WLF Legal Opinion Letter
A Hazardous Precedent: Federal Agency Proposal Targets Workers' Private Health Records
By Victor E. Schwartz, Phil Goldberg & Christopher E. Appel
August 3, 2012 (Vol. 21 No. 17)
For decades, Congress and the federal judiciary, led by the Supreme Court of the United States, have expressed concern over unwanted disclosures of personal data or private health information. These privacy concerns have been amplified in today's Internet-driven age, with stories regularly emerging of highly personal information becoming at risk due to leaks and computer hackings, as well as concerns some policy makers have over legitimate endeavors related to tailored Internet marketing. Yet, some federal agencies seemingly cast these concerns aside when they believe forcing disclosure of such personal, private records will serve their purposes. Such is the case with the Federal Mine Safety and Health Administration (MSHA), which has issued a rule requiring mine operators to turn over personal medical records of their employees whenever MSHA seeks this information in auditing a mine's records.
The Federal Mine Safety and Health Review Commission recently upheld the authority of MSHA to issue the proposed rule. When MSHA initiated the new policy in 2010, MSHA sought private health records of mine workers at thirty-nine mines as part of its regular audit program to see whether the mines were in compliance with reporting obligations for workplace injuries and illnesses. The demands were not accompanied by any allegations that the mines had failed to comply with their reporting obligations or indications that there were insufficient workplace safety practices at the mines. MSHA also did not have basic protections in place to assure the continued privacy of the records once turned over to the government.
Mine operators and mine workers both objected to this new rule. The operators asked MSHA to meet with them to discuss ways they could validate their workplace safety reports without providing confidential employee records. This is why: MSHA had never made such a request before, does not require operators to keep these records, and had not engaged in any notice and comment rulemaking to seek input from mines and mine workers on the privacy and liability implications of this new policy. MSHA refused to meet with the operators and, instead, started enforcement actions against the operators for not complying with the new rule.
The mine workers intervened in the enforcement action, urging the Review Commission to reject the rule and asking operators not to turn over their medical records. The records could reveal intimate and potentially awkward details of miners' and their families' physical and mental illnesses and therefore should not be viewed by MSHA officials who live and work in the same communities as the miners. These types of records are also generally protected by a number of federal laws, including the Health Insurance Portability and Accountability Act, the Family Medical Leave Act, and the Americans with Disabilities Act. In response to these objections, MSHA added some privacy protections, but did not drop the rule or the enforcement action against the mine operators.
When the Commission entered its ruling in May 2012, it concluded that MSHA was acting within its statutory authority and did not need to engage in notice and comment rulemaking. See Blue Ridge, Inc. v. Secretary of Labor, MSHA, 2012 WL 2069674 (May 24, 2012, F.M.S.H.R.C.). But several of the Commissioners had used the October 2011 hearing on the rule to voice concerns that MSHA did not have privacy protections in place necessary for maintaining the highly personal records. Commissioner Young, who supported MSHA's authority to pursue its initiative, said last year that he was "disappointed" that MSHA would not talk with operators about the operators' "reasonable concerns." Commissioner Nakamura, who also sided with the majority, called the initiative "haphazard," and commended the mines for forcing MSHA to "think harder" about the policy and appropriate privacy safeguards.
Commissioner Duffy, the lone dissenter, said that the privacy protocols, in addition to being the right policy, are constitutionally required. In his written dissent, he called it "fatal" to the order's validity that the protections were "not finalized and made public until the very eve of the hearings in these cases and was still undergoing public explanation and clarification during and after oral argument." The Commission ultimately concluded that "the tardiness of the protections is insufficient to invalidate the audit initiative."
Even if MSHA and other agencies can require such disclosures (which is an open question, as briefing in the mines' appeal before the Seventh Circuit is expected in September), they should exercise that authority the right way: by engaging in notice and comment rulemaking so that all issues and stakeholders can be considered and addressed in a fair, appropriate manner. Mine operators and workers could then give input and better prepare for and abide by this new requirement. If the current rule, despite its original lack of privacy protections, is upheld, the door could be opened to further expansion of federal intrusion into people's personal lives and subject employers to privacy tort suits from employees whose records are disclosed to the government.
The Equal Employment Opportunity Commission (EEOC) recently put employers in a similar legal pickle by, ironically, issuing a new guidance denying employers the right to see potentially useful public information about job applicants. Here, the EEOC imposed restrictions on the use of individual criminal history background checks in the hiring process. While this guidance can assure employers will consider job applicants with a criminal history--which is its goal--courts are placing a greater duty of care on employers to conduct such background checks. For instance, an Indiana appellate court recently determined that a hotel operator could be held liable for not conducting such a background check on an employee who murdered a hotel guest. See Santelli v. Rahmatullah, 2012 WL 1066102 (Ind. Ct. App., Mar. 29, 2012).
Whether at the hand of MSHA, EEOC or other federal agency, employers cannot be left in a "no-win" situation: fail to follow a rule or guidance and have trouble with the government, or comply and expose themselves to other difficulties, including strained employee relations and major tort litigation. When making public policy decisions on the use of personal information, particularly highly sensitive private data, federal agencies should not act with tunnel vision on their own objectives. In the case of MSHA, it is now up to the courts to assure that the agency properly considers the personal, business, and legal implications of their rules before requiring mine operators to turn over the personal medical records of their employees.
Victor E. Schwartz is Chairman of the Washington, D.C.-based Public Policy Group of the law firm Shook, Hardy & Bacon L.L.P. Phil Goldberg is a partner, and Christopher E. Appel is an associate, in the group.