Tag Archives: civil rights

How Strict Can a Dress Code Be?

Does your company have a “look” or standard of dress it requires in the workplace? No hats, or maybe no beards? Can you deviate from the dress code?

Increasingly, employees and applicants for employment are making “failure to accommodate” claims on the grounds that they were discriminated against because they needed a change or exception to a workplace grooming or dress policy. Examples of religious discrimination or failure to accommodate include not hiring an applicant because she doesn’t fit the company’s “look,” or placing an employee in a non-customer-facing position because of religious attire or grooming (e.g., a long beard, piercings or a head scarf).

The law

Title VII of the Civil Rights Act of 1964 (“Title VII”), 42 U.S.C. § 2000e et seq., as amended, prohibits employers with at least 15 employees from discriminating on the basis of religion in hiring, recruitment, promotion, benefits, training, job duties, termination or any other aspect of employment. It also prohibits retaliation against employees who complain of religious discrimination or participate in the investigation of such claims, and it prohibits denying reasonable accommodations, including accommodations for religious attire or grooming standards. It is the EEOC’s position that an employer is required to reasonably accommodate an employee’s religious beliefs or practices unless doing so would cause more than a minimal burden on the operations of the employer’s business.

Title VII only provides protection to sincerely held religious beliefs and practices about dress code. These protections are broadly interpreted and cover not only traditional religious beliefs but also those that are new and uncommon. If an employee merely makes such a request for accommodation based on personal preference rather than religious belief, there are no Title VII protections or implications. However, the requirement that employers and their management learn to distinguish between these two types of requests can be daunting and dangerous in light of the litigious society we live in.

Recent case

In February 2015, the United States Supreme Court heard arguments in a case filed against Abercrombie & Fitch, where a Muslim applicant was rejected after wearing a head scarf (known as a hijab) to an interview, based on the hiring manager’s belief that such a covering violated the company’s rigid “look” policy, which forbids caps and hats. The applicant never asked for an accommodation, and the employer never opened a dialogue as to whether a reasonable accommodation to the dress code would be necessary. Once a ruling is issued, we hope the Supreme Court will provide guidance as to when an employer has an obligation to open a dialogue about religious accommodation without the employee or applicant making such a request.

Takeaway

To ensure compliance with the law, employers must be informed and vigilant when applying workplace uniform, “look” or grooming policies, particularly as they apply to employees or applicants in need of a religious accommodation. Management or hiring decision makers should be trained on how to implement religious accommodation requests, specifically, learning to identify and understand religious clothing accommodation requests and how to properly engage in such discussion. When in doubt as to the proper handling of a religious clothing accommodation, we suggest that you contact a labor and employment lawyer before making employment decisions. Your attorney can also help identify potential pitfalls in uniform, look or other clothing policies. Further, a well-designed employment practices liability (EPL) insurance policy should be purchased to mitigate potentially costly financial damage, should you be faced with a discrimination suit based on religious dress or grooming.

Is EEOC an Unlikely Friend on Work Comp?

The traditional school of thought since the Americans with Disabilities Act (ADA) was enacted in 1990 has been that it does not apply to state workers’ comp cases because they involve temporary disabilities and work restrictions. Claimants were not considered “qualified individuals with a disability” under the ADA. Even if the ADA provision for a “reasonable accommodation without undue hardship” was taken into consideration, the process would not begin until the claimant reached maximum medical improvement (MMI). But informal EEOC guidelines released in December 2014 stated that these traditional understandings may not be legal.

The EEOC release stated that it is “not true” that MMI should be considered the trigger for ADA-related protections for employees and obligations for employers. Employers must begin the ADA interactive process for return to work (RTW) much sooner than commonly thought. The EEOC is saying that workers’ comp and the ADA process are to run simultaneously, not sequentially. In addition, the worker must be an active participant in the process. This is a major surprise to many in the industry.

I have been a proponent of using “the spirit of the ADA” to implement return-to-work practices in workers’ comp programs for 25 years. (See previous ITL article, “Return-to-Work: A Success Story,” June 25, 2014.) However, these new “interactive process” guidelines may change the whole practice of RTW in workers’ comp because most employers and their third-party administrators (TPAs) or insurers typically postpone attempts at a reasonable accommodation until the claimant reaches MMI. That may now be construed as a violation of employee rights and employer obligations under the ADA.

In addition, the EEOC guidelines give a very broad definition of disability and when it applies under the ADA. The EEOC spokesperson said the ADA applies “all the time” and “as soon as notified” when “a medical condition has the potential to significantly disrupt an employee’s work participation. . . . The only relevant question is whether the disability is now, or is perceived as potentially, having an impact on someone’s ability to perform their job, bring home a paycheck and stay employed.”

That is a mouthful to swallow and think about. The ADA would apply if the disability is “perceived” as having an impact on the ability to perform a job. Perceived by whom? The employer? The employee? The physician? What physician?

What does this mean for employers?

The EEOC stated that its biggest concern is the employee who has a disability but who can perform the essential functions of a job with a reasonable accommodation. The cause of the disability is considered irrelevant under the ADA. It will now be very difficult for employers to say that a worker is not a “qualified” individual under the ADA because the person obviously held the job prior to the disability.

The EEOC stated that everyone, including treating physicians, TPAs and employers, should “keep that in mind” but that only the employer is accountable for complying with the ADA. Treating physicians and employer vendors who fail to communicate with employers during the “stay @ home” process may be exposing the employer to increased risk and liability, and the EEOC spokesperson said this failure would be particularly troublesome if a treating physician who is picked by the employer doesn’t tell the employee about adjustments that might allow her to work. The employer may be liable for failing to provide that accommodation even if not properly passed along. The EEOC spokesperson went on to say that physicians and vendors should be educating employers. But who, may I ask, is educating the physicians and employer vendors?

How should employers react to these EEOC process guidelines for workers’ comp and other non-occupational disability programs? Employers should embrace them!

Most of what is truly considered workers’ comp managed care and RTW best practice is encompassed in these interactive guidelines: prompt, high-quality medical care followed by 24-hour contact between workers, treating providers and supervisors. Safe return to work, with or without reasonable accommodations, should be the goal from day one and documented in each case, even without intervention by the EEOC.

Sebastian Grasso (sgrasso@windhamgroup.com), CEO of Windham Group in Manchester, NH, which specializes in “failed return-to-work,” agrees and argues that the EEOC action should be a “wake-up call” for employers. Grasso, like several other industry experts interviewed for this article, said that in his 25-year career in the RTW business his employer/insurer clients have never brought up the ADA in workers’ comp cases. He said the two problems faced on a daily basis in the workers’ comp industry that severely hamper RTW efforts are erroneous job descriptions and inflexible employers who won’t take injured workers back unless they are “100%.” This traditional mindset and passive approach to RTW may now be considered an ADA violation, so employers and insurers may have to re-think their RTW policies and procedures.

Grasso stated: “We get injured workers back to their original jobs; it’s what we do every day. It’s the right thing to do; it’s non-adversarial and benefits all the players in the process.” This approach appears to be both within the spirit and now the actual guidelines of the ADA, according to the EEOC.

Ted Ronca (medsearch7@optionline.net), a leading workers’ comp and disability attorney based in New York, also stated that he has never seen the ADA brought up in a workers’ comp case in New York in the past 24 years. Ronca also feels employers should “champion” the new approach for workers’ comp RTW programs. He recommends that employers first establish job requirements and bring the employee into these preliminary discussions: ask the worker for his input on reasonable accommodations and document the discussion.

Back when the ADA was enacted in 1990, many believed a slew of litigation would result from workers’ comp cases. This has rarely, if ever, happened. Most experts I have spoken to are not aware of any cases, but the original fears may now come to fruition. As Ronca noted: “75% of the cases in the New York work comp system involve cases where the claimant’s attorney is claiming total disability and seeking a lump-sum award.” Getting that injured worker back to work is not on the claimant’s attorney’s agenda, but it should be on the employer’s.

Employers should not fear the ADA but embrace it. The ADA has built-in protections for employers, such as the requirement that any accommodation be “reasonable without undue hardship,” where “undue hardship” means significantly difficult or expensive. In addition, employers are not required to eliminate or reduce the essential functions of a job, even temporarily. The EEOC is simply saying that employers may choose to reduce job demands and productivity expectations on a case-by-case basis and that no blanket policy is appropriate.

However, the EEOC goes on to say that the ADA cannot be used to deny a benefit or privilege to which an employee is entitled, such as time off under the Family and Medical Leave Act (FMLA), workers’ comp, disability, sick leave, accrued vacation or any other leave and benefits. The EEOC considers the ADA “civil rights for people with disabilities.”

I just loved the EEOC comment that an employer’s stay @ home policy is not a reasonable accommodation. Not only is an interactive process the right thing to do for disabled workers, it will save money, improve productivity and protect employers from potential ADA violations and obligations.

It may be time to rethink your return to work program. It’s about time!

EEOC Suit Against CVS Raises Concerns

The Equal Employment Opportunity Commission has challenged the legality of provisions commonly included in severance, separation or other settlements with employees being terminated. These provisions state that settlement benefits are to be paid only if the employee doesn’t file charges or otherwise communicate with the EEOC.

Employers planning to use such provisions should note a lawsuit filed by the EEOC against the nation’s largest integrated provider of prescriptions and health-related services, CVS Pharmacy.

In Equal Employment Opportunity Commission v. CVS Pharmacy, Inc., CA no. 14-cv-863 (N.D. Ill., 2014), the EEOC charges that CVS violated employees’ right to communicate with the EEOC and file discrimination charges. The EEOC says CVS committed the violation through an overly broad severance agreement that ran to five pages of small print.

The lawsuit claims CVS violated Section 707 of Title VII of the Civil Rights Act of 1964, which prohibits employer conduct that constitutes resistance to the rights protected by Title VII.

The lawsuit also is notable because it is not filed in response to an investigation of a discrimination charge. According to the EEOC, Section 707 permits the agency to seek immediate relief without the same pre-suit administrative process that is required under Section 706 of Title VII, and does not require that the agency’s suit arise from a discrimination charge.

“Charges and communication with employees play a critical role in the EEOC’s enforcement process because they inform the agency of employer practices that might violate the law,” according to the EEOC attorney leading the litigation, John C. Hendrickson. “For this reason, the right to communicate with the EEOC is a right that is protected by federal law. When an employer attempts to limit that communication, the employer effectively is attempting to buy employee silence about potential violations of the law. Put simply, that is a deal that employers cannot lawfully make.”

EEOC District Director Jack Rowe added, “The agency’s most recent strategic enforcement plan identified ‘preserving access to the legal system’ as one of the EEOC’s six strategic enforcement priorities. That was no accident. The importance of employees’ ability to participate in the agency’s process, free from fear of adverse consequences, cannot be overstated. It is always difficult for an employee to report employer discrimination to federal law enforcement officials. Anything that makes that communication harder increases the risk that discrimination will go unremedied.”

The litigation showcases the need for employers to use caution when attempting to prevent employees from reporting to or cooperating with regulators investigating suspected discrimination or other legal violations. The EEOC’s challenge in the CVS litigation is not unique. Challenges have arisen under a wide range of federal and state laws.

The Labor Department’s Wage and Hour Division has rules stating that settlements with terminated employees that did not involve the division give employers no shield from investigations by the agency or from enforcement of wage and hour laws. The Justice Department and other government enforcement agencies often view confidentiality provisions as prohibited obstruction or retaliation. In addition, government investigators often view the existence of gag rules as evidence that an organization does not maintain the required culture of compliance.

The CVS litigation also cautions businesses against taking for granted the appropriateness of their current agreements with employees. The EEOC challenge is just one of several developments that can affect the design and use of severance, separation and other settlement agreements with employees intended to resolve employment discrimination claims. While many employers may assume they can safely use agreements used in connection with previous terminations, the CVS litigation highlights the potential advisability of seeking the advice of qualified legal counsel, even if the employer benefited from the advice of legal counsel in drafting the previous agreement.

More Issues With Healthcare Privacy

Think your healthcare organization or health plan has healthcare privacy covered? Think again.

A series of supplemental guidance documents issued by the Department of Health and Human Services Office of Civil Rights (OCR) in recent weeks is giving healthcare providers, health plans, healthcare clearinghouses (covered entities) and their business associates even more to do. They must review and update their policies, practices and training for handling protected health information. This is in addition to bringing their policies and practices into line with OCR’s restatement and update to the Omnibus Final Rule that OCR published Jan. 25, 2013.

Covered entities generally had to be in compliance by Sept. 23, 2013, but many covered entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.

Even if a covered entity or business associate completed the updates, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against covered entities and business associates published by OCR since Jan. 1, 2014 alone:

  • HIPAA Privacy Rule and Sharing Information Related to Mental Health
  • Spanish Language Model Notices of Privacy Practices
  • CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
  • Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)

Beyond this 2014 guidance, covered entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule, such as:

  • HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool
  • The HIPAA Privacy Rule and Refill Reminders and Other Communications About a Drug or Biologic Currently Being Prescribed for the Individual
  • Health Information of Deceased Individuals
  • Student Immunizations
  • Model Notices of Privacy Practices (English)

With OCR stepping up both audits and enforcement and penalties for violations, covered entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, covered entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions but should document their commitment and continuing compliance and risk-management activities, while taking well-documented, reasonable steps to encourage business associates to do the same. This documentation could help demonstrate that an organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation.

When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, such as: the privacy and data security requirements that often apply to personal financial information; trade secrets or other sensitive data; and judicial precedent.

Privacy Enforcement In The Healthcare Arena

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation’s website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all time. Further, according to the Ponemon Institute’s 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate[1] should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of HITECH that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in the absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization’s ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy-related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

  • Am I prepared to show that I took the proper steps before a data breach occurred?
  • Do I have an effective incident response plan in place when there is a problem?
  • Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
  • Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don’t have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization’s issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization that owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control over the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider’s control. When it comes to the handling of an organization’s reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company’s own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third-party vendor to hold private health information for which the entity is responsible, it should be reviewing the vendor’s professional liability insurance rather than just asking whether the vendor has a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

  • 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
  • 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
  • Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
  • 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
  • 1st Party Privacy
    • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
    • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
    • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
    • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim’s credit rating following an actual identity theft.
    • Crisis Management — Public Relations expense coverage to protect the image of the organization.
  • Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information means that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

[1] A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. (For more information, see hhs.gov.)