Patient record requests can be a significant administrative burden for health care providers. An OCR enforcement initiative and a new federal law give providers more reason to get this process right.  We summarize these rules here.

Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule became effective in 2003, it has generally required covered entities to provide patients timely access to their medical records. However, continued concerns over the level of patient access to records are driving increased emphasis, heightened enforcement activity, and new laws, including the 21st Century Cures Act, to ensure individuals have easy access to their health information. A critical goal of these efforts is to empower patients to be more in control of decisions regarding their health and well-being. According to OCR, individuals with ready access to their health records are better positioned:

to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research.

The “Right to Access” under HIPAA established a floor for patients to access their health records, which could be exceeded by more stringent state laws. In 2019, the OCR commenced its Right of Access Initiative, an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost. At least one study found providers are struggling to fully comply. Nonetheless, the OCR has announced nearly 20 enforcement actions under its Right of Access Initiative – a full list of enforcement actions is available on the OCR website. Monetary settlements to date have ranged from $3,500 to $200,000. In addition, the OCR resolution agreements require the covered entities to develop corrective action plans to prevent further violations.

The Cures Act significantly heightens the obligations under the HIPAA right of access. Its Interoperability, Information Blocking, and ONC Health IT Certification Program provisions seek to minimize interference with the ability of authorized persons or entities to access, exchange, or use electronic health information (EHI) – that is, to eliminate impermissible “information blocking.” More specifically, the Cures Act defines information blocking as business, technical, and organizational practices that prevent or materially discourage the access, exchange, or use of EHI when an actor knows, or (for some actors, like electronic health record vendors) should know, that these practices are likely to interfere with access, exchange, or use of EHI. The law empowers the HHS Office of Inspector General (OIG) to investigate claims of information blocking and to provide referral processes to facilitate coordination with the OCR. The goal of these provisions is to support seamless, secure access, exchange, and use of EHI.

During the nearly 20 years since the HIPAA Privacy Rule became effective, technological changes now support even greater access rights, including enabling access in real time and on demand. Providers, even certain providers not subject to HIPAA, will need to ensure they have compliant policies and procedures for ensuring patients have access to their records and avoiding enforcement actions, headaches, and penalties.

Beginning January 1, 2017, employees in Colorado have a right to inspect and copy their personnel files. Prior to this law, Colorado had no law granting private-sector employees access to their personnel records.

Under the new law, upon a current employee’s request, an employer must allow that employee to inspect and obtain a copy of any part of the employee’s personnel file at least once annually. A former employee, however, may make only one inspection of his or her personnel file after termination of employment.  The new law also permits an employer to restrict an employee’s review of his or her personnel file to be only in the presence of an individual designated by the employer and the employer may require the employee or former employee to pay the reasonable cost of duplication of documents.

The new law does not require employers to create, maintain, or retain a personnel file on an employee or former employee nor does it require an employer to retain for a specific period of time documents that are or were contained in an employee’s personnel file.  Importantly, the law also does not create a private right of action for employees alleging violations of the law.

For additional details regarding this new law, please see the related article authored by our colleagues in Denver.

A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Rights’ HIPAA Right of Access Initiative. According to the OCR’s announcement, VPS agreed to a two-year corrective action plan and to pay $30,000 to settle a potential HIPAA violation.

What is the “right to access” under HIPAA?

The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived.

When implementing this rule, covered entities and their business associates have several issues to consider, such as:

  • What information is subject to the right and what information is not, such as psychotherapy notes.
  • Confirming the authority of a “personal representative” to act on behalf of an individual.
  • Procedures for receiving and responding to requests – such as written request requirements, verifying the authority of requesting parties, timeliness of response, whether and on what grounds requests may be denied, and fees that can be charged for approved requests.

To assist covered entities (and business associates), the OCR provides a summary of right of access issues, as well as a set of frequently asked questions.

Resolution of OCR’s Eighteenth “Right of Access” Enforcement Action 

The OCR’s investigation commenced in September 2019, when it received a complaint from a patient that VPS failed to timely respond to the patient’s records access request made in the prior month. According to the OCR resolution agreement, OCR determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days, if an extension is applicable).

In addition to reaching a monetary settlement of $30,000, the resolution agreement also requires VPS to implement a corrective action plan (“CAP”) that includes two years of monitoring by the OCR. The CAP requires the small practice to, among other things:

  • revise its right of access policies,
  • submit its right of access policies to OCR review,
  • obtain written confirmation from staff that they read and understand the new right of access policies,
  • train staff on the new policies, and
  • every 90 days submit to OCR a list of requests for access from patients and VPS’ responses.

Getting Compliant

Providers receive all kinds of requests for medical and other records in the course of running their businesses. Reviewing and responding to these requests no doubt creates administrative burdens. However, buying forms online might not get the practice all it needs, and could put the practice at additional risk if those are followed without considering state law or are not implemented properly.

Putting in place relatively simple policies, carefully developing template forms, assigning responsibility, training, and documenting responses can go a long way toward substantially minimizing the risk of an OCR enforcement action and its severity. Providers also should be considering sanctions under state law that might flow from failing to provide patients access to their records. It is worth noting that in some cases state law may be more stringent than HIPAA concerning the right of access, requiring modifications to the processes practices follow for providing access.

When providers, health plans, business associates, and even patients and plan participants think of the HIPAA privacy and security rules (“HIPAA Rules”), they seem to be more focused on the privacy and security aspects of the HIPAA Rules. That is, for example, safeguarding an individual’s protected health information (PHI) to avoid data breaches or avoiding improper disclosures to persons without authority to receive it. An equally important aspect of the HIPAA Rules, however, is ensuring patient access to health records, as shown by recent enforcement activity announced yesterday by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).

Last year, OCR commenced its Right of Access Initiative, an enforcement priority in 2019 to support individuals’ right to timely access to their health records at a reasonable cost. At least one study found providers are struggling to fully comply with the right to access requirement under HIPAA, rights which also exist under state law. A study by medRxiv reported in HIPAAJournal highlights this issue. During the study, 51 providers were sent medical record access requests and the results showed:

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it too[k] several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner…

The researchers also conducted a telephone survey on 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.


Enforcement of the Right to Access.

The five enforcement actions announced yesterday are not the first enforcement actions taken by OCR. In September 2019, the OCR settled a complaint with a provider for $85,000 after it alleged the provider failed to respond to a patient’s request for access. In December 2019, the OCR settled a second complaint, again for $85,000, to address similar allegations: failure to respond timely, as well as failing to forward the medical records in the requested format and charging more than the reasonable, cost-based fees allowed under HIPAA.

The five more recent cases involve very similar allegations against mostly small health care providers, at least in one case a not-for-profit, namely, the failure to provide patients with the right to access their protected health information under the HIPAA Rules. The total amount of the settlements with these five entities is $136,500.

“Patients can’t take charge of their health care decisions without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough,” Severino added.


On June 6, 2023, Governor DeSantis signed Senate Bill (SB) 2262, legislation intended to create a “Digital Bill of Rights” for Floridians. While Florida’s new law provides similar privacy rights to consumers as other states’ comprehensive privacy laws passed in recent months, the law is narrower in the businesses that are regulated.

Generally, the requirements of the law take effect on July 1, 2024, with certain sections taking effect sooner.

Covered Businesses

The new legislation applies to businesses that collect consumers’ personal information, make in excess of $1 billion in gross revenues, and meet one of the following thresholds:

  • Derive 50% or more of its global annual revenues from providing targeted advertising or the sale of ads online; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation.

Consumer Rights

Like many of the comprehensive privacy laws passed in recent months, the new law provides Florida consumers the right to:

  • Access their personal information;
  • Delete or correct personal information; and,
  • Opt out of the sale or sharing of their personal information.

In addition to these rights, the law adds biometric data and geolocation information to the definition of personal data, for purposes of protecting consumers.

Covered Business Obligations

Under the new law, covered businesses and their processors are required to implement a retention schedule for the deletion of personal data. Controllers or processors may only retain personal data until:

  • The initial purpose of the collection was satisfied;
  • The contract for which the data was collected or obtained has expired or terminated; or
  • Two years after the consumer’s last interaction with the covered business.

Covered businesses will be required to provide reasonably accessible and clear privacy notices, and such notices will need to be updated annually, including disclosures to consumers regarding data collection, processing, and use practices.  

The law also requires covered businesses to develop and implement reasonable data security practices.

If you have questions about Florida’s new Digital Bill of Rights or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Websites play a vital role for organizations. They facilitate communication with consumers, constituents, patients, employees, donors, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern.

Currently, many businesses are working to become compliant with the California Consumer Privacy Act (“CCPA”) which, if applicable, requires the conspicuous posting of a detailed privacy policy on a business’s website. But the CCPA is neither the first nor the last compliance challenge for organizations that operate websites and other online services. A growing compliance burden has led to a wide range of operational and content requirements for websites. The push for CCPA compliance and responding to the flood of ADA accessibility litigation may cause more organizations to revisit their websites and, in the process, uncover a range of other issues that have crept in over the years.

What are some of these requirements?

AI – Artificial Intelligence. Organizations are increasingly leveraging automated decision-making tools to enhance their businesses in a range of areas, including employment. Needless to say, artificial intelligence (AI) and similar technologies, which power these tools, are being targeted for regulation. For example, the New York City Council passed a measure that subjects the use of automated decision-making tools to several requirements. One of those requirements is a “bias audit.” Employers that intend to utilize such a tool must first conduct a bias audit and must publish a summary of the results of that audit on their websites. We cover more about NYC Local Law 144 here.

ADA Accessibility. When people think about accommodating persons with disabilities, they often are drawn to situations where a person’s physical movement in a public place is impeded by a disability – stairs to get into a library or narrow doorways to use a bathroom. Indeed, Title III of the Americans with Disabilities Act grants disabled persons the right to full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Although websites were not around when the ADA was enacted, they are now, and courts are applying ADA protections to those sites. The question is whether a website or application is accessible.

Although not yet adopted by the Department of Justice, which enforces Title III of the ADA, guidelines established by the Web Accessibility Initiative appear to be the more likely place courts will look to assess the accessibility of a website to which Title III applies. State and local governments have similar obligations under Title II of the ADA, and those entities might find guidance here.

HIPAA…and tracking technologies, pixels. Anyone who has had a first visit to a doctor’s office was likely greeted with a HIPAA “notice of privacy practices” and asked to sign an acknowledgement of receipt. Most covered health care providers have implemented this requirement, but may not be aware of the website requirement. HIPAA regulation 45 CFR 164.520(c)(3)(i) requires that a covered entity maintaining a website with information about the entity’s customer services or benefits must prominently post its notice of privacy practices on the site and make the notice available electronically through the site.

Beyond the notice posting requirement, websites of HIPAA covered entities and business associates have operational issues to consider. In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including, but not limited to, healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites. We do a deeper dive into this issue here.

COPPA. The Children’s Online Privacy Protection Act (COPPA) was enacted to give parents more control concerning the information websites collect about their children under 13. Regulated by the Federal Trade Commission (FTC), COPPA requires websites and online services covered by COPPA to post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. COPPA applies to websites and online services directed to children under the age of 13 that collect personal information, and to sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Find out more about compliance here.

FTCA and more on tracking technologies. Speaking of the FTC, that agency also enforces the federal consumer protection laws, including section 5 of the Federal Trade Commission Act (FTCA) which prohibits unfair and deceptive trade practices affecting commerce. When companies tell consumers they will safeguard their personal information, including on their websites, the FTC requires that they live up these promises. Businesses should review their website disclosures to ensure they are not describing privacy and security protections that are not actually in place.

Further to the issue of website tracking technologies noted above under HIPAA, the FTC took enforcement action against digital healthcare companies for sharing user information via third-party tracking pixels, which enable the collection of user data. The FTC’s new focus highlights that issues with pixel tracking are not only a concern for covered entities and business associates under HIPAA.

ACA – Transparency in Coverage. Pursuant to provisions in the Consolidated Appropriations Act, 2021, the Departments of Labor, Health and Human Services, and the Treasury issued regulations to implement the Transparency in Coverage Final Rules.  The Final Rules require certain health plans and health insurance issuers to post information about the cost to participants, beneficiaries, and enrollees for in-network and out-of-network healthcare services through machine-readable files posted on a public website.  The Final Rules for this requirement are effective for plan years beginning on or after January 1, 2022 (an additional requirement for disclosing information about pharmacy benefits and drug costs is delayed pending further guidance).

Comprehensive State Privacy Laws, including the CCPA. As mentioned above, a CCPA-covered business that maintains a website must post a privacy policy on its website through a conspicuous link on the home page using the word “privacy,” and on the download or landing page of a mobile application. That is not all. The website must also provide certain mechanisms for consumers (including employees and applicants) to contact the business about their CCPA rights, such as the right to require deletion of their personal information, and the right to opt out of the sale of personal information. The latter must be provided through an interactive webform accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info.” Several of these requirements have been enhanced beginning in 2023 under the California Privacy Rights Act.

Since we originally published this post, five other states have enacted a similar data privacy framework – Colorado, Connecticut, Iowa, Utah, and Virginia. For organizations subject to those laws, additional work may be needed on their privacy policies to comply.

CalOPPA. Even if an organization is not subject to the CCPA, it still may be subject to the California Online Privacy Protection Act (CalOPPA). CalOPPA requires certain commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

Delaware and Nevada. In 2016, Delaware became the second state to have an online privacy protection act, requiring similar disclosures to those under CalOPPA. Nevada enacted website privacy legislation of its own. First, like DelOPPA and CalOPPA, NRS 603A.340 requires “operators” to make a privacy notice reasonably accessible to consumers through its Internet website or online service. That notice must, among other things, identify the categories of covered information the operator collects through the site or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such covered information. In general, an operator is a person who: (i) owns or operates an Internet website or online service for commercial purposes; (ii) collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (iii) engages in any activity that constitutes sufficient nexus with this State, such as purposefully directing its activities toward Nevada. Effective October 1, 2019, Nevada added to its website regulation by requiring operators to designate a request address on their websites through which a consumer may submit a verified request to opt out of the sale of their personal information.

California’s Fair Chance Act. This is California’s version of the “ban the box” laws, enacted in many states, which generally prohibit employers from asking job applicants about criminal convictions before making a conditional job offer. In California, the law imposes similar restrictions on employers with five or more employees. Why is this a website requirement?

Recently, the state’s Department of Fair Employment and Housing (DFEH) announced new efforts to identify and correct violations of the statute by using technology to conduct mass searches of online job advertisements for potentially prohibited statements. The DFEH deems blanket statements in job advertisements indicating that the employer will not consider anyone with a criminal history to be violative of the statute. In its press release, the DFEH states in one day of review it found over 500 job advertisements with statements that violate the statute. The DFEH has released a new Fair Chance Toolkit, that includes sample forms and guides, and employers should also consider reviewing the descriptions of job opportunities on their websites.

California Transparency in Supply Chains Act. California seeks to curb slavery and human trafficking by making consumers and businesses more aware that the goods and products they buy could be supporting the commission of these crimes. To do so, the Transparency in Supply Chains Act requires large retailers and manufacturers to provide consumers with information regarding their efforts to eradicate slavery and human trafficking from their supply chains. This information must be conspicuously provided on the company’s website (or provided in writing if it does not have a website). To be subject to the law, a company must (a) identify itself as a retail seller or manufacturer in its tax returns; (b) satisfy the legal requirements for “doing business” in California; and (c) have annual worldwide gross receipts exceeding $100,000,000. To assist with compliance, the state has published a Resource Guide and Frequently Asked Questions.

GDPR. In 2018, the European Union’s General Data Protection Regulation (GDPR) became effective and reached companies and organizations globally. In general, organizations subject to the GDPR which collect personal data on their websites must post a privacy policy on their website setting forth the organization’s privacy practices.

Not-For-Profits, Donors, and Ratings. A donor’s decision to contribute to an organization is significantly affected by that organization’s reputation. To assist donors, several third-party rating sites, such as Charity Navigator, the Wise Giving Alliance, and CharityWatch, do much of the legwork for donors. They collect large amounts of data about these organizations, such as financial position, use of donated funds, corporate governance, transparency, and other practices. They obtain most of that data from the organizations’ Forms 990 and websites, where many organizations publish privacy policies.

Rating sites such as Charity Navigator base their ratings on comprehensive methodologies. A significant component of Charity Navigator’s rating, for example, relates to accountability and transparency, made up of 17 categories. A review of an organization’s website informs five of those 17 categories, namely (i) board members listed, (ii) key staff listed, (iii) audited financials published, (iv) Form 990 published, and (v) privacy policy content. Addressing some of these issues on an organization’s website could help boost its ratings and drive more contributions.

This is by no means an exhaustive list of the regulatory requirements that may apply to your website or online service. Organizations should regularly revisit their websites not just to add new functionality or fix broken links. They should have a process for ensuring that the sites or services meet the applicable regulatory requirements.

As we noted in our last post, there has been a flurry of data privacy and security activity in New York, with the State appearing poised to join California as a leader in this space.  Most recently, on April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data.

Under the TDPA, a “smart access” building is one that uses electronic or computerized technology (e.g., a key fob), radio frequency identification cards, mobile phone applications, biometric information (e.g., fingerprints, voiceprints, hand or face geometry), or other digital technology to grant entry to the building, or to common areas or individual dwelling units therein.  The TDPA would require owners of smart access buildings to develop and maintain policies and procedures to address the following requirements:

  1. Express Consent. Before collecting “reference data” from a tenant for use in connection with the building’s smart access system, the building owner would be required to obtain the tenant’s express consent “in writing or through a mobile application.”  “Reference data” is the data used by the system to verify that the individual seeking access is authorized to enter.  Even after obtaining consent, the owner would only be permitted to collect the minimum amount of data necessary to enable the smart access system to function effectively.
  2. Privacy Policy. Building owners would also need to provide a “plain language” privacy policy to their tenants that includes certain disclosures, including disclosure of the data elements that the system collects, the third parties that data is shared with, how the data is protected, and how long it will be retained.
  3. Stringent Security Safeguards. Additionally, the TDPA would require building owners to implement robust security measures and safeguards to protect the data of their tenants, guests, and other users of the smart access system.  At a minimum, these security measures would need to include data encryption, a password reset capability (if the system uses a password), and regularly updated firmware to address security vulnerabilities.
  4. Data Destruction. With limited exceptions, building owners would need to destroy any “authentication data” collected through their smart access systems no later than 90 days after collection.  “Authentication data” is the data collected from the user at the point of authentication, excluding any data generated through or collected by a video or camera system used to monitor entrances, but not to grant entry.

The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems.  Specifically, they would only be permitted to collect:

  • the user’s name;
  • the dwelling unit number and that of other doors or common areas to which the user has access;
  • the user’s preferred method of contact;
  • the user’s biometric identifier information (if the smart access system utilizes such information);
  • the identification card number or any identifier associated with the physical hardware used to facilitate building entry (e.g., Bluetooth);
  • passwords, passcodes, usernames and contact information used singly or in conjunction with other reference data to grant the user access;
  • lease information, including move-in and, if available, move-out dates; and
  • the time and method of access (but solely for security purposes).

Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties.  Building owners that wish to engage third-party vendors to operate or facilitate use of their smart access systems would be required to first (a) provide to users the name of the vendor, the intended use of user data by the vendor, and a copy of the vendor’s privacy policy, and (b) obtain the users’ express written authorization to disclose the users’ data to the vendor.

Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.  Such tenants would be empowered to seek either compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, along with attorneys’ fees.

Unless vetoed by the City’s Mayor, the TDPA will take effect at the end of June 2021, though building owners will be granted a grace period until January 1, 2023, to develop their compliance programs and replace or upgrade their smart access systems.  Building owners should use that time wisely, as the TDPA’s requirements will, in many instances, be a heavy lift.

In 2018, the California Consumer Privacy Act (“CCPA”), which provides for an expansive array of privacy rights and obligations, was enacted.  At the time, it was reasonable to wonder whether California’s bold example would catalyze similar activity in other states.  It’s clear now that it has.   Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit.  (Building on its own momentum, California passed another privacy law, the California Privacy Rights Act (“CPRA”), last November, which expands the rights and obligations established by the CCPA).

New York currently has two bills under consideration, S567 and A680, which would dramatically expand the privacy rights afforded to New York data subjects and the compliance burden imposed on the organizations that control or process that data.

S567

S567, which tracks the CCPA in certain respects, would have broad jurisdictional scope.  It would apply to any for-profit organization doing business in New York that collects the personal information of New York residents and either (a) has annual gross revenue exceeding $50M, (b) annually sells the personal information of 100,000 or more state residents or devices, or (c) derives at least 50% of its annual revenue from the sale of residents’ personal information.  Like the CCPA, S567 broadly defines personal information as any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”

S567 has been referred to the Senate Consumer Protection Committee. If passed by the Senate, the bill would be sent to the governor and, if signed, would take effect 180 days thereafter.

Key Provisions:

Consumer Rights: S567 would grant consumers, among others, the rights to:

  • “Know” what categories of their personal information an organization has collected, or sold or disclosed to a third party for a business purpose (including the categories of third parties to whom the information was sold or disclosed).
  • “Opt-out” of the sale of their personal information.
  • Notice: Organizations subject to the law would be required to disclose the above rights, as well as instructions for exercising them, in their online privacy policy.
  • Non-Discrimination: Subject organizations would also be required to refrain from discriminating against consumers who exercise their rights under the law.
  • Private Right of Action: S567 would provide a broad private right of action to pursue violations of its privacy provisions.  This private right would extend to “any person who becomes aware, based on non-public information, that a person or business has violated” this law.  In theory, therefore, potential plaintiffs could include vendors, competitors, and consumer privacy groups. S567 provides for statutory damage awards of the greater of $1,000 per violation or actual damages, as well as up to $3,000 for knowing or willful violations.

A680

A680, meanwhile, would grant certain rights and impose certain obligations that extend beyond even those provided for under the CCPA/CPRA.  For instance, it would require subject organizations to obtain written consent from New York data subjects before using, processing, or transferring to a third party their “personal data,” which the bill broadly defines as “information relating to an identified or identifiable natural person.”

A680 would also make such organizations “data fiduciaries,” meaning that they would owe a “duty of care, loyalty, and confidentiality” to consumers to secure their personal data against “privacy risk” (a term which the bill expansively defines), as well as to “act in the best interests of the consumer” without regard to the organizations’ own interests.

A680 would apply to organizations “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state,” subject to certain exceptions.

The bill has been referred to the Assembly’s Consumer Affairs and Protection Committee. If passed by the Assembly and Senate, the bill would be sent to the governor for signature and would take effect 180 days after it was signed into law.

Key Provisions:

Consumer Rights: A680 would grant consumers, among others, the rights to:

  • Opt in or out of the processing of their personal data.
  • Request confirmation of whether their personal data is being processed, including whether it is being sold to data brokers.
  • Request access to their personal data.
  • Request the names of the third parties to whom their personal data is sold.
  • Request correction of inaccurate personal data.
  • Request deletion of their personal data.

Notice: Organizations subject to the law would be required to disclose the above rights to consumers and to make other requisite disclosures regarding their processing of personal data.

De-Identified Data: Subject organizations that use de-identified data would be required to “exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject” and to “take appropriate steps to address any breaches of contractual commitments.”

Private Right of Action: In addition to granting enforcement authority to the State AG, A680 would empower consumers to bring suit in their own names for injunctive relief, as well as actual damages and reasonable attorney’s fees.

Takeaway:

Momentum is building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, must therefore carefully assess their data collection activities, develop policies and procedures to address their evolving compliance obligations and data-related risks, and train their workforce on effective implementation of those policies and procedures.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.

Employee Snooping: Your Employees' Temptations = Your Liability

As we noted in late January 2020, the spread of infectious disease raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protecting themselves and their families. Perhaps the desire to protect one’s self and family is what motivated a California state healthcare worker to access COVID-19-related health records of more than 2,000 current and former patients and employees over a ten-month period.

Regardless, this data breach should be a reminder for all organizations that (i) compromises to personal information of whatever kind are not only caused by criminal hackers, and (ii) considering all the personal health information being collected by organizations in connection with COVID-19 screening, testing, and vaccination programs, this is not a problem limited to health care employers.

In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. According to a press release and published FAQs, an employee of Atascadero State Hospital with access to the hospital’s data servers as part of the employee’s information technology job duties improperly accessed the names, COVID-19 test results, and health information necessary for tracking COVID-19 of approximately 1,415 current and former patients and 617 employees. The hospital discovered the breach on February 25, 2021, and, evidently, the employee’s improper access had been ongoing for 10 months.

Of course, HIPAA covered entities and business associates should be taking steps to address this risk. Such steps include, for example, continually reminding workforce members about access rights and the minimum necessary rule, which are required under HIPAA’s privacy and security regulations. At times, unauthorized access may be difficult to identify, particularly where employees have a need for broad access to information. In the case noted above, the breach was discovered as part of the hospital’s annual review of employee access to data files. Reviewing system activity generally is a good idea for all organizations, taking into account relevant threats and vulnerabilities to shape frequency, scope, and methodology.
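The periodic review of system activity described above can be partly automated. The following is an added example (not from the post or the hospital involved) that reads a constructed, simplified EHR audit log and flags two patterns relevant to the incident: a non-clinical (IT) account reading patient records at all, and any user reading far more distinct patients than their clinical peers. The log format, role names, and thresholds are assumptions for illustration.

```python
"""Periodic review of EHR audit logs for insider snooping (added example).

Constructed line format: timestamp,user,role,action,record_type,record_id
Assumed policy: only clinical roles have a treatment need for patient records;
IT staff administer servers, so any patient-record read by them is flagged,
as is any user reading far more distinct patients than their clinical peers.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit log, not real data.
SAMPLE_LOG = """\
2021-02-01T08:01:00,nurse01,clinical,read,patient,P1001
2021-02-01T08:05:00,nurse01,clinical,read,patient,P1002
2021-02-01T08:09:00,nurse02,clinical,read,patient,P1003
2021-02-01T09:00:00,itadmin7,it,login,server,covid-db-01
2021-02-01T09:02:00,itadmin7,it,read,patient,P1001
2021-02-01T09:02:30,itadmin7,it,read,patient,P1002
2021-02-01T09:03:00,itadmin7,it,read,patient,P1003
2021-02-02T09:10:00,itadmin7,it,read,patient,P1004
2021-02-02T10:00:00,nurse03,clinical,read,patient,P1005
2021-02-02T10:04:00,nurse03,clinical,read,patient,P1006
2021-02-02T10:08:00,nurse03,clinical,read,patient,P1007
2021-02-02T10:12:00,nurse03,clinical,read,patient,P1008
2021-02-02T10:16:00,nurse03,clinical,read,patient,P1009
2021-02-02T10:20:00,nurse03,clinical,read,patient,P1010
2021-02-02T10:24:00,nurse03,clinical,read,patient,P1011
"""

CLINICAL_ROLES = {"clinical"}  # roles with a need to read patient records (assumed)


def parse_audit_log(text):
    """Parse CSV-style lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        keys = ("ts", "user", "role", "action", "record_type", "record_id")
        events.append(dict(zip(keys, parts)))
    return events


def review_access(events, volume_factor=3):
    """Return sorted findings as (user, reason, distinct_patients_read)."""
    distinct = defaultdict(set)  # user -> set of patient ids read
    role_of = {}
    for e in events:
        if e["record_type"] == "patient" and e["action"] == "read":
            distinct[e["user"]].add(e["record_id"])
            role_of[e["user"]] = e["role"]
    # Baseline: median distinct patients read by users in clinical roles.
    peer_counts = [len(s) for u, s in distinct.items() if role_of[u] in CLINICAL_ROLES]
    baseline = median(peer_counts) if peer_counts else 0
    findings = []
    for user, ids in distinct.items():
        n = len(ids)
        if role_of[user] not in CLINICAL_ROLES:
            findings.append((user, "non-clinical role read patient records", n))
        elif baseline and n > volume_factor * baseline:
            findings.append((user, "patient-record volume far above peers", n))
    return sorted(findings)
```

Running `review_access(parse_audit_log(SAMPLE_LOG))` on the constructed log flags `itadmin7` (IT role reading patient records) and `nurse03` (seven distinct patients against a peer median of two); such a review run monthly rather than annually would have shortened the ten-month window described above.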

The Office for Civil Rights has issued bulletins addressing HIPAA privacy in emergency situations, such as one in November 2014, during the Ebola outbreak, and one in February 2020 for the coronavirus. These bulletins provide good resources and reminders for health care providers when working in this environment.  They also convey helpful considerations for all organizations handling sensitive personal health information.

During the past 12 months, organizations have collected, directly or through third-party vendors, massive amounts of data about employees. Examples include data collected during daily temperature and symptom screenings, COVID-19 test results for contact tracing purposes, and now vaccination status. Some organizations have used thermal imaging cameras that leverage facial recognition technology to screen, while others have rolled out newly developed devices and apps to manage social distancing and facilitate contact tracing efforts. We now are seeing systems being rolled out to track and incentivize vaccinations. All of these activities involve the collection and storage of personal information at some level.

Organizations, whether covered by HIPAA or not, engaged in these activities should be thinking about how this information is being safeguarded. This includes assessing the safeguards implemented by third-party vendors supporting the systems, devices, and activities. Again, these efforts should not be focused only on systems designed to prevent hackers from getting in, but also on what can be done internally to prevent unauthorized access, uses, and disclosures of such information by insiders, including employees.

The California Privacy Rights Act (CPRA), passed in November 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to implement such safeguards. But, remember, reasonable security safeguards are already required under California law, and that requirement is not limited to businesses subject to the CCPA/CPRA.

The CPRA adds subsection (e) to Cal. Civ. Code 1798.100, as follows:

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

California Civil Code section 1798.81.5 requires a business that:

owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Unlike the CCPA/CPRA, section 1798.81.5 defines “business” more broadly to include “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” Thus, even if the CCPA, as amended by the CPRA, does not apply to your business, California law still may require the business to have reasonable security safeguards.

The meaning of “reasonable safeguards” is not entirely clear in California.  One place to look, however, is the California Data Breach Report that former California Attorney General (and now Vice President) Kamala D. Harris issued in February 2016. According to that report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

So, although the CPRA generally is operative on January 1, 2023, California businesses might look to the 20 CIS controls at least as a starting point for securing personal information. With regard to which personal information to secure to minimize exposure under the CCPA/CPRA’s private right of action, the law is a bit clearer.

The CCPA extended the private right of action for data breaches only to personal information “defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5”:

(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

The CPRA added to this list a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.”

In the event a CCPA-covered business experiences a data breach involving personal information, the CCPA authorized a private cause of action against the business if a failure to implement reasonable security safeguards caused the breach. If successful, a plaintiff can seek to recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs generally do not have to show actual harm to recover. In case you were wondering, CCPA data breach litigation has already commenced.

To bring such an action under the CCPA, a consumer must provide the business 30 days’ written notice specifying the violation and giving the business an opportunity to cure. If cured under the CCPA, no action may be initiated against the business for statutory damages. However, the CPRA clarifies that businesses cannot cure a failure to have reasonable safeguards before the breach:

implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.

The CPRA also calls for additional regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to (i) perform a cybersecurity audit on an annual basis, and (ii) submit to the California Privacy Protection Agency on a regular basis a risk assessment concerning the processing of personal information.

There is more to come following the passage of the CPRA, and businesses should be monitoring CCPA/CPRA developments. However, it is critical to ensure reasonable security safeguards are in place to protect personal information.