Header graphic for print

Privacy Compliance & Data Security

Information on Data Breach Prevention and the Appropriate Response

New NJ Data Security Standard More Stringent than HIPAA

Posted in Electronic Data Security

New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

*          Social security number

*          Driver’s license number or State identification card number

*          Address

OR

*          Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law.  “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tables or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA.  For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier.  A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.

FTC Approves Settlement Order With Snapchat

Posted in Data Protection Law Compliance, Electronic Data Security, FTC, Privacy Policy, Privacy Rights, Uncategorized

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”  For more information from the FTC on marketing apps, click here.

When a Consumer Gives Personal Information After Opting-Out

Posted in Gramm-Leach-Bliley, Privacy Policy

More often than not companies are realizing that they have a consumer provide her information after she has previously opted-out of marketing.  For example, a company collects contact information online, sends a consumer email marketing its services, and she opts-out of further email marketing by following the “opt-out” procedures in that email.  Six months later the same consumer participates in a survey sponsored by the same company, the terms of which state that by participating in the survey the consumer consents to receive further marketing communications from the company.  Is the company bound by the prior opt-out by the consumer, or does her participation in the survey under the rules permitting marketing override the original opt-out?

There is no one size fits all answer to the above situation.  Undoubtedly the company would be in a much better position if there is an unpopulated checkbox on the survey asking the consumer if she would like to receive future marketing.  In that case, there is an affirmative act by the consumer that almost certainly revokes the prior opt-out.

What if the survey terms state not only that by participating in the survey the consumer consents to receive further marketing communications from the company, but also affirmatively states that any prior opt-out shall be deemed revoked by participating.  What if the same type of “if you provide us your information again after opting-out your opt-out shall be void” disclaimer appeared in the company’s Privacy Policy when her information was originally collected?

If your company finds itself in a situation where it is receiving a consumer’s information repeatedly, or it is reasonably likely that scenario could arise, speak with you privacy counsel to discuss your options and the risks associated with each such option.  Planning this scenario in advance will provide your company with much greater flexibility when and if the issue arises.

Billing Company Settles FTC Charges That It Misled Consumers Regarding Health Data Collection

Posted in FTC, Privacy Policy, Privacy Rights, Protected Health Information, Regulatory Enforcement and Litigation

The Federal Trade Commission recently announced that it settled charges against a health billing company and its former CEO that they misled consumers who had signed up for their online billing portal by failing to inform them that the company would seek detailed medical information from pharmacies, medical labs and insurance companies.

The Atlanta-based medical billing provider operated a website where consumers could pay their medical bills, but in 2012, the company developed a separate service, Patient Health Report, that would provide consumers with comprehensive online medical records.  In order to populate the medical records, the company altered its registration process for the billing portal to include permission for the company to contact healthcare providers to obtain the consumer’s medical information, such as prescriptions, procedures, medical diagnoses, lab tests and more.

The company obtained a consumer’s “consent” through four authorizations presented in small windows on the webpage that displayed only six lines of the extensive text at a time and could be accepted by clicking one box to agree to all four authorizations at once.  According to the complaint, consumers registering for the billing service would have reasonably believed that the authorizations related only to billing.

The settlement requires the company to destroy any information collected relating to the Patient Health Report service.

This case is a good reminder for companies in the healthcare industry looking to offer new online products involving consumer health information that care must always be taken to ensure that consumers understand what the product offers and what information will be collected.

 

Can Third Party Certification Ensure Data Privacy Best Practices?

Posted in Data Protection Law Compliance, Electronic Data Security, FTC, Privacy Policy

This week the Federal Trade Commission (FTC) fined TRUSTe, a company that endorses the data privacy practices of businesses, for misrepresenting its certification programs to consumers. TRUSTe offers Certified Privacy Seals, representing TRUSTe’s guarantee that e-commerce websites, mobile apps, cloud-based services, and child-centric websites are compliant with applicable regulatory mandates and employ best practices in protecting consumer information. To earn a Certified Privacy Seal, businesses must share their data privacy practices with TRUSTe, meet TRUSTe’s requirements for consumer transparency, and allow consumers to choose how personal information is collected and used.

However, once TRUSTe bestowed a Certified Privacy Seal on some companies, the FTC alleges that TRUSTe did little to ensure that these companies continued to follow TRUSTe’s best practices. TRUSTe admitted that it failed to conduct annual audits of previously certified websites, but reiterated that less than 10% of TRUSTe’s certifications were part of this oversight. You can read TRUSTe’s statement on its blog.

So, if you’re a business that deals with consumer personal information, is it worth the time and expense to receive third party certifications like those given by TRUSTe? It depends. Third party oversight may be valuable reassurance for your business, instilling confidence that all best practices and regulatory frameworks are identified and followed. However, don’t rely too heavily on such third party certification. While the FTC was silent on any ramifications for customers of TRUSTe, businesses should engage any third party certification with the mindset that the business itself is ultimately responsible for ensuring its privacy practices follow industry standards and meet all regulatory requirements.

 

Michael Kline’s “List of Considerations” for Indemnification Provisions in Business Associate Agreements

Posted in Uncategorized

I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing.  Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and yet not obvious considerations.  For example, will indemnification jeopardize a party’s cybersecurity or other liability coverage?

Data use and confidentiality agreements used outside of the HIPAA context may also include indemnification provisions that are triggered in the event of a privacy or security breach.  Parties to these agreements should take a close look at these “standard” provisions and Michael’s list and proceed carefully before agreeing to indemnify and/or be indemnified by the other party.

The FCC – A New Data Security Regulator?

Posted in Data Protection Law Compliance, Data Security Breach Response, Data Theft, Electronic Data Security, FCC Rules and Regulations, Privacy Rights, Regulatory Enforcement and Litigation

On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for allegedly failing to safeguard the personal information of their customers.

Both TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) allegedly collected customers’ personal information, including names, addresses, Social Security numbers, and driver’s licenses, and stored it on servers that were widely available on public websites online through a simple Google search.  The information could be accessed by “anyone in the world” exposing their customers “to an unacceptable risk of identity theft and other serious consumer harms.”

According to the FCC, TerraCom and YourTel violated Sections 201(b) and 222(a) of the Communications Act of 1934 by:

  • Failing to properly protect the confidentiality of consumers’ personal information, including names, addresses, Social Security numbers, driver’s licenses;
  • Failing to employ reasonable data security practices to protect consumer information;
  • Engaging in deceptive and misleading practices by representing to consumers in the companies’ privacy policies that they employed appropriate technologies to protect consumer information when they did not; and
  • Engaging in unjust and unreasonable practices by not notifying consumers that their information had been compromised by a breach.

Whether the FCC’s announcement signals its intention to become yet another regulator of data security remains to be seen.  But companies that collect and store customer personal information must take the initiative to ensure information is stored properly with appropriate data security safeguards in place.  And safeguards are not enough.  If, after investigation, a company uncovers a breach, it must timely notify customers in accordance with state law and federal regulations.

For more information about the FCC’s announcement, click here.

 

HIPAA Does Not Preempt State Privacy Cause of Action But May Represent “Standard of Care”, Says Connecticut Supreme Court

Posted in Data Protection Law Compliance

As if compliance with the various federal privacy and data security standards weren’t complicated enough, we may see state courts begin to import these standards into determinations of privacy actions brought under state laws.  Figuring out which federal privacy and data security standards apply, particularly if the standards conflict or obliquely overlap, becomes a veritable Rubik’s cube puzzle when state statutory and common law standards get thrown into the mix.

A state court may look to standards applied by the Federal Communications Commission (“FCC”), the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), or some other federal agency asserting jurisdiction over privacy and data security matters, and decide whether the applicable standard or standards preempts state law.  The state court may also decide that one or more of these federal agencies’ standards represent the “standard of care” to be applied in determining a matter under state law.  Or, as shown in a recent Connecticut Supreme Court decision described below, a court may decide that state law is not preempted by federal law or standards in one respect, while recognizing that the federal law or standard may embody the “standard of care” to be applied in deciding a privacy or data security matter under state law.

Fox Rothschild LLP partner Michael Kline posted the following at http://hipaahealthlaw.foxrothschild.com/:

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that:

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

Medical Device, “Heal Thyself” from Data Hacking

Posted in HIPAA

Innovative health care-related technology and developing telemedicine products have the potential for dramatically changing the way in which health care is accessed.  The Federation of State Medical Boards (FSMB) grappled with some of the complexities that arise as information is communicated electronically in connection with the provision of medical care and issued a Model Policy in April of 2014 to guide state medical boards in deciding how to regulate the practice of “telemedicine”, a definition likely to become outdated as quickly as the next technology or product is developed.

Interestingly, the development and use of medical devices and communication technology seems to outpace agency definitions and privacy laws as quickly as hackers outpace security controls.  So how can we encourage innovation and adopt new models without throwing privacy out with the bathwater of the traditional, in-person patient-physician relationship?  A first step is to see and understand the gaps in privacy protection and figure out how to they can be narrowed.

HIPAA does not protect all information, even when the information is clearly health information and a specific individual can be identified in connection with the health information.   A guidance document issued jointly by the U.S. Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) on October 2, 2014 (FDA Guidance Document) contains the agencies’ “non-binding recommendations” to assist the medical device industry with cybersecurity.  The FDA Guidance Document defines “cybersecurity” as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  If my medical device creates, receives, maintains, or transmits information related to my health status or condition, it’s likely I expect that information to be secure and private – but unless and until my doctor (or other covered entity or business associate) interfaces with it, it’s not protected health information (PHI) under HIPAA.

The FSMB’s Model Policy appropriately focused on the establishment of the physician-patient relationship.  In general, HIPAA protects information created, received, maintained or transmitted in connection with that relationship.  A medical device manufacturer, electronic health application developer, or personal health record vendor that is not a “health care provider” or other covered entity as defined under HIPAA, and is not providing services on behalf of a  covered entity as a business associate, can collect or use health-related information from an individual without abiding by HIPAA’s privacy and security obligations.  The device, health app, or health record may still be of great value to the individual, but the individual should recognize that the information it creates, receives, maintains or transmits is not HIPAA-protected until comes from or ends up with a HIPAA covered entity or business associate.

The FDA Guidance Document delineates a number of cybersecurity controls that manufacturers of FDA-regulated medical devices should develop, particularly if the device has the capability of connecting (wirelessly or hard-wired) to another device, the internet, or portable electronic media.  Perhaps these controls will become standard features of medical devices, but they might also be useful to developers of other types of health-related products marketed to or purchased by consumers.  In the meantime, though, it’s important to remember that your device is not your doctor, and HIPAA may not be protecting the health data created, received, maintained or transmitted by your medical device.