A review of current HR privacy issues

By Brian O’Connor, CIPP and Amy Yates, CIPP

Wellness programs and medical inquiries

Many employers are offering wellness programs to employees in an effort to reduce overall health insurance spending and to reduce employee absence due to illness. Typical offerings include exercise, weight reduction, and stress management programs.

Employee participation is, of course, key to the success of these programs and their positive impact on the company’s bottom line. Incentives directly impact employee participation. However, the use of incentives can raise legal issues as well as complaints from employees who may not qualify for the incentives.

Some employers offer incentives in the form of cash payments, days off, reduced health insurance premiums, waived deductibles, and health coaches. In return, employees may be asked to complete an annual health exam, fill out a questionnaire, undergo biometric screening, attend meetings, or consult with a health counselor.

The provisions of HIPAA (Health Insurance Portability and Accountability Act) impose certain limits on wellness programs. Title I of HIPAA prohibits discrimination on the basis of “health factors” such as medical conditions, disability, claims history, genetic factors, and others. However, HIPAA also contains an explicit exception for certain types of wellness programs.

“Unregulated” wellness programs may be offered without restriction by employers. Such programs provide rewards regardless of health factors, or have no incentives at all. If incentives are offered, they must be so low that an employee’s decision to provide health information would be considered voluntary under the Americans with Disabilities Act. Examples include the reimbursement of fees for joining a health club or a smoking-cessation program, or encouraging participation in preventative care by waiving a deductible.

In contrast, programs that offer benefits or impose penalties based on health factors are regulated by HIPAA. Under this type of program, an employee might be offered lower premiums if they do not smoke, if their cholesterol level is, for example, below 200, or if their body mass index is below a certain level. Because these programs may penalize less healthy employees, the programs are allowed only if they meet five conditions:

   1. The programs must promote health improvement, not just reward healthy employees. Also, they cannot be a subterfuge for discrimination against people with disabilities.

   2. The combined value of all incentives must be less than or equal to 20 percent of the total premium for single employee coverage. The incentive may not affect eligibility for a health benefit.

   3. All employees must be made eligible at least once each year.

   4. The incentives must be available to all “similarly situated” individuals. Furthermore, if an employee may not be able to meet an eligibility factor due to a medical condition, or doing so is medically inadvisable, then    the employer must offer a “reasonable alternative” measure of eligibility (e.g., a low-salt diet as an alternative to low blood pressure readings).

   5. Plan materials describing program terms must mention the availability of “alternative standards.”

In addition to these rules, employers should seek legal advice on the data privacy requirements under HIPAA and the ADA, which will apply to any medical information that employees provide while participating in such programs. Also, it is important to get legal advice on the disability discrimination issues that arise under the ADA and state disability discrimination laws. Finally, some wellness programs that offer “medical care” are covered by ERISA (the Employee Retirement Income Security Act), which imposes additional requirements and restrictions.

Despite the legal complexities, many employers believe that wellness programs improve employee health enough to generate significant savings in health insurance costs and illness absences.

Employee monitoring

Another evolving area relating to employee personal data is the use of electronic monitoring tools to discover employee theft, fraud, and other types of misconduct in the workplace or on the employer’s computer and communication systems. The following is a very-high-level summary of what is generally allowed and prohibited in the U.S. Additional restrictions may exist under certain state laws. In addition, many types of electronic monitoring are prohibited in the European Union and in countries with similar privacy legislation.

In the U.S., most legislation on electronic monitoring recognizes the rights of employers as property owners, who should be free to observe what employees do while on the employer’s property and while using the electronic resources that the employer has purchased for employees to perform their jobs.

Employers now use electronic devices to conduct monitoring inexpensively, as compared to decades-old efforts involving legions of supervisors and security guards. The tools may be as simple as access systems that record data from an employee’s ID badge as they enter and leave the workplace, or as sophisticated as “content monitoring” software that silently registers activities by all users in the employer’s computer system, then flagging or prohibiting certain behaviors that may indicate misconduct by an employee.

Employees in the U.S. have no general right of privacy in the workplace under the federal Constitution, or under most state constitutions. A few state constitutions create employee privacy rights, and a number of states recognize certain privacy torts. While courts have rarely interpreted either to create significant restrictions on the most typical types of employer monitoring, more recent cases have created some exceptions.

Telephone monitoring
The federal “wiretap” law has regulated telephone monitoring since the mid-twentieth century. Generally, it prohibits the interception of telephonic conversations without the express consent of at least one participant. However, it also recognizes the right of “service providers” to intercept calls in the normal course of providing the service. Employers are often deemed to be providers of their own phone systems, and therefore have a limited right to monitor calls of a non-personal nature. However, it is advisable for employers to obtain consent from its employees to the monitoring of calls. For example, an employer may want to get written consent from employees in a call center as a condition of taking the job. This will allow unlimited monitoring of calls by the employer, except in 12 states that require two-party consent. For calls in those states, or involving individuals in those states, most companies use a pre-recorded notice of monitoring. If the caller stays on the line, they give an implied consent to monitoring.

Video monitoring

Many employers place video cameras at facility entrances, in parking lots, and in warehouses or other locations with a higher risk of employee theft. The cost of this technology continues to decrease.

There is no federal law restricting the private use of silent video monitoring. Consequently, an employer may place video cameras in almost any location on its property, without prior notice to employees. Note that in Connecticut and Delaware, employers must post notices of their video monitoring activities before beginning such activities. In addition, New York and a number of other states have laws prohibiting or restricting the use of video in locker rooms, changing rooms, and similar locations. Placing a camera in an employee’s office might create a common-law invasion of privacy claim in California and a few other states if the employee has a reasonable expectation that their office is generally private, and the employer has not notified them of their right to monitor activities in such locations.

E-mail, text messages, and Internet use

In 1986, the wiretap laws were amended by the Federal Electronic Communications Privacy Act to cover the interception of electronic communications, including e-mail. The Stored Communications Act further amended the laws to protect electronic communications in storage on computers. However, these laws continued the exceptions that allow the interception of communications with the consent of one party, as well as the right of “service providers” to monitor communications in their systems.

More specifically, if an employer is the “provider” of the equipment and applications that facilitate e-mail and text messaging, it is free to review any message stored in its systems without prior notice to, or consent from, anyone using those systems. As a result, even if an employer reads an employee’s personal e-mails or texts sent via the employer’s systems, the employee has no claim under federal law. In addition, few state courts have found such activities to violate common law, unless the employer has led an employee to believe that their use of such systems would not be monitored.

The situation is more complicated if an employer uses a vendor to provide e-mail, text messaging, or instant messaging services to employees. In such cases, even if the employer is the “subscriber” to such services, some courts have held that the employer may not compel the vendor to provide copies of an employee’s messages without the employee’s consent. As a result, employers who purchase such services from vendors should obtain a blanket consent from each employee as a condition of using such messaging services. In addition, employer policies should make clear that an employee must consent to any later employer request for copies of such messages in the course of an employer investigation. See Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008); but compare with Flagg v. City of Detroit, 2008 WL 3895470 (E.D. Mich. Aug. 22, 2008).

Even better, an employer should arrange for copies of all messages to be stored on the employer’s own systems. These copies are very useful as backups, and for litigation purposes. Moreover, copies stored on the employer’s equipment are not subject to the Stored Communications Act, and may be reviewed by the employer without an employee’s prior notice or consent. See Hilderman v. Enea, 551 F. Supp. 2d 1183 (S. D. Cal. 2008).

All employers should have a policy on the use of its electronic resources and communications systems, and should have employees acknowledge the policy or agree to its terms. Such a policy should make clear that all systems and messages are the property of the company; that employees should use them for business purposes only; that they should have no expectation of privacy with respect to their use of the systems or the messages they send; that the employer can and will review employee messages; that the employee agrees that any vendor of messaging services may provide copies of all messages to the employer; misuse of the systems is prohibited and may result in termination of employment; and that the policy may not be modified orally, but only in writing by a company officer.

For more on the topic of employee monitoring, see the article “Employee monitoring technologies and data privacy—no one-size-fits-all globally” in the May issue of the Privacy Advisor.

Brian O'Connor, CIPP, is chief security and privacy officer at the Eastman Kodak Company, where he coordinates the development and implementation of employee data and information security policies. He directs Kodak’s Corporate Security group, which conducts investigations, manages a global badge and access control system, and provides executive protection services. Before his appointment as CSPO, O’Connor was senior counsel in Kodak’s Employment Law Legal Staff, advising management and human resource professionals on all legal issues relating to applicants, employees, and former employees.

Amy Yates, CIPP, is a director in the Security and Privacy Services practice at Deloitte & Touche LLP, and is aligned with its Security and Privacy Services Center of Excellence. She advises domestic and international clients on a wide range of privacy and data protection issues, working with clients to develop business solutions for addressing complex data protection requirements. Before Deloitte, Yates served as the chief privacy officer for Hewitt Associates LLC, where she established and led Hewitt's Privacy Office and its global privacy program for five and a half years.