Header graphic for print

Workplace Privacy, Data Management & Security Report

Second Circuit Finds No Consent in TCPA Appeal

In a recent ruling, the U.S. Court of Appeals for the Second Circuit revived a claim against debt collector under the Telephone Consumer Protection Act (“TCPA”), finding that the recipient of the call never expressly consented to the calls.

The plaintiff, Albert Nigro, called the power company to discontinue service at the home of his recently deceased mother-in-law, Joan Thomas.  As required by the power company, Nigro provided his own telephone number.  Thereafter, the power company hired a third party, Mercantile Adjustment Bureaus (“MAB”) to collect on Thomas’ outstanding debt to the power company.  In connection with those collection efforts, MAB called Nigro. 

Nigro subsequently filed suit against MAB alleging MAB’s calls to Nigro violated the TCPA.  The district court granted MAB’s motion for summary judgment holding that MAB was not liable under the TCPA because Nigro had consented to the calls by providing his number to the power company.

On appeal to the Second Circuit, the Court reversed the district court’s granting of summary judgment and stated that Nigro “plainly did not consent” to the calls.  The Court went on to say that Nigro was apparently not event aware of the debt to the power company, was not responsible for same, and did not provide his telephone number in connection with the transaction that resulted in the debt.  Specifically, the Court cited a 2008 Federal Communications Commissions (“FCC”) ruling finding that Nigro did not consent because his number was not “provided during the transaction that resulted in the debt owed.”

Notably, the FCC also filed a brief in the Second Circuit asking the Court to reverse to district court’s ruling.  In their brief, the FCC similarly argued that Nigro’s provision of his cell phone number to the power company did not qualify as consent to receive autodialed or prerecorded debt collection calls to that number.

As highlighted by this case, often one of the most difficult issues to navigate when considering TCPA compliance is the issue of consent and how it was obtained.

Ebola Presents Significant Workplace Challenges

We addressed the dangers of “snooping” into patient records by hospital workers spurred by incidents of Ebola and Enterovirus D-86 in the U.S. Of course, the workplace challenges created by Ebola, Enterovirus D-86 and other contagious diseases and illnesses in the workplace go far beyond snooping, and far beyond healthcare employers. Employers in all industries are facing dilemmas in which they have to weigh legal standards that are less than clear against the often competing interests of employees who are suspected of having these diseases or illnesses, their co-workers and the businesses’ customers. At the same time, businesses, employers and the public try to sift through the seemingly cryptic, sometimes conflicting, and fast moving guidance from federal and state public health agencies.

Employers need to be thinking about the possibility that they too could be faced with having to make decisions concerning a potentially infected employee.  These decisions include those pertaining specifically to the employee’s employment, what to tell other employees, family members, customers and when, and addressing inquiries from the media and public health agencies.

There are some basic rules, factors and resources to keep in mind when planning. 

We collaborated with our Workplace Safety and Health Practice Group and our Disability, Leave and Health Management Practice Group to summarize these rules and resources, and plan to collectively communicate more on this topic in the coming days and weeks. Although each situation is different and the circumstances seem to be changing minute to minute, having a basic strategy in place can be instrumental in making prompt, measured decisions.

Data Breach Notification Deadline Extended 10 Days for Certain Healthcare Providers in California

While recent legislation has tended to tighten data breach notification requirements (e.g., Florida and California), Assembly Bill 1755 extended the breach notification deadline from five to 15 days for certain healthcare providers. More specifically, according to AB1755 which becomes effective January 1, 2015, the deadline to provide notification of a breach of medical information for healthcare providers covered by California Health and Safety Code Section 1280.15 (clinics, health facilities, home health agencies, and hospices) will be 15 days. As under the existing rule, notification must be provided within that time frame to affected patients (or their representatives) and the California Department of Public Health.

Under current law, notice to the affected patient or his or her representative must be made to the patient’s or representative’s last known address. AB1755 adds some flexibility by incorporating HIPAA’s provisions for providing confidential communications under 45 CFR 164.522(b). Under that section of HIPAA, a covered healthcare provider generally is required to “accommodate reasonable requests by individuals to receive communications of protected health information…by alternative means or at alternative locations.” In that case, under AB1755, healthcare providers may send the notification using the alternative means or to the alternative location. In addition, notice can be provided by email only if the patient has previously agreed in writing to electronic notice by email.

Another change made by AB1755 is to apply the extended notification deadline in the case of a law enforcement delay. In other words, in the event notification is delayed due to law enforcement, notification must be made no later than 15 days following the conclusion of the law enforcement delay, not five days.

It is important to note that the HIPAA standards for breach notification also may apply. Under the HIPAA breach notification rule, notice will be considered timely if it is provided “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” In that case, depending on the circumstances, notification beyond 5 or 10 days may be considered unreasonable under HIPAA. Accordingly, healthcare providers subject to both HIPAA and California Health and Safety Code Section 1280.15, as amended, should be careful not to rely solely on the 15-day period under AB1755 as the deadline for providing notification.

It is important for healthcare providers and all entities that handle personal information to continually review their incident response plans and adapt them to changes in their business and changes in the law.

Enterovirus D-68 and Ebola Cases Raise Privacy Concerns for Healthcare Providers and their Workers

On September 25, a four-year old boy from New Jersey died of Enterovirus D-68, reports myfoxphilly.com. Increasingly, there are reports about potential Ebola cases in the U.S.

Naturally, the spread of infectious disease raises concern for everyone, particularly for healthcare workers who want to do their jobs, and also protect their families. There are already indications that these concerns may have led to impermissible “snooping” by healthcare employees. Covered entities therefore need to take this increased risk seriously and remind members of their workforces that they may not access patient records for an impermissible purpose. Healthcare workers also should be reminded that impermissible snooping also can lead to termination, fines, and in some cases criminal prosecution.

 

For some “covered entities” that may not yet maintain as robust a program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to documents these efforts, as it is required under HIPAA and will help them to substantiate their compliance efforts.

Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.

No one knows where the next victim of Enterovirus D-68 or Ebola will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.

Data Incident Response–Are You Prepared?

Two recent surveys provide some detailed analysis of cybersecurity and its impact in today’s world.

The Global State of Information Security Survey 2015, conducted by PricewaterhouseCoopers LLP (PWC),  found a 48% increase in the number of security incidents detected from 2013.  PWC surveyed more than 9,700 security, information technology and business executives found a total of 42.8 million security incidents detected on an annual basis.  While this figure appears astronomical, it does not include undetected attacks, which would only serve to increase this figure.  Many of these attacks result in what is commonly known as a data breach.

From a loss perspective, the Survey found the annual financial costs of investigating and mitigating security incidents increased substantially this year, particularly among large organizations, with the number of respondents reporting losses of $20 million or more almost doubling over 2013.  Notably, most respondents experienced a minimum of $50,000 in financial losses due to security incidents.

Notwithstanding the significant number of incidents detected and the related loss, the 2014 Critical Security Control Survey, conducted by the SANS Institute, found that only 26% of CEOs and top level managers are aware of cybersecurity risks and remediation obligations.  The Sans Survey, of 300 cybersecurity professionals, also found that less than 50% of companies have proper technological controls against malware and other malicious code and that 63% of companies say their in-house cybersecurity group lacks the necessary resources to assess and meet the cyber threat.

As we mentioned earlier this year, and as confirmed by each of these survey, organizations need to implement data incident response plans.  To this end, we have prepared a summary of some of the Key Action Items for Responding to Data Breaches.  While this list is not exhaustive, it should provide a general guide for incident response.

California AB-1710 – Requires Credit Monitoring Information in Data Breach Notice, Including Services Must Last 12 Months and Be Provided at No Cost

California Governor Jerry Brown signed AB-1710 into law yesterday amending its existing data breach notification statute. The most significant change – companies that experience a data breach must provide information in the notification that if identity theft prevention and mitigation services are provided, they must be provided for at least 12 months to affected persons at no cost if the breach exposed or may have exposed specified personal information. The new law also expands the application of safeguard requirements for personal information and further prohibits certain uses and disclosures of Social Security numbers. The new law becomes effective January 1, 2015.

Identity Theft Prevention and Mitigation Services (“Credit Monitoring”) Notification Mandate.

Currently California and 46 other states have laws that, in general, require entities that own or license certain personal information to notify individuals whose personal information has been involved in a data breach. The precise definitions of these or similar terms vary somewhat state-to-state. But none of the states have imposed a broadly applicable requirement by statute or regulation that entities facing a breach notification obligation must also provide credit monitoring services, or “identity theft prevention and mitigation services,” to affected persons. Of course, many companies have provided such services, and State Attorneys General have urged businesses to extend such services. What the law appears to require is that if identity theft prevention and mitigation services are provided, the notification must inform the affected persons that they will be provided for at least 12 months and at no cost, and the notice has to provide information on how to obtain the services.

The language adding the new “identity theft prevention and mitigation services” requirement is set forth at Cal. Civil Code 1798.82(d)(2)(G) and it reads:

If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

The new requirement applies only if the breach involved Social Security numbers, driver’s license numbers or California identification card numbers, but not credit card account numbers or the other elements of personal information in the existing California law.

It is also interesting to note that California’s existing law provides that HIPAA covered entities (there is no mention of business associates here) are deemed to comply with “the notice requirements in subdivision (d)” of the California law, if they comply with the breach notification obligations under HIPAA. Subdivision (d) refers to Cal. Civil Code 1798.82(d), the same section which contains the new identity theft prevention and mitigation services notification requirement. It is unclear, however, whether the reference to subdivision (d) would include the identity theft prevention and mitigation services notification requirement, since that seems to create an obligation beyond the notice requirement where identity theft prevention and mitigation services are offered. Covered entities have to be careful here and also consider the preemption provisions under HIPAA.

Safeguarding Personal Information.

Prior to AB-1710, California required businesses that own or license personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. To own or license meant that the business retained personal information as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. AB-1719 expands this requirement to businesses that “maintain” personal information. That is, personal information that a business maintains but does not own or license. This is a significant expansion of the safeguards requirement and businesses maintaining the personal information of California residents should be taking steps to safeguard that information, whether it applies to customers, employees, students, or other residents. For this purpose, personal information means:

an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information (any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional).

Note, however, that this obligation does not apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act.

Prohibitions on Sale and Marketing of Social Security Numbers.

California also maintained specific protections for Social Security numbers prior to AB-1710, including prohibiting persons or entities from publicly posting or displaying an individual’s Social Security number or doing certain other acts that might compromise the security of an individual’s Social Security number, subject to certain exceptions.

AB-1710 amends those protections to prohibit the sale, advertisement for sale, or offer to sell an individual’s Social Security number. The prohibition does not extend to the release of Social Security numbers when the release is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. This exception might apply, for example, in the course of a sale of a business and records containing Social Security numbers are released to the buyer. However, release of an individual’s Social Security number for marketing purposes is not permitted. Additionally, the release of an individual’s Social Security number for a purpose specifically authorized or specifically allowed by federal or state law is not prohibited by this change.

States have been amending their breach notification and data security laws over the past few years, likely in response to the data breaches constantly in the media and the large number of complaints of identity theft being received by federal and state agencies. See, e.g., recent amendments to Florida’s law. Companies need to be aware of these changes and start reviewing and updating their security incident response plans, as well as their overall risk assessment, particularly in California, where the law now may require a more costly response in certain cases.

Have You Obtained a HPID?

Written by Tyler Philippi

The Department of Health and Human Services (“HHS”) recently released guidance on the application process to obtain a Health Plan Identifier (“HPID”).  A HPID is an all-numeric 10-digit identification number that many HIPAA-covered health plans are required to adopt by November 5, 2014.  Think of a HPID like an EIN for health plans.  HPIDs will be used in all HIPAA standard transactions, such as the payment of health care claims, claim status checks, health plan eligibility confirmations, and premium payments.

The HPID requirement is another product of the Affordable Care Act and seeks to reduce administrative costs by promoting electronic transactions between medical providers and health plans.  To acquire HPIDs for their health plans, plan sponsors will have to register with the Centers for Medicare and Medicaid Services’ (“CMS”) Health Plan and Other Entity Enumeration System (“HPOES”) available through the CMS Enterprise Portal.

It is fair to say that prior to this new guidance the instructions for the application process were not exactly easy to follow.  This new two-page document, however, navigates users through the HPID application process step-by-step.  In essence, employers will register their organization, identify approved users in the web portal and their roles, and designate an “Authorizing Official User” to act on behalf of the organization in approving/submitting applications.

HPIDs are not required for every health plan, only Controlling Health Plans (“CHP”).  A CHP is a health plan that either controls its own business activities or is not controlled by an entity that is not a health plan and exercises sufficient control over any Subhealth Plans (“SHP”).  A SHP is simply a health plan whose business activities are controlled by a CHP and obtaining a HPID for SHPs is optional.

Making the HPID optional for SHPs recognizes that employers can structure their health plans in a variety of different ways.  For instance, a welfare benefit plan that has three medical benefit arrangements is only required to obtain a single HPID for the welfare benefit plan.  The employer could, however, assign separate HPIDs to each medical arrangement if it would simplify claims administration, or any other reason.  For most entities, coordination with the third-party claims administrator will determine whether obtaining a SHP has any benefit.

HPIDs will be required to be used in HIPAA standard transactions beginning November 7, 2016.  It is the obligation of the HIPAA covered entity to use an HPID in the electronic HIPAA transactions and ensure that business associates of the entity are also using a HPID.

Medical Information Worth 10x More Than Credit Card Data On Black Market

When many people think about identity theft and data breaches, they tend to think about credit card data and bank accounts. This makes sense given the large-scale breaches in the news lately. However, Reuters reported last week that medical information is ”worth 10 times more than [] credit card number[s] on the black market” a trend that has been developing for some time. This makes health care providers and their business associates increasingly likely to be targets of an attack. Small businesses in this industry are not immune as even a solo practitioner can amass data on thousands of patients. See NYT article making this point and providing some helpful strategies.

Like financial institutions, insurance companies, and retailers, businesses in the healthcare industry maintain vast amounts of sensitive data including health insurance policy numbers, social security numbers, birth dates and other billing information, not to mention sensitive diagnosis information. As healthcare costs continue to rise, the opportunity to use another’s identity, policy or account to obtain healthcare products and services is a strong driver of the value of this data on the black market. In addition, providers and other health care businesses generally are not as advanced as banks and financial institutions in safeguarding individually identifiable health information, or spotting identity theft. As data is not perishable, and this sector is reported to generally be slower in reacting, identity thieves tend to have a longer time frame to use the information.

The increasing exposure for businesses in the healthcare industry is evident in recent studies by the Ponemon Institute which show cyber attacks have risen from 20 percent in 2009 to 40 percent in 2013, as noted in the Reuters article. Other reports highlight increases in HIPAA breaches. See also MelaMedia’s helpful collection of statistical information concerning HIPAA data breaches and other metrics.

Clearly, the healthcare industry will need to continue to address this increasing threat, although static budgets and strapped resources of course present significant challenges. For organizations that have not already worked through a HIPAA compliance program, there is a bunch of low hanging fruit that can be adopted with relative ease and low expense to safeguard data. Creating adequate safeguards and a culture of privacy and security does not happen overnight. It requires buy-in and leadership from senior management, a careful understanding the organization’s risks and vulnerabilities, knowing what the law requires, coordination with key persons inside the organization and certain third parties outside the organization, frequent and regular security awareness and training, and regular re-evaluation of the organization’s approach for changed circumstances.

Delaware Joins List of States Regulating Data Disposal

On January 1, 2015, Delaware employers who dispose of records which contain the unencrypted personal identifying information of employees must take steps to ensure the privacy of such information.  The bill, H.B. 294, was recently signed by Delaware’s Governor Jack Markell.

The new law defines personal identifying information as an employee’s first name or first initial and last name in combination with one of the following data elements that relate to the employee, when either the name or the data elements are not encrypted:

  • the employee’s signature;
  • full date of birth;
  • social security number;
  • passport number;
  • driver’s license or state identification number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • any other financial information; or
  • confidential health care information.

Under the law, employers are required to take reasonable steps to destroy or arrange for the destruction of an employee’s personal identifying information when in a “tangible medium,” or that is stored in an electronic or other medium and is retrievable.   Destruction is to be by shredding, erasing, or otherwise modifying the personal identifying information to make it entirely “unreadable or indecipherable” through any means.  Importantly, the law permits a private right of action for any employee who incurs actual damages due to the reckless or intentional violation of this statute.

Delaware also enacted a companion bill, H.B. 295, in July which imposed the same requirements for the proper destruction of personal data on Delaware businesses disposing records containing consumers’ personal identifying information.

Both of these statutes are aimed at addressing one of the more common ways in which a business may experience a data breach, namely the improper disposal of records.  Notably, both of this measures include broader definitions of personal identifying information than Delaware’s data breach notification statute which only includes the following data elements:  Social Security number; driver’s license number or Delaware Identification Card number; or account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

Upon enactment, Delaware joins the list of 30 other states which in some way regulate the disposal of personal information.