Posts tagged HIPAA.
Blogs (5 minute read)

As previously noted, the Illinois Biometric Information Privacy Act (BIPA) has invited a great deal of litigation, often resulting in interpretations favorable toward plaintiffs. As a result, we advise employers who use biometric technology in Illinois workplaces to adhere carefully to their obligations under BIPA. While that advice won’t change, employers operating in the health care sector can take some – though not too much – comfort in a recent ruling that limits their exposure under this law.

In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court delved ...

Blogs (4 minute read)

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

Blogs (5 minute read)

As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.

As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.

Blogs (6 minute read)

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

Blogs (6 minute read)

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act is designed to address at the governmental level, because the vulnerability can detrimentally affect ...

Blogs (9 minute read)

Many employers have established wellness programs to promote employee health and, in doing so, help counter the ever increasing costs associated with employer-sponsored health benefit plans. Often employers want to establish programs that provide employees with incentives to achieve certain health outcomes, such as smoking cessation or weight loss. Employers must exercise caution in creating such health-contingent wellness programs, which necessarily require employees to disclose health information, because the Americans with Disabilities Act (“ADA”) and the ...

Blogs (less than a minute)

Our Employee Benefits and Executive Compensation practice now offers on-demand “crash courses” on diverse topics. You can access these courses on your own schedule. Keep up to date with the latest trends in benefits and compensation, or obtain an overview of an important topic addressing your programs.

In each compact, 15-minute installment, a member of our team will guide you through a topic. This on-demand series should be of interest to all employers that sponsor benefits and compensation programs.

In our newest installment, Tzvia Feiertag, Member of the ...

Blogs (less than a minute)

Our colleague Brian Cesaratto at Epstein Becker Green has a post on the Health Law Advisor Blog that will be of interest to our readers in the technology industry: "Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat."

Following is an excerpt:

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring ...

Blogs (2 minute read)

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.” (Download the full article in PDF format.)

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy concerning protection of plan data and prudent selection and monitoring of plan service providers who handle PII. Benefit plan service providers, including technology-based outsourcing companies, should also consider these important guidelines and implement the appropriate safeguards to protect against infringement of plan and participant ...

Blogs (3 minute read)

In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive ...

Blogs (less than a minute)

By Ian Carleton Schaefer

The newest issue of Take 5 is online, featuring contributions from Michelle Capezza, Nancy Gunzenhauser, Marshall Jackson Jr., Brandon Ge, Gregg Settembrino, and myself, colleagues in our firm’s Technology, Media, and Telecommunications (TMT) Strategic Industry Group.

In this issue, we cover employment issues in “The Cloud”:

  1. Solving Rainy Day Problems While It's Only Partly Cloudy: Wage and Hour Concerns
  2. PHI in the Cloud: HIPAA, Data Privacy, and Data Security
  3. The Cloud, the Evolving Role of the CIO, and the Increasing Importance of Attracting ...

Blogs (7 minute read)

By Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how companies operate. It seems to be business as usual, as your hospitality company continues to collect, use and transmit large amounts of sensitive data to operate the business. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse ...

Blogs (6 minute read)

By Frank C. Morris, Jr. and Jordan B. Schwartz

An employer's wellness program—despite certain "penalty" provisions—was recently held not to be discriminatory under the Americans with Disabilities Act ("ADA") by the U.S. Court of Appeals for the Eleventh Circuit in Seff v. Broward County. The Eleventh Circuit found the wellness program, sponsored by Broward County, Florida ("County"), was established as a term of the County's insured group health plan and, as such, fell under the ADA's bona fide benefit plan "safe harbor" provision. This ruling is welcome news for employers with or considering wellness programs.

However, if the County's wellness program had not been found to be a part of the County's health benefits plan, then potential plaintiffs or the Equal Employment Opportunity Commission ("EEOC") would likely have argued that the wellness program runs afoul of the EEOC's views on "voluntariness" requirements for employer-sponsored wellness programs.

The ADA's Impact on Wellness Programs

Wellness initiatives seek to boost employee productivity and reduce both direct and indirect medical costs, which are desirable outcomes for employers. Employer-sponsored wellness programs have grown exponentially over the past decade, as employers have increased their focus on controlling health care costs and improving the overall safety and health of employees. According to recent studies, approximately 46% of participating employers had implemented wellness programs. Despite the growing popularity and positive aspects of wellness programs, legal uncertainties surrounding these programs—including restrictions imposed by the ADA, the Genetic Information Nondiscrimination Act ("GINA"), and the Health Insurance Portability and Accountability Act ("HIPAA")—have presented obstacles to their implementation and growth.

Certain ADA restrictions have contributed to many employers declining to start wellness programs. Specifically, the ADA prohibits employers from making disability-related inquiries or requiring medical examinations of prospective or current employees unless they are job-related or subject to a business necessity exception. On the other hand, voluntary medical exams are permitted so long as the information obtained is kept confidential and not used to discriminate. There is little guidance, however, either from the courts or the EEOC, analyzing whether an employer-sponsored wellness program that encourages participation by providing incentives, or penalizes non-participation, can be considered "voluntary" and therefore permissible under the ADA.

The ADA has certain safe harbors for insurers and bona fide benefit plans that exempt such programs from ADA restrictions. Under these safe harbors, employers, insurers, and plan administrators are permitted to establish a health insurance plan that is "bona fide" based on underwriting risks, classifying risks, or administering such risks that are based on or not inconsistent with state law. Thus, if a wellness program qualifies for the ADA's safe harbor provision, an employer need not worry whether such program otherwise would have been considered voluntary. Notably, the EEOC has not addressed wellness programs and the ADA's safe harbor provision.

Seff v. Broward County

In October 2009, the County adopted a wellness program for its employees as part of its health plan open enrollment. The wellness program consisted of three parts: (1) a biometric screening consisting of a "finger stick" to measure glucose and cholesterol; (2) disease management for five specified conditions; and (3) an online Health Risk Assessment ("HRA"). Participation in the program was not required as a condition of participation in the County's health plan, but employees who did not undergo the screening or complete the HRA incurred a $20 bi-weekly charge subtracted from their paychecks.

In response to this program, current and former County employees who enrolled in the County's health insurance plan and incurred the $20 bi-weekly fee filed a class action lawsuit in the U.S. District Court for the Southern District of Florida. They alleged that the wellness program's biometric screening and online HRA violated the ADA's prohibition on non-voluntary medical examinations and disability-related inquiries. The County argued that its wellness program was part of its health plan and, as such, fell under the ADA's safe harbor provision.

The primary question addressed by the district court was whether the wellness program was a "term" of a bona fide benefit plan, which would allow it to come within the ADA's safe harbor provision for such plans. In granting summary judgment to the County, the district court determined that the program was indeed a "term" of the County's group health plan based on the following three factors:

  1. The health insurer offered the wellness program as part of its contract to provide insurance, and paid for and administered the program;
  2. The wellness program was available only to plan enrollees; and
  3. The County presented a description of the wellness program in at least two employee benefit plan handouts.
