EEOC Extends Workplace Protection for Sexual Orientation

On the heels of the U.S. Supreme Court’s landmark same-sex marriage decision, the EEOC has issued a decision of its own that could help extend workplace protections for the LGBT community. On July, 15, 2015, the EEOC ruled that existing civil rights laws bar workplace discrimination on the basis of sexual orientation. The complaint was filed by a federal air traffic control employee against the Secretary of the Department of Transportation, alleging that the complainant was denied a job opportunity because of his sexual orientation. After the Department dismissed the complaint, the complainant appealed the decision to the EEOC, which reversed the Department’s decision. Continue Reading →

FTC Action Should Serve as a Wake Up Call to Health Care Providers and Business Associates

Late in August of 2013 the Federal Trade Commission filed a complaint against medical testing company LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. In November of 2013, LabMD filed a Motion to Dismiss the complaint, arguing, among other things, that the FTC did not have the authority to regulate a private company’s data security practices as “unfair…acts or practices” under the FTC Act (15 U.S.C. §45(a)(1)). Included in LabMD’s argument was the contention that Congress, by enacting HIPAA, stripped the FTC of any authority that the FTCA over data security. The FTC Commissioners found LabMD’s arguments unpersuasive and in a January 16, 2014 order denied the Motion to Dismiss.


Health care providers and business associates should take heed that, while such enforcement has been rare, the FTC does have the authority to take action to protect consumers in data security matters that would normally be considered within the exclusive province of the Office of Civil Rights. HIPAA covered entities and business associates that handle patient information should remain vigilant in their efforts to maintain appropriate safeguards for patient information.

William Dillon
Board Certified in Health Law

Merry Christmas from the OCR – Dermatology Practice Settles Potential HIPAA Violations

On December 24, 2013 the HHS Office of Civil Rights (“OCR”) and Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts entered into a Resolution Agreement whereby the practice agreed to settle potential violations of the HIPAA privacy and security rules. The potential violations of HIPAA resulted from the theft of an unencrypted thumb drive, containing the ePHI of approximately 2,200 patients, from the car of a practice employee.

Upon being notified of the breach the OCR conducted an investigation and determined that the practice had failed to conduct and accurate and thorough analysis of potential risks to ePHI in the care of the practice. The OCR further determined that the practice did not have adequate written policies and procedures and did not adequately train employees.

The Resolution Agreement entered into between the practice and the OCR requires the practice to make a $150,000.00 payment to the OCR as well as implement a corrective action plan. The Resolution Agreement is not an admission of liability by the practice.

A copy of the Resolution Agreement may be found at:

Physician practices should view this settlement as clear indication that OCR expects the compliance of all covered entities and not just large entities such as hospitals, universities and managed care entities. Physician practices that are not yet in compliance with the HIPAA privacy and security rules should take the appropriate steps to come into compliance.

William Dillon
Board Certified in Health Law


In 2012, the EEOC issued guidance to employers regarding the use of criminal background checks as a pre-employment screening process. link The Agency believed that the use of criminal background check would or could lead to a disparate impact on black job applicants. In its guidance, the Agency stated, “National data supports a finding that criminal record exclusions have a disparate impact based on race and national origin.

On Tuesday, in its continued effort to limit the use of background checks, the EEOC filed suit against Dollar General Corp and a U.S. unit of German auto maker BMW, AG alleging that the companies’ policies regarding the use of background checks had the effect of discriminating against black applicants.

Despite its actions, EEOC senior Counsel James A. Paretti Jr., speaking the American Bar Association ‘s Labor and Employer Conference, explained that the EEOC was not seeking to bar the use of criminal background checks but wanted employers to at least consider what it calls the “Green Factors” in making its employment decisions. In Green, the 8th Circuit identified three factors that it considered relevant to assessing the applicant’s criminal record as it related to the job being sought. They are:

  • The nature and gravity of the offense or conduct;
  • The time that has passed since the offense or conduct and/or completion of the sentence; and
  • The nature of the job held or sought.

See Green v Missouri Pacific Railroad, 549 F.2d 1158 (8th Cir. 1977).
Employers are cautioned that the use of background checks without consideration of the “Green Factors” could lead to litigation by either a rejected applicant or the EEOC.

For more information on this case and other employment law related matters, please contact Brennan Donnelly at

Federal Judge Concludes that Florida Statute is Preempted by HIPAA

In an order issued on September 25, 2013, Judge Robert Hinkle of the United States District Court for the Northern District of Florida has ruled that a 2013 legislative change to the presuit process for pursing a medical-negligence claim is preempted by HIPAA.

In 2013, the Florida legislature added a new requirement to Florida’s medical-negligence claim presuit process whereby an individual who was considering pursuing a malpractice claim against a health care provider would be required to sign an authorization that would allow the defendant or the defendants attorney to conduct ex parte interviews of the plaintiff’s other health care providers, limited to matters pertinent to the potential malpractice claim. The Court held, among other things, that the mandatory authorization requirement was contrary to both the judicial and administrative protections of HIPAA, which allow an individual to object to a disclosure of medical information, as well as the authorization of requirements of HIPAA. Speaking to the authorization issue, the Court stated that “An authorization signed under duress-a gun to the head, for example-is not valid.”

Case Information: Murphy v. Dulay, Case No.: 4:13cv378-RH/CAS Northern District of Florida

By: William Dillon, Board Certified in Health Law

U.S. Department of Labor Finalizes Rules On Employment of Veterans and Disabled Persons

Employers with Federal Government contracts are affected by the final rule proposed by the USDOL. On September 24th the USDOL published two final rules in the Federal Register aimed at increasing hiring of disabled persons and veterans. The rules are effective on March 24th 2014 and federal contractors wil be required to comply with the new rules by that date. Both rules establish minimum goals for hiring disabled employees and veterans. You can view the new rule regarding veterans at You can view the new rule regarding disabled persons at

By: Brennan Donnelly

Consumer Fraud in the Health Insurance Market Place

Beginning on October 1, 2013, Floridians will have access to the Health Insurance Market Place that has been established as a result of the Affordable Care Act. Eligible consumers will be able to obtain information about available health insurance coverage options for them and their families. Unfortunately, there are those that would seek to take advantage of these consumers. Accordingly, the Office of the Inspector General for the Department of Health and Human Services has issued an alert, warning consumers of possible fraudulent scams that may be occurring in the market place. The Consumer Alert may be accessed via the following link:

By: William Dillon – Board Certified in Health Law

OCR Provides Guidance Regarding Student Immunizations

There have been barriers, real or perceived, which in some cases have prevented the timely exchange of student immunization records between health care providers and schools. In notice published on September 19, 2013, the Department of Health and Human Services, Office of Civil Rights published guidance that will, hopefully, facilitate the timely flow of student immunization information between health care providers and schools.

As explained in more detail in the link below, OCR will not require health care providers to obtain a formal written consent or authorization in order provide immunization records to a school. There must still be an agreement from the parent of a child to provide the records but such agreement may be oral or written. In either case, the health care provider would be required to document the parent’s agreement in the child’s medical records.

By: William Dillon, Board Certified in Health Law –

OCR Posts Model Notice of Privacy Practices

With the September 23, 2013 HIPAA compliance deadline just days away, the Department of Health and Human Services, Office of Civil Rights has published guidance to assist covered entities in complying with the new requirements under the Omnibus Rule. Below is a link to the OCR guidance and Model Notice.

William Dillon, Board Certified in Health Law