March 2020 | Compliance Update

Federal Developments

DOT Office of Drug and Alcohol Policy and Compliance Notice

The Agricultural Improvement Act of 2018, Pub. L. 115-334, (Farm Bill) removed hemp from the definition of marijuana under the Controlled Substances Act.  Under the Farm Bill, hemp-derived products containing a concentration of up to 0.3% tetrahydrocannabinol (THC) are not controlled substances.  THC is the primary psychoactive component of marijuana.  Any product, including “Cannabidiol” (CBD) products, with a concentration of more than 0.3% THC remains classified as marijuana, a Schedule I drug under the Controlled Substances Act. We have had inquiries about whether the Department of Transportation-regulated safety-sensitive employees can use CBD products.  Safety-sensitive employees who are subject to drug testing specified under 49 CFR part 40 (Part 40) include pilots, school bus drivers, truck drivers, train engineers, transit vehicle operators, aircraft maintenance personnel, fire-armed transit security personnel, ship captains, and pipeline emergency response personnel, among others.  It is important for all employers and safety-sensitive employees to know:

  • The Department of Transportation requires testing for marijuana and not CBD.
  • The labeling of many CBD products may be misleading because the products could contain higher levels of THC than the product label states. The Food and Drug Administration (FDA) does not currently certify the levels of THC in CBD products, so there is no federal oversight to ensure that the labels are accurate. The FDA has cautioned the public that: “Consumers should beware purchasing and using any [CBD] products.”  The FDA has stated: “It is currently illegal to market CBD by adding it to a food or labeling it as a dietary supplement.”  Also, the FDA has issued several warning letters to companies because their products contained more CBD than indicated on the product label.
  • The Department of Transportation’s Drug and Alcohol Testing Regulation, Part 40, does not authorize the use of Schedule I drugs, including marijuana, for any reason. Furthermore, CBD use is not a legitimate medical explanation for a laboratory-confirmed marijuana positive result. Therefore, Medical Review Officers will verify a drug test confirmed at the appropriate cutoffs as positive, even if an employee claims they only used a CBD product.

 It remains unacceptable for any safety-sensitive employee subject to the Department of Transportation’s drug testing regulations to use marijuana.  Since the use of CBD products could lead to a positive drug test result, the Department of Transportation-regulated safety-sensitive employees should exercise caution when considering whether to use CBD products.

U.S. Citizenship and Immigration Services (USCIS) published a new version of the Form I-9. 

The new Form I-9 is dated 10/21/2019. Employers should begin using this updated version as of January 31, 2020; however, they may continue to use the prior version (dated 7/17/2017 N) until April 30, 2020. After April 30, 2020, only the new version can be used. Minor updates were made to the Form I-9 to reflect changes in country names. Minor updates were also made to the Form I-9 Instructions, including clarification of who can act as an authorized representative on behalf of an employer, clarification of acceptable documents for the Form I-9, and updates to the process for requesting paper Forms I-9.

The International Trade Administration’s Privacy Shield Team has provided updated guidance on how an EU-U.S. Privacy Shield participant may receive personal data from the United Kingdom in light of Brexit.

The guidance states that during the Transition Period from January 31, 2020, until December 31, 2020, EU law will continue to apply to data received from the UK. However, by December 31, 2020, a participant must update its public commitment to comply with the Privacy Shield to include personal data received from the UK in reliance on the Privacy Shield. The guidance provides model language for this update. In addition, a participant must maintain the current Privacy-Shield certification. After December 31, 2020, participants will be understood to have committed to comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK.

FMCSA Drug/Alcohol Clearinghouse Rule Applies to Canadian Cross-Border Motor Carrier Employers

All Canadian employers who employ commercial drivers must now be aware of new requirements for those employees operating commercial vehicles in the United States.

As of January 6, 2020, the Federal Motor Carrier Safety Administration (“FMCSA”), operating under the Department of Transportation (DOT), has instituted new reporting requirements for all FMCSA-regulated motor carriers employing commercial motor vehicle drivers, including Canadian carriers carrying out cross-border operations. These drivers include, but are not limited to:

  • Interstate and intrastate motor carriers, including passenger carriers;
  • School bus drivers;
  • Construction equipment operators;
  • Limousine drivers;
  • Municipal vehicle drivers (e.g., waste management vehicles); and,
  • Federal and other organizations that employ drivers subject to FMCSA drug and alcohol testing regulations (e.g., Department of Defense, municipalities, school districts)

Employers of these individuals must now report all drug and alcohol violations of their drivers directly to the new Drug and Alcohol Clearinghouse (the “Clearinghouse”). According to the Clearinghouse, its purpose is to enable “employers to identify drivers who commit a drug and alcohol program violation while working for one employer, but who fail to subsequently inform another employer (as required by current regulations).”

In stark contrast to Canadian law, where drug and alcohol reporting requirements are governed provincially (save for Criminal Code violations), the Clearinghouse is nationwide. By way of comparison, one common tool utilized by Canadian employers is to request one of a number of background checks (e.g., Criminal Record Check, Criminal Record and Judicial Matters Check, Vulnerable Sector Records Check, Credit Check, etc.). Yet, these background checks may not be proper in all cases and are limited in their scope. Therefore, where a Canadian employer utilizes an American-based driver in any State, the employer must follow the process as described by the Clearinghouse.

Canadian employers utilizing American drivers or those who operate out of the United States should consider reviewing their current drug and alcohol policies to identify efficiencies that could be gained or gaps that require attention. This may be particularly difficult for Canadian employers as they must balance workplace safety and obligations under relevant health and safety legislation, an employee’s right to privacy, human rights considerations and potential circumstances regarding the need for accommodation.

State Developments

New Amendment to the PA Background Check Requirements for Employees Who Have Contact with Children

Effective December 31, 2019, Pennsylvania amended section 6344(m) of the Child Protective Services Law (CPSL), which pertains to background checks for employees who have contact with children. Specifically, the amendment prohibits employers, administrators, supervisors or other persons responsible for employment decisions from employing applicants on a provisional basis absent a waiver from the department. Child day-care centers, group day-care homes or family child-care homes may apply for a one-time extension not to exceed 45 days only if the following conditions are met:

  • The applicant has applied for the information required under section 6344(b) and the applicant provides a copy of the appropriate completed request forms to the employer, administrator, supervisor or another person responsible for employment decisions.
  • The employer, administrator, supervisor or another person responsible for employment decisions has no knowledge of information pertaining to the applicant that would disqualify him or her from employment pursuant to section 6344(c).
  • The applicant swears or affirms in writing that he or she is not disqualified from employment pursuant to section 6344(c) or has not been convicted of an offense similar in nature to those crimes listed in section 6344(c) under the laws or former laws of the United States or one of its territories or possessions, another state, the District of Columbia, the Commonwealth of Puerto Rico or a foreign nation, or under a former law of this Commonwealth.

Prior to the recent amendment, section 6344 of the CPSL, among other things, allowed employers, administrators, supervisors or other persons responsible for employment decisions to employ applicants on a provisional basis not to exceed 90 days.

Maryland Bans the Box

Over Governor Larry Hogan’s veto, the Maryland General Assembly recently enacted legislation to prohibit employers from initially seeking job applicants’ criminal records. Maryland now joins 13 states and the District of Columbia that mandate removing criminal history questions from job applications for private employers. These states are California, Colorado, Connecticut, Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, New Mexico, Oregon, Rhode Island, Vermont, and Washington. At least 18 cities and counties across the country have also extended these requirements to private employers.

Effective January 1, 2020, Maryland employers may not, at any time before the first in-person interview, require an applicant to disclose whether he or she has a “criminal record” or has been the subject of criminal accusations. An employer may require the applicant to disclose that information during the first in-person interview. An employer is prohibited from retaliating or discriminating against an applicant or employee who complains of a violation of the law. “Criminal record” is broadly defined to include an arrest, a plea or verdict of guilt, a plea of no contest, marking a charge “stet” on the docket, a disposition of probation before judgment, or disposition of not criminally responsible. The law only applies to employers of 15 or more full-time employees, which includes contractual, temporary, seasonal, and contingent workers. Further, the law does not prohibit an employer from inquiring into an applicant’s criminal record or taking action the employer is required or authorized to take in accordance with federal or state law. The law also does not apply to employers that provide programs, services, or direct care to minors or vulnerable adults.

The State Labor Commissioner is responsible for investigating violations of this law. If the Commissioner determines an employer has violated the law, the Commissioner may assess a civil penalty of up to $300 for each aggrieved applicant or employee. The Commissioner must consider the gravity of the violations, the size of the employer’s business, the employer’s good faith, and the employer’s history of similar violations in assessing the amount of the penalty. The law does not preempt local jurisdictions from enacting their own, more stringent ban-the-box laws. Such laws currently exist in Baltimore, Montgomery County, and Prince George’s County.

Los Angeles County DA & Code for America Announce Dismissal of 66,000 Marijuana Convictions

On February 13, 2020, the Los Angeles County DA and Code for America announced the dismissal of 66,000 marijuana convictions, marking the completion of the five-county Clear My Record pilot.

The City of Oakland, California has enacted an ordinance banning criminal background checks for rental housing. 

Other cities in California have passed similar ordinances which are limited to rentals for affordable or subsidized housing. The Oakland ordinance applies more broadly to nearly all rental housing, with a few exemptions including for rental property occupied in part by the owner and for certain sexual offenders.

The California Consumer Privacy Act (CCPA) data broker registry is live

The CCPA requires data brokers to have registered with the California Attorney General by January 31, 2020. The website of the Office of the Attorney General provides that a data broker that has not registered by the January 31st deadline should register as soon as possible and may be liable for civil penalties for each day it fails to register. The CCPA defines “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” There are exceptions to this definition for consumer reporting agencies to the extent the activities are covered by the Fair Credit Reporting Act (FCRA), and financial institutions to the extent the activities are covered by the Gramm-Leach-Bliley Act (GLBA).

Illinois Residents File Class Action against Biometrics Company for Collecting Information without Consent

Two Illinois residents filed a class action Complaint in the U.S. District Court for the Southern District of New York against a biometrics company and its licensing agent for gathering biometric identifiers and information without informed consent. The plaintiffs alleged that Clearview AI, Inc. and CDW Government LLC violated Illinois’ Biometric Information Privacy Act (BIPA) by actively collecting, storing and using the plaintiffs’ biometrics, in addition to those of most of the residents of Illinois, without receiving the appropriate informed consent. As cited in the Complaint, the Illinois legislature states that:

“[b]iometrics . . . are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometrics facilitated transactions.”

The plaintiffs stated that Clearview created a facial recognition tool using a database of approximately three billion photographs that Clearview built from scraping sources including Instagram, Twitter, YouTube, Facebook and Venmo. According to the plaintiffs, the facial recognition tool was designed to allow a user to identify virtually anyone by uploading a photograph and then be able to instantly see photos of the person on various social media platforms. The plaintiffs also alleged that Clearview licensed its facial recognition tool to “hundreds of law enforcement agencies”. The plaintiffs are seeking to represent residents of Illinois whose biometric identifiers were collected by Clearview over the past five years.

Court Cases

Facebook has agreed to pay $550 million to settle a privacy lawsuit alleging violations of the Illinois Biometric Information Privacy Act (BIPA). 

Under BIPA, companies must obtain explicit permission before collecting biometric data, such as face scans, from consumers. BIPA includes a private right of action which allows Illinois consumers to sue companies directly. In this case, the plaintiffs alleged that Facebook ran afoul of BIPA by using facial recognition technology to identify and automatically tag users. This settlement comes a week after Facebook’s petition for certiorari was denied by the Supreme Court. It is being called the largest privacy class action cash settlement to date.

Walgreens to pay $7.5M in settlement over phony pharmacist

Walgreens will pay $7.5 million to settle with California authorities after an employee was criminally charged with impersonating a pharmacist and illegally filling more than 745,000 prescriptions in the San Francisco Bay Area. Kim Thien Le has pleaded not guilty to felony impersonation charges. Prosecutors said that from late 2006 through 2017, Le used the license numbers of registered pharmacists in order to impersonate them and dispense prescriptions at Walgreens stores in Santa Clara and Alameda counties.

The prescriptions allegedly included more than 100,000 for opioids such as fentanyl, morphine, and codeine.

Le herself didn’t have a pharmacist license, prosecutors said. The district attorneys in both counties filed a consumer protection action against Walgreens. Prosecutors on Monday announced that the pharmacy giant agreed to settle. The company will pay $7.5 million in penalties, costs, and remedial payments.

“The burden is on the company to make sure its employees are properly licensed and to complete a thorough background check,” Alameda County District Attorney Nancy O’Malley said in a news release announcing the settlement. In a statement Monday, Walgreens said Le hasn’t worked for the company since 2017.

“Pharmacy quality and safety are top priorities, and upon learning of this issue, we undertook a re-verification of the licenses of all our pharmacists nationwide,” the statement said.

The complaint alleged Walgreens failed to vet Le thoroughly when it promoted her to positions requiring a license and failed to make sure that its internal systems were strong enough to prevent an employee from evading them.

Philadelphia Salary Inquiry Ban Upheld by Third Circuit

In 2017, Philadelphia became the first city to prohibit private employers from inquiring about a job applicant’s wage history and from relying on an applicant’s wage history in setting his or her salary. Since then, approximately 17 states and 20 cities have enacted similar bans. Philadelphia’s ban, however, was embroiled in litigation since its enactment.

The Chamber of Commerce of Greater Philadelphia sued the city arguing that the inquiry and reliance provisions violated the First Amendment’s free speech clause. In 2018, a federal district court upheld the ordinance’s prohibition on employers relying upon wage history but held that the prohibition on employers inquiring about wage history was unconstitutional. On February 6, 2020, the Third Circuit Court of Appeals reversed the district court and held that the prohibition on salary inquiries was constitutional.

The Philadelphia ordinance makes it an unlawful employment practice for an employer or employment agency to “inquire” about or “rely” upon an applicant’s wage history. Thus, employers may not:

  • Inquire about an applicant’s wage history, require disclosure of wage history, or condition employment or consideration for an interview or employment on disclosing wage history. “Inquire” means asking a job applicant in writing or otherwise; “wages” means all earnings of an employee (by time, task, piece, commission, or other methods of calculation) and includes fringe benefits, wage supplements, or other compensation.
  • Rely on the wage history of an applicant from any current or former employer of the individual in determining his or her wages at any stage in the employment process, including the negotiation or drafting of any employment contract, unless such applicant knowingly and willingly disclosed his or her wage history.
  • Retaliate against an applicant employee for exercising his or her rights under the ordinance.

However, the ordinance does not apply to any actions taken by an employer or employment agency under any federal, state or local law that specifically authorizes the disclosure or verification of wage history for employment purposes. Given the Third Circuit’s ruling, the full ordinance is now effective.

Other Developments

Genetic Information under HIPAA

Genetic Information is quickly becoming an important part of our lives. The Health Insurance Portability and Accountability Act of 1996, as amended, and the final Privacy Rule (HIPAA) are implicated by a healthcare provider’s or benefit plan’s creation, storage, and use of Genetic Information. Although HIPAA was enacted in 1996, and the final Privacy Rule was promulgated in 2003, it was not until 2008 that these laws and regulations were amended to ensure that Genetic Information was to be treated as Health Information protected by HIPAA. These amendments included the addition of five key defined terms that confirm the scope of Genetic Information and the many individuals whose Genetic Information is protected under HIPAA, and to allow consistency with the defined terms adopted under the Genetic Information Nondiscrimination Act of 2007 (GINA) adopted a year before, in 2007. Today, as a result, HIPAA includes definitions for the following terms: (1) Individual; (2) Genetic Information; (3) Genetic Test; (4) Genetic Services; and (5) Family Member.

“Individual” means the person who is the subject of protected health information or PHI under HIPAA.

“Genetic Information” includes specific information about a particular Individual and the Individual’s Family Members in regard to their genetic test information, the manifestation of a disease or disorder in Family Members of the Individual, or any request for, or receipt of, Genetic Services by the Individual or any Family Member of the Individual. The term also includes any Genetic Information of a fetus carried by the Individual or Family Member who is a pregnant woman and any embryo legally held by an Individual or Family Member utilizing an assisted reproductive technology. For purposes of this definition, the term Genetic Information excludes information about the sex or age of any Individual.

“Genetic Test” means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. The term Genetic Test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.

“Genetic Services” means a Genetic Test, genetic counseling (including obtaining, interpreting or assessing Genetic Information), or genetic education.

“Family Member” means, with respect to the Individual:

  • A Dependent of the Individual; or
  • Any person who is a first-degree (parents, spouses, siblings and children), second-degree (grandparents, grandchildren, aunts, uncles, nephews, nieces), third-degree (great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins), or fourth-degree (great-great-grandparents, great-great-grandchildren, and children of first cousins) relative of the Individual or of a Dependent of the Individual.

The definition also notes that relatives by affinity, such as by marriage or adoption, are treated the same as relatives by consanguinity, that is, relatives who share a common biological ancestor. In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).

In summary, HIPAA defines Health Information to include Genetic Information. Second, HIPAA provides five important definitions that confirm (1) the scope of the Genetic Information that is protected, (2) the categories of Individuals, Dependents and other Family Members whose Genetic Information is protected, and (3) a detailed definition of what qualifies as Genetic Tests and Genetic Services as they are conducted by health care providers. Third, this overview is an important first step in confirming the impact that HIPAA has on Genetic Information, as it is created or received and maintained by HIPAA Covered Entities in the delivery of health care services today.

Must an Employer Pay for Medical Marijuana?

Apparently yes – at least in New Jersey. In Hager v. M&K Construction, a New Jersey state appellate court recently affirmed a workers’ compensation judge’s order for an employer to reimburse a former employee for his use of medical marijuana for chronic pain following a work-related accident.

Case Background

In 2001, the employee severely injured his back in a work-related accident. Over the course of the next 15 years, he underwent multiple unsuccessful surgeries and was prescribed a slew of opioid pain medications.

In April 2016, the employee was experiencing side effects from his use of opioids and wanted an alternative. His doctor provided him with an authorization for medical marijuana. During a follow-up appointment with his doctor in May 2016, the employee reported that medical marijuana had provided some relief for his incessant pain and he had stopped taking opioids. He continues to treat his pain with two ounces of medical marijuana per month, as authorized by his doctor, for which he pays $616 a month out-of-pocket.

At the trial for his workers’ compensation claim, the judge found that the present condition of the employee’s back was causally related to his long-ago accident at work and that the employee exhibited permanent partial total disability. Doctors for both the employer and employee “agreed that the treatment of pain with opioids carried a risk of death and that opioids were significantly more addictive than marijuana.” The judge concluded that medical marijuana was the “clearly indicated option.” The judge ordered the employer to reimburse the employee for the costs of medical marijuana and any related expenses. A shocked employer appealed, arguing that the federal Controlled Substances Act (“CSA”), which makes it a crime to manufacture, possess, or distribute marijuana, preempted the New Jersey Compassionate Use Medical Marijuana Act (in July 2019, the Act was amended to the “Jake Honig Compassionate Use Medical Cannabis Act”) because it was impossible to comply with both laws.

The Court’s Decision

Addressing this issue for the first time, the New Jersey appellate court found that there was no conflict between the CSA and the Jake Honig Act because an employer’s reimbursement of a registered patient’s use of medical marijuana does not require the employer to violate the CSA, as it does not manufacture, possess or distribute marijuana. The court also rejected the employer’s argument that it would be aiding and abetting the employee in a commission of a crime – the possession of marijuana – if it reimbursed him for medical marijuana as ordered by the judge. The court found that the employer is not an active participant in the commission of a crime because it would be complying with an order requiring it to reimburse the employee for the legal use of medical marijuana under New Jersey law. In addition, the court rejected the employer’s argument that compliance with the order exposes it to the threat of federal prosecution for aiding and abetting the employee in the possession of marijuana. The court noted that the employer could not point to any federal prosecution against an employer or insurance carrier for its reimbursement of authorized medical marijuana treatment. The court further rejected the employer’s argument that the judge failed to consider whether medical marijuana can be a reasonable and necessary form of treatment under the state’s Workers’ Compensation Act because it is illegal under the CSA. The court cited to the doctors’ testimony and found that the judge weighed the “alternative legal modalities of treatment” available to the employee.

Notably, the court found that the employee’s use of medical marijuana allowed him to cease using opioids, and stated, “That achievement, by itself, in light of the opioid crisis in existence today, should suffice as a rationale for the reimbursement of medical marijuana.” (Interesting that the solution to one illegally used substance is another one. The lesser of two evils, it appears.)


It is unclear if the case will be appealed. However, this ruling is in line with New Jersey’s recent amendment to the Jake Honig Act, which, among other things, now expressly prohibits an employer from taking any adverse action against a medical marijuana user if the adverse employment action is “based solely on the employee’s status” as a medical marijuana patient. We must wait to see if other states will follow this court’s example with regard to requiring an employer to reimburse for medical marijuana.

This information has been prepared by Validity Screening Solutions for informational purposes only and is not legal advice. The content is intended for general information purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have.