true even if no further actions were taken by the breaching employee, or if the individual who committed the breach had no ill intent. Therefore, to ensure the confidentiality of employees’ private health information, employers are required to segregate this sensitive information into its own separate electronic database that is password protected.
Courts have held that employers have a common law duty to reasonably safeguard their employees’ confidential information. A recent and high-profile case from Pennsylvania dealt with a large-scale data breach that exposed the information of approximately 62,000 current and former UPMC employees. In the subsequent class action lawsuit brought by the affected employees, the Pennsylvania Supreme Court held that UPMC had a duty to take reasonable security measures to protect its workers’ data. See Dittman v. UPMC, 649 Pa. 496, 196 A.3d 1036 (2018). While UPMC employees’ confidential health information was not at issue in this litigation, the reasoning and holding of the Pennsylvania Supreme Court apply to employers’ duty to protect their employees’ private health information.
There are clear, and sometimes simple, steps that employers can take to prevent these scenarios and better safeguard their employees’ confidential health information. These steps include:
- Identifying and addressing third-party vendors’ vulnerabilities that enhance risk, especially as to the electronic transfer of employee health information or other sensitive data.
- Increasing investment in security software systems and ensuring that all employees are adequately trained in these systems’ importance and use for protecting sensitive information.
- Requiring a VPN or other secure connection, together with multifactor authentication, when accessing data systems remotely.
- Backing up employees’ private health information or other sensitive data and storing it off-network to minimize points of access.
- Increasing the involvement of corporate officers and boards of directors in security matters to ensure leadership is appropriately aware of the risks of data breaches and the potential impact these breaches can and will have.
- Establishing a security incident response team familiar with and trained to comply with applicable rules and laws regarding confidentiality of employee medical and health information, i.e., ADA, GINA, HIPAA, and the Health Breach Notification Rule.
- Conducting periodic data breach drills to test the effectiveness of your incident response plans.
- Reviewing, and enhancing when necessary, all safeguards in place with respect to employees’ confidential health information in order to reduce the risk of breaches and maintain compliance with applicable rules and laws.
- Developing and keeping up-to-date templates for notice of breach letters.
- Purchasing effective cyber liability insurance that provides coverage commensurate with company-specific needs and breach-exposure risk.