Legal Report – E-Verify Mandate And Mandatory Union Rights Posting For Federal Contractors and HIPAA Breach Notification Rule
By: Lawrence P. Postol
Vice President of Legislative Affairs
On August 25, 2009, the United States District Court for the District of Maryland upheld the E-Verify regulation, and federal contractors will now be required to use E-Verify as of September 8, 2009. United States Chamber of Commerce vs. Napolitano, 8:08-CV-03844 (8/26/09).
The regulation will require the federal government to include a clause in contracts that are awarded after the September 8 effective date requiring contractors to use E-Verify to confirm the identity and employment authorization of all new hires and of any current employees who are assigned to work under the government contract. The rule applies to all contracts of over 120 days with a value over $100,000. The regulation will also require subcontractors to use E-Verify if the value of their goods or services exceeds $3,000. There are a number of exceptions contained in the regulation.
The U.S. Chamber of Commerce and other interested parties had filed a lawsuit challenging the regulation in December 2008, arguing in part that the requirements imposed by the regulation violated the Illegal Immigration Reform and Immigrant Responsibility Act’s (IIRIRA) prohibition against mandating participation in the E-Verify program.
The court rejected this argument, however, ruling that if “[businesses] wish to enter contracts with the government,” the decision to do so “is a voluntary choice.” The court also upheld one of the more controversial provisions of the new E-Verify rule, which requires that contractors and subcontractors use E-Verify for existing employees who are assigned to the federal contract. The court stated that “nothing in IIRIRA explicitly prohibits the executive branch from using E-Verify for current employees.”
First-time participants in E-Verify will have 30 days to enroll in E-Verify, and they and existing participants will have 90 days thereafter to begin using E-Verify for existing employees and new hires.
On August 3, 2009, the Department of Labor issued a Notice of Proposed Rulemaking regarding proposed regulations to implement Executive Order 13496, which requires federal contractors to post notices informing employees of their rights under the National Labor Relations Act (“Act”). As proposed, the regulations would provide contractors with direction on the content, size, and form of the required notices. Furthermore, the regulations would make it clear that the notice requirements of Executive Order 13496 apply to contractors and subcontractors alike. In addition, the proposed regulations include exceptions and exemptions for certain types of federal contracts. Finally, the proposed regulations would set forth the standards and procedures to be used for complaints, compliance evaluations, and enforcement purposes.
The Department of Labor proposes that the notices indicate, among other things, that: (1) “the policy of the United States is to encourage collective bargaining;” (2) under federal law, employees have the right to organize a union and take collective action, “including attending rallies on non-work time, and leafleting on non-work time in non-work areas;” (3) employees have the right to “strike and picket, unless [their] union has agreed to a no-strike clause;” (4) employees may “choose not to do any of these activities, including joining or remaining a member of a union;” (5) it is illegal for an employer to question employees about union activities, discriminate against employees because of their union activities, or promise employees benefits to discourage union support; (6) it is illegal for an employer to “prohibit employees from wearing union hats, buttons, t-shirts, and pins in the workplace except under special circumstances;” and (7) it is illegal for a union to “discriminate or take other adverse action against [employees] based on whether [they] have joined or support the union.” The proposed notice also would provide information about the National Labor Relations Board and how to file an unfair labor practice charge.
The American Recovery and Reinvestment Act of 2009 (“the Act”) made several changes to the HIPAA privacy rules—including adding a requirement for notice to affected individuals of any breach of unsecured protected health information. On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the “Rule”) that lays out the specific steps that HIPAA-covered entities and their business associates must take. The Rule becomes effective September 23, 2009. HHS has stated that while it expects covered entities to comply with this Rule as of September 23, it will not impose sanctions for failure to provide the required notifications for breaches discovered through February 22, 2010. Instead, during such period it will work with covered entities to achieve compliance through technical assistance and voluntary corrective action.
The new requirements apply if all of the following are present:
On April 27, 2009, HHS issued the HITECH Breach Notification Guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. That guidance creates a safe harbor so that covered entities and business associates would not be required to provide the breach notifications required by the Act for PHI meeting these standards. PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following methods are used:
(1) Encryption. Electronic PHI is only secured where it has been encrypted. The HIPAA Security Rule specifies encryption to mean the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. The Rule identifies the various encryption processes which are judged to meet this standard. Further, such confidential process or key that might enable decryption must not have been breached. To avoid a breach of the confidential process or key, decryption tools should be kept on a separate device or at a location separate from the data they are used to encrypt or decrypt.
(2) Destruction. Hard copy PHI, such as paper or film media, is only secured where it has been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
The covered entity or business associate has the burden of proving why a breach notification was not required and must document why the impermissible use or disclosure fell under one of the exceptions. Covered entities should document the risk and other breach assessments accordingly.
The breach notifications required by the Act and the Rule are significant and are triggered by the “discovery” of the breach of unsecured PHI. A breach is treated as “discovered” by a covered entity as of the first day the breach is known, or reasonably should have been known, to the covered entity. Given that knowledge of a breach may be imputed, a covered entity should implement reasonable breach discovery procedures.
If you have any questions about the information in this article, you may e-mail Mr. Postol at Lpostol@seyfarth.com or call him at 202-828-5385.