Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Rx for HIPAA Compliance

Posted in HIPAA/HITECH

Weighing in at half the length of Tolstoy’s legendary tome War and Peace, it is no surprise that the thought of the impending deadline for compliance with the 538-page HIPAA Omnibus Rule has left many small clinical practices feeling overwhelmed.  The HHS Office for Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are co-sponsoring four upcoming webinars to help smaller health care providers better understand HIPAA compliance and enforcement topics.  The webinars will focus specifically on practical strategies for implementing the Omnibus Rule’s new requirements within a small clinical practice.

Each of the 90-minute sessions (1-2:30 p.m. EST) is free to all registrants, and will educate participants on the following topics:

  • Friday, June 14th – HITECH Omnibus Overview of the Rule
  • Friday, June 28th – Drill down on the new HITECH Privacy Rule
  • Wednesday, July 17th – Breach and Enforcement under the HITECH Omnibus Rule
  • Friday, July 26th – Business Associates and the HITECH Omnibus Rule

WEDI was formed in 1991 by the then-HHS Secretary, Dr. Louis Sullivan, and the organization has been an official advisor to HHS since being named to that role in the 1996 HIPAA legislation.  According to its website, “WEDI is a coalition comprised of a cross-section of the healthcare industry: doctors, hospitals, health plans, laboratories, pharmacies, clearinghouses, dentists, vendors, government regulators and other industry stakeholders.”

Smaller providers are particularly exposed to HIPAA enforcement – private practices and outpatient facilities are the first and third most common provider types required to adopt corrective action in response to an OCR investigation.  And in the past year, OCR entered into its first settlement agreement regarding a breach affecting fewer than 500 individuals.  Previously, to get answers tailored to their needs, these providers could consult the “Small Providers and Small Business” Frequently Asked Questions and a dedicated summary page on OCR’s website.  OCR’s and WEDI’s joint effort to reach these providers is a golden opportunity for these covered entities and their business associates to educate themselves on their new, increased obligations under the law and regulations.

The Great Disappearing Acts: California Considers Two Bills Addressing the Removal of Online Information of Minors

Posted in Children, Legislation, Privacy Regulation

Written by Jake Romero

Do you ever find yourself worrying that, given the types of things minors deem appropriate to post on social networking Web sites like Facebook and Twitter, our country won’t be able to produce an electable candidate for president in 40 years?  If so, you’ll be glad to know that the California state legislature is in the process of considering two bills that could affect the obligations of online service operators to delete certain types of information collected from minors.  The first bill, California Senate Bill 568, would give minors an “eraser button” with respect to the content and information that they provide to Web sites and online services, while the second, California Senate Bill 501, would require social networking sites to remove identifying information about minors from their pages if those minors or their parents request it.

CALIFORNIA SENATE BILL 568 – THE “ERASER BUTTON”

California Senate Bill 568, which was introduced by Senator Darrell Steinberg and has already been passed unanimously by the Senate, would require that, at the request of a minor, the operator of any Web site, online service, online application, or mobile application remove all content or information submitted to the operator’s site or service by that minor.  If passed, S.B. 568 would also require operators of Web sites, online services, online applications and mobile applications to notify minors that they have the right to request that their information be deleted, while cautioning that such removal does not ensure “complete or comprehensive” removal of that information.  S.B. 568 would also prohibit the operators of online services that are directed to minors (or, if not directed at minors, where the operator has actual knowledge that a minor is using the service) from marketing goods or services to minors if those goods or services cannot legally be purchased by a minor.

If S.B. 568 is passed in its current form, it could require operators of online services to make a number of changes to their data collection and retention policies.  First, operators should note that S.B. 568 expands and deviates from the protections provided by the federal Children’s Online Privacy Protection Act (“COPPA”), as amended.   COPPA permits parents of a child under the age of 13 to contact the operator of an online service to request that any information their child has provided be deleted. Our blogposts about the latest amendments to COPPA (effective July 1, 2013) can be found here.  S.B. 568 not only raises this age to 18, but also puts the power directly in the hands of the minor, rather than the parent or guardian.  The bill does provide for certain exceptions to the removal requirement where the content or information was submitted to the online service by a third party (rather than directly by the minor) or where any provision of state or federal law requires the operator to maintain such information.

As currently drafted, S.B. 568 would create a number of potential pitfalls for online operators by not providing clear guidance on a number of key aspects of the bill.  For example, there is no definition for what constitutes “content or information submitted to or posted on the operator’s website.”  Depending on how broadly this is interpreted, an operator may have a difficult time removing all such information in response to requests.  S.B. 568 also does not provide guidance with respect to what actions are sufficient to constitute “removal” of content or information or what online services would be deemed to be directed toward minors.

If passed, S.B. 568 will become effective as of January 1, 2015.

CALIFORNIA SENATE BILL 501 – THE SOCIAL MEDIA PRIVACY ACT

Like S.B. 568, Senate Bill 501, which was introduced by Senator Ellen Corbett and has been passed by a majority in the California Senate, expands the obligations of certain online service operators with respect to the removal of information related to minors.  In its current form, S.B. 501 would require social networking sites to remove personal identifying information of any registered user under the age of 18 within 96 hours of the receipt of any request from that minor or his or her parent or guardian and imposes a civil penalty of $10,000 for each failure to do so.

S.B. 501 does include limitations on the obligations of social media operators.  Social networking sites are permitted under S.B. 501 to require that any request submitted to remove information include the following statement:

“I attest that the information in this request is accurate, that I am the registered user or the parent or legal guardian of the registered user to whom the personal identifying information in this request pertains, and that I am authorized to make this request under the laws of the State of California.”  

Also, similar to the restriction contained in S.B. 568, social networking sites are not required to remove information where state or federal law requires that it be maintained.

To the surprise of no one, social networking sites have taken issue with S.B. 501’s requirements.  As reported in the L.A. Times, a coalition that includes Facebook, Google, Zynga and Tumblr has banded together to oppose S.B. 501.  In a letter to Senator Corbett, the Applications Developers Alliance claims on behalf of its members that the 96-hour deadline for removal of information is unworkable, as it does not permit sufficient time to verify requests before removing data.  The Applications Developers Alliance also argues in its letter that S.B. 501 infringes the privacy rights of users under the age of 18, because it permits a parent or guardian to unilaterally request that information be deleted.

PREPARING FOR CHANGE – CONSIDERATIONS IN THE MEANTIME

Online service operators will need to begin considering what actions will need to be taken if, as seems likely, one or both of S.B. 501 and 568 are signed into law.  Here are some important questions to ask:

  • Does your online service collect information from users under the age of 18?  If so, do you have a full and complete understanding of what information is collected, and how and where it is stored?
  • If requested, are you able to separate out a minor’s information and remove it?  How long would this process take?
  • Do you have a point of contact in place for requests to delete information?  Do you have policies in place regarding how to respond to such requests, and have you trained your employees to respond appropriately?
  • Is there any aspect of your online service that could be considered to be directed toward minors?
  • Do you sell goods or services that minors cannot legally purchase?  If so, are your marketing practices solely targeted toward adults?
  • Does your online service constitute “social networking”?  (As defined in Section 62(d) of S.B. 501, a “social networking Internet web site” would mean “an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.”)

Ultimately, if either or both of S.B. 501 and S.B. 568 are signed into law, online service operators may have to reassess the cost-benefit analysis of collecting certain types of data from minors.  The collection of user data can yield substantial monetary benefits for online operators.  However, there is no clear way to know how often requests would be made under either of these statutes, and whether the aggregate cost of responding to such requests would outweigh the benefits of collecting certain types of user data.

If S.B. 501 and/or S.B. 568 are adopted, they will bring with them considerable change to the online marketplace.  In the meantime, you can find comfort in two facts:  (1) many more of our children could become president someday, and (2) your Mintz Levin privacy team is always available to help with any questions you may have.

July 1 COPPA Compliance Deadline is Approaching

Posted in Children, Federal Trade Commission, Privacy Regulation

Written by Julia Siripurapu

Today, the FTC sent more than ninety (90) “educational” letters to domestic and foreign businesses whose Web sites and online services (including mobile apps) appear to collect personal information from children who are 12 years old and under, in an attempt to help the businesses come into compliance with the amendments to the Children’s Online Privacy Protection (COPPA) Rule (the “Amendments”), going into effect on July 1.  Our prior blogposts about the Amendments can be found here.

Copies of each one of the four (4) form letters may be found below:

  • Letter to Domestic Companies That May Be Collecting Images or Sounds of Children
  • Letter to Domestic Companies That May Be Collecting Persistent Identifiers from Children
  • Letter to Foreign Companies That May Be Collecting Images or Sounds of Children
  • Letter to Foreign Companies That May Be Collecting Persistent Identifiers from Children

The FTC urged letter recipients “to review your apps, your policies, and your procedures for compliance.”

The agency also hinted that it will give credit to companies just for making an effort. “As with all our enforcement activities, the Commission will exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective,” the letter stated.

The FTC also set up and maintains an e-mail hotline, where companies can ask FTC staff questions about how to comply with the Amendments.

The penalties for violating COPPA can be steep.  In February 2013, social networking app Path agreed to pay $800,000 to settle FTC allegations that it wrongly collected personal information from children.  And in October 2012, Artist Arena, the operator of fan websites for music stars such as Justin Bieber, shelled out $1 million to settle FTC charges that it improperly collected personal information from children without parental consent.

Other prior COPPA penalties include $1 million paid by Sony BMG Music Entertainment in 2008, and $1 million by social networking Web site Xanga.com in 2006.

As we move towards July 1 and the COPPA compliance deadline, please contact any member of the Mintz Levin privacy team with questions regarding your company’s compliance efforts.

Warrantless Cell Phone Searches – A Look at the Case Law

Posted in Uncategorized

Written by Bridget M. Rohde and Sara J. Crasson, CIPP/US

When a person is arrested with a cell phone, law enforcement officers will likely want to search the phone’s contents.  Today’s smart phones are a treasure trove of contacts, calendars, voice and text messages, e-mail, videos, photographs, internet use records, GPS and cell tower location tracking data, and information captured by all kinds of additional applications, which may include sensitive personal data, like banking and medical information.  The exception to the warrant requirement for a search incident to arrest was intended to allow law enforcement officers to prevent the loss or destruction of evidence and to seize weapons or materials that could be used to escape custody.  Courts differ on how it applies to a cell phone.

Recently, in United States v. DiMarco, the Southern District of New York suppressed photographs found on the defendant’s cell phone.  2013 U.S. Dist. LEXIS 16279 (S.D.N.Y. February 5, 2013).  When DiMarco was arrested in possession of a firearm, ammunition, and a silencer, his cell phone was seized.  A Special Agent from the Bureau of Alcohol, Tobacco, Firearms and Explosives (“ATF”) inspected his phone several hours later at the police station.  She used her own mobile phone to take photographs of the pictures on DiMarco’s phone.  Later, the Government attempted to use the ATF agent’s photographs as evidence.  The Court suppressed the results of the ATF agent’s search after it determined the search was not performed incident to the arrest because of the delay between the arrest and the search, and because the agent’s motivation for searching the phone was to look for evidence against DiMarco, rather than to stop evidence from being destroyed or to eliminate a potential physical threat to the officers.

Other courts have allowed cell phone searches incident to arrest, sometimes for different reasons.  In United States v. Finley, the Fifth Circuit allowed the warrantless search of a cell phone where law enforcement officers seized the phone when they arrested its owner at a traffic stop and searched the phone’s contents at the home of a co-defendant, stating that the search was still incident to arrest because “the administrative processes incident to the arrest and custody [had] not been completed.”  477 F.3d 250, 259 (5th Cir. 2007).  The Tenth Circuit came to a similar conclusion when it allowed a warrantless search of an arrestee’s cell phone in Silvan W. v. Briggs, holding that “[b]ecause . . . warrantless arrests were constitutionally permissible, so too were the contemporaneous searches of their persons for weapons and evidence.  Further, the permissible scope of a search incident to arrest includes the contents of a cell phone found on the arrestee’s person.”  309 Fed. Appx. 216 (10th Cir. 2009).  In People v. Diaz, the Supreme Court of California held an arrestee had no reasonable expectation of privacy in his cell phone when he was arrested with it on him.  244 P.3d 501, 505 (Cal. 2011).

This line of thinking was rejected by the Supreme Court of Ohio, in Ohio v. Smith, which noted that cell phones “are capable of storing a wealth of digitized information wholly unlike any physical object found within a closed container,” rejected all analogies to containers and devices courts had previously found searchable, and held that “because an individual has a privacy interest in the contents of a cell phone that goes beyond the privacy interest in an address book or pager, an officer may not conduct a search of a cell phone’s contents incident to a lawful arrest without first obtaining a warrant.”  124 Ohio St. 3d 163 (2009).

The law in this area could develop in several ways.  For example, the California legislature passed a bill in 2011 requiring a warrant to search a cell phone, but California Governor Jerry Brown vetoed the bill.  Also, the Supreme Judicial Court of Massachusetts raised a new issue when it allowed a warrantless cell phone search incident to arrest, but restricted the decision to the facts of the case, explicitly noting that it did not “suggest that the assessment necessarily would be the same . . . in relation to a different type of intrusion into a more complex cellular telephone or other information storage device.” Commonwealth v. Phifer, 979 N.E.2d 210, 216 (Mass. 2012).  Future courts may develop distinctions based on the kind of data being searched in a cell phone.


For more information, see “No Clear Rule On Warrantless Cellphone Searches” by Bridget M. Rohde and Sara J. Crasson at http://www.law360.com/articles/428965/no-clear-rule-on-warrantless-cellphone-searches.

Enter, the APPS Act

Posted in Mobile Privacy, Privacy Regulation

Written by Amy Malone

U.S. Rep. Hank Johnson, a Democrat from Georgia, has introduced a mobile privacy bill that if passed will require mobile application developers to maintain privacy policies, obtain consent from consumers before collecting data, and securely maintain the data they collect.

The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,” also requires app developers to establish a data retention policy and allows users to request that app developers stop collecting their data and delete any stored information about the user.  App developers are charged with taking “reasonable and appropriate” measures to prevent unauthorized access to personally identifiable and de-identified information collected by the app.

Over the last year, the public was able to express their concerns and suggestions regarding mobile privacy through a web-based project called AppRights started by Rep. Johnson.  In a press release Rep. Johnson said that more than 80% of AppRights participants wanted Congress to protect consumers’ privacy on mobile devices by imposing regulations that require app developers to tell users what information is being collected and how it is being used, to secure user information, and to make controls easy to implement on mobile devices.

Under the APPS Act, enforcement would be handled by the Federal Trade Commission, and state attorneys general could bring civil actions on behalf of residents to enforce the regulation and obtain damages.  There is also a safe harbor provision that allows app developers to satisfy the requirements of the Act by adopting and following a code of conduct for privacy that is established using a multistakeholder process facilitated by the National Telecommunications and Information Administration.

EU Data Protection Regulation: and the horizon recedes again . . .

Posted in European Union, Legislation, Privacy Regulation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) We recently wrote that a crucial committee vote on the new EU Data Protection Regulation had been pushed back until May 29-30.  The vote has been delayed again until an unspecified future date, although Jan Philipp Albrecht, the MEP who is one of the leading advocates for the Regulation, still thinks that a committee vote will be possible before the European Parliament’s July recess.  This may be overly optimistic, given that the European Parliament still needs to sift through over three thousand amendments to the Regulation.

Delays to complex EU Regulations are nothing new – and the delay does not mean that the draft Regulation has hit any fatal roadblocks.   Interested organizations will no doubt see the delay as a useful opportunity to extend their lobbying for changes to the draft Regulation.

FTC on COPPA: No Delay

Posted in Children, Federal Trade Commission, Privacy Regulation

This afternoon, the Federal Trade Commission (FTC) unanimously rejected requests from industry organizations to delay the July 1 date for compliance with the amendments to the Children’s Online Privacy Protection Act (COPPA) Rule.  In its response letter, the Commission noted that the updated rule has been in the works for three years and the July compliance date was announced last December, giving industry enough time to prepare.

According to the letter,

The Commission appreciates that some of your members will need to make changes to their business practices in order to comply with the amended Rule.  At the same time, we note that all stakeholders have had sufficient opportunity to raise issues and articulate their concerns, the [statement of basis and purpose] provides sufficient guidance regarding the obligations the amended Rule will impose on COPPA-covered entities, and the more than six-month time period between issuance of the amended Rule and its effective date is adequate.  Moreover, petitioners have not raised any concrete facts to demonstrate that a delay is necessary.  In light of these factors, combined with the Congressional mandate to protect the privacy of children under the age of 13 and the Commission’s commitment to “[e]nsure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them,” the Commission finds no basis for delaying the effective date of the amended Rule.


During the six-month period the Commission noted, FTC staff have conducted numerous meetings and consultations with organizations and individual businesses on how to ensure compliance with the new rule.  The FTC also recently issued an updated set of FAQs for businesses and parents.


UPDATE: About California’s Right to Know Act — Silicon Valley No Longer Worried

Posted in Privacy Regulation

We just wrote the other day about the proposed California Right to Know Act.

There is breaking news today out of Sacramento that Assemblywoman Bonnie Lowenthal has withdrawn her bill.  For more, see “Silicon Valley tech firms win privacy battle”

And more here


Understanding HIPAA: OCR Publishes New Provider and Consumer Guides

Posted in HIPAA/HITECH, Privacy Regulation

Written by Kimberly Gold

(Originally posted in Mintz Levin’s Health Law Policy Matters blog)

Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers.  Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new tools to educate providers and consumers about HIPAA.

Many consumers regularly sign a HIPAA Notice of Privacy Practices with little to no understanding of what the form actually says or means.  To help consumers understand their rights under the HIPAA Privacy Rule, OCR has developed consumer guides about HIPAA, which are available in eight languages.  These materials include information about individuals’ health information privacy rights, understanding the HIPAA Notice of Privacy Practices, and sharing health information with family members and friends.  Along with these fact sheets, OCR released seven consumer-facing videos on its YouTube channel.

But OCR has not forgotten about providers who may also be grappling with HIPAA.  OCR released videos on its YouTube channel specifically for providers, covering topics such as establishing safeguards to protect patient information and complying with the Security Rule’s requirements.  OCR also launched three modules for providers on compliance with the HIPAA Privacy and Security Rules:

  1. Patient Privacy: A Guide for Providers;
  2. HIPAA and You: Building a Culture of Compliance; and
  3. Examining Compliance with the HIPAA Privacy Rule.

While these guides are not a substitute for legal advice, they should be helpful to providers and consumers.  The new tools also demonstrate OCR’s recognition that understanding HIPAA sometimes requires a little bit of help.

Upcoming Events

Posted in Events and Webinars

Mark your calendars: upcoming events with Mintz Levin privacy attorneys

Boston, Thursday, May 2, 2013, New England Legal Foundation Cyber Security: Advising Corporate Leaders on Critical Risk Issues

Everywhere (webinar), Thursday, May 2, 2013, CBIZ MHM/Mintz Levin Webinar, Outsourcing Services to a Third Party: Privacy Impacts and Service Organization Control Reporting

Seattle, WA, Friday, May 10, 2013, Northwest Summit for Financial Professionals, After Patco: What is Legally Defensible Security in a Commercial Customer Relationship?

SAVE THE DATE: Boston, MA, Wednesday, June 5, 2013, Mintz Levin, Cybersecurity: It’s Not Just for IT Anymore — Raising Awareness of Cyber Risk to the Boardroom and the Growing Risk to Directors