This & That Tuesday 12.9.4
Hello,
Here is the latest issue of “This & That” Tuesday. I hope you find it to be informative and useful.
Atsalis Brothers Painting to Pay $65,000 to Settle EEOC Retaliation Lawsuit
Atsalis Brothers Painting Company, a Warren, Mich.-based painting company which does business in several states, will pay $65,000 to settle a retaliation lawsuit filed by the EEOC. The EEOC had charged that Atsalis unlawfully retaliated against an employee for objecting to race discrimination.
In its lawsuit filed in 2011, the EEOC said that Atsalis retaliated against Rodney Trice, a journeyman painter, who complained about the use of the “N-word” by his foreman, by not bringing him back to work for the 2008 work season. Race discrimination and retaliation for complaining about it violate Title VII of the Civil Rights Act of 1964. The EEOC filed suit after first attempting to reach a pre-litigation settlement through its conciliation process.
In addition to paying $65,000 to Trice, the decree requires the company to provide ongoing anti-discrimination training to all of the company’s officers, managers, supervisors and human resources personnel; create a new anti-discrimination policy; institute new procedures for handling discrimination complaints; and file reports with the EEOC regarding compliance with the decree’s requirements.
Disclosing Medical Information on Reference Calls
Under the Americans with Disabilities Act, an employer's ability to legally disclose medical information on a reference call depends on how the employer obtained that information: through the employee's voluntary disclosure, or through a medical inquiry that the employer made to the employee.
Federal Law
The ADA provides that employers may make "inquiries into the ability of an employee to perform job-related functions," but medical information obtained from such inquiries is subject to specified confidentiality requirements. Therefore, an employer would face liability for the disclosure of information learned in the course of such inquiries. Conversely, the nondisclosure provisions of the ADA do not govern voluntary disclosures of medical information initiated by the employee.
Courts have considered what constitutes a medical examination or inquiry for purposes of determining when the ADA's confidentiality requirements apply. One court summarized the test by stating that "which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee's actual disclosure of medical information is determinative."
Here is an example of a disclosure that was deemed voluntary, and therefore not protected.
An employee filed a request for leave with her employer to attend a medical appointment. Upon returning to work earlier than expected, she went to her supervisor's office to adjust her leave form. While there, her supervisor asked, "Is everything okay?" The employee responded by disclosing that she had a lump in her breast and might need a biopsy. This inquiry did not constitute a medical inquiry because the question was not about a medical condition or ability to perform job functions, nor did it require the employee to provide any medical information.
Here is an example of a disclosure that was deemed responsive to medical inquiries, and therefore fell under the ADA's confidentiality provisions.
An employer required his employee to submit doctors' notes with his requests for leave, providing "the specific nature of his illness or injury that prevented him from reporting to work." The court held that by requiring these kinds of detailed statements, the employer was making a medical inquiry.
CA Law
California's Confidentiality of Medical Information Act provides that "no employer shall use, disclose, or knowingly permit its employees or agents to use or disclose medical information which the employer possesses pertaining to its employees without the patient having first signed an authorization permitting such use or disclosure." Medical information is defined as "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment." Therefore, as is the case under the ADA, an employer's liability for disclosure may turn on such factors as how the employer came into its knowledge of the medical information at issue.
Employer Pays $1.5M HIPAA Settlement
The settlement between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures.
BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants.
After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.
To resolve HHS’s investigation, BCBST agreed not only to pay $1.5 million but also to enter into a corrective action plan (CAP). The CAP requires BCBST to do the following: (a) conduct a risk assessment and engage in a risk management process with respect to electronic PHI (ePHI) in BCBST’s possession; (b) develop facility access controls and a facility security plan to safeguard information systems and equipment containing ePHI; (c) develop physical safeguards for electronic storage media containing ePHI; (d) train all workforce members with access to ePHI in the policies and procedures embodying items (a) through (c); (e) monitor compliance with the policies and procedures; and (f) report to HHS concerning compliance with the CAP.
The underlying incident involved the theft of unencrypted hard drives. Had those hard drives been encrypted, BCBST would not have had an obligation to notify HHS of the theft. In other words, the Resolution Agreement highlights the importance of considering the feasibility of encrypting any movable storage media which contain ePHI.
Also, HHS seems to have set a fairly high standard for adequate physical safeguards. BCBST had in place fairly robust physical security for the stored hard drives, including “biometric and keycard scan security with a magnetic lock and an additional door with a key card lock” in addition to building security. HHS, nonetheless, appears to have taken the position that this security was inadequate. Consequently, the Resolution Agreement emphasizes the need for covered entities to pay as close attention to physical safeguards for ePHI as they do to administrative and technical safeguards.