Healthcare providers continue to have challenges with responding to attorney requests for information and subpoenas. We highlighted some of these last year, along with some issues providers should be considering to help meet those challenges. In this case, after the patient advised the provider not to disclose her PHI to her significant other, the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file. According to the Supreme Court’s decision, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” Without deciding whether Connecticut’s common law recognizes a negligence cause of action arising from this situation, the Court agreed with the patient, concluding such an action is not preempted by HIPAA and, further, that the HIPAA regulations may be used to establish the provider’s standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., No. 18904.

As part of its reasoning supporting the decision, the Court pointed to language in the preamble to the final HIPAA privacy regulations discussing preemption. Specifically, the Court noted that commentators had raised the issue of whether “a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). The Department of Health and Human Services responded:

the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions

(While the Department’s view is not binding, the Court noted that “[w]here an agency has authoritatively interpreted its own rule, courts generally defer to that reading unless it is plainly erroneous or inconsistent with the regulation.”) The Court went on to list a number of decisions holding that HIPAA does not preempt causes of action that exist as a matter of state common or statutory law and arise from health care providers’ breaches of patient confidentiality in a variety of contexts. The Court also mentioned some of these cases permitted HIPAA to inform the relevant standard of care in such actions.

This case should be a strong reminder to covered entities, and their business associates, to be more careful when responding to requests for protected health information under HIPAA. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which without more generally will not justify disclosure. The fact that a private right of action does not exist under the HIPAA privacy or security regulations is not the end of the inquiry. Providers and business associates have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records, such as state health laws and regulations, common law torts, and other measures.

Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like.

In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when disclosure of requested information was incomplete.

In Larson v. The Northwestern Mutual Life Insurance Company, CM Information Specialists, Inc., Minnesota Supreme Court, No. A13-0186, October 22, 2014, Larson sued Northwestern Mutual for death benefits related to her deceased husband’s life insurance policy. Northwestern Mutual denied death benefits on the grounds that her husband had not been forthcoming regarding a prior heart-related condition when he completed the life insurance application years earlier. Northwestern Mutual maintained it would not have written the policy if it had been aware of the cardiac condition.

Larson sued CM Information Specialists (CMI) because it had been retained by Northwestern Mutual to gather all relevant medical records related to Larson’s husband during the policy application process. Apparently, the records gathered by CMI were incomplete, as the cardiac-related medical records were not provided to Northwestern Mutual. Larson claimed that had CMI provided all of the requested records, Northwestern Mutual would have been made aware of the heart condition and therefore would not have been in a position to deny the death benefits at issue.

Larson sued CMI on the specific legal grounds that it had violated a Minnesota statute relating to the authorized production of a patient’s medical records. CMI argued that the Minnesota statute in question imposed liability only for the unauthorized disclosures of medical records and therefore did not provide a cause of action when an entity gathering medical records fails to disclose all of the records authorized for release.

Ultimately, the Court found in favor of CMI, holding that no unauthorized records had been disclosed. The Court held that liability under the specific Minnesota statute only arose when the disclosing entity actually discloses an unauthorized health record.

Although no liability for an incomplete disclosure was found in this case, it does not take a stretch of logic to apply this question to other situations. What if an employer does not provide all requested information or records in response to a reference request that is accompanied by a consent? What if an employer provides incomplete responses to a payroll information request from a lending institution? What if an employer does not provide all requested information in response to a subpoena in a collateral legal proceeding? Generally, employers are most concerned about providing more information than is authorized. Employers should be cautioned to consider that, in some instances, not providing complete information in response to requests may also create liability.

Thanks to a new state law enacted to protect minors from the modern follies of youth, minors in California can ring in the New Year by permanently deleting their regrettable online posts. This so-called “Online Eraser Law” – signed by Governor Jerry Brown on September 23, 2013 – will take effect on January 1, 2015.

The “Online Eraser Law” provides protections to minors, defined as California residents under age 18, including affording minors the right to “erase” content or information they post online. The new law imposes specific obligations on operators of Internet websites, online services, online applications, or mobile applications that are either directed to minors or that the operator actually knows are being used by a minor who is a registered user. Such operators specifically will be required to permit minors to remove, or request and obtain removal of, such content or information; provide notice to minors of their rights to do so; provide clear instructions to minors about how to exercise these rights; and notify minors that removal of such content or information does not ensure complete removal.

This “Online Eraser Law” is not likely to be a foolproof method of achieving the goal of protecting minors from themselves. While it provides a means to remove content or information they personally posted, it does not apply to content or information posted or shared by others.

This law also contains protections for minors from certain marketing practices, including protecting them from being targeted by marketing of an enumerated list of products and services, such as alcohol, tobacco, drugs, firearms, tattoos, and other things deemed inappropriate for minors.

Although the law is not targeted specifically to employers, its seemingly broad application may have a far-reaching impact. Employers therefore need to determine whether they fall within the scope of the law and, for those who do, must ensure policies and practices are in place to comply with its requirements and constraints. A thorough review of online privacy policies and procedures is recommended.

Just before the tricks and treats began, the FCC issued an order about another tricky practice—junk faxes. On October 30, 2014, the FCC confirmed that all fax ads must contain an opt-out provision and comply with the rules set out in the FCC’s 2006 Junk Fax Order. There is a six-month window for companies to come into compliance.

The rule requires that faxes sent to recipients that have provided “a prior express invitation or permission to the sender” must include an opt-out notice that:

  • Is clear and conspicuous and appears on the first page of the ad;
  • States that the recipient may request that the sender not send any more ads and that failure to comply with such a request within 30 days is unlawful; and
  • Contains a domestic contact telephone number and fax number for the recipient to transmit an opt-out request.

Faxes sent pursuant to an on-going business relationship must also meet these requirements. An opt-out will not satisfy the rule unless all three requirements are met.

The October 25, 2014 issue of the Economist, a U.K. business news periodical, contains a tongue-in-cheek guide to “skiving,” which apparently is the British word for shirking on the job. The piece highlights the challenge and opportunity created by new technology for employees who want to pretend to work, rather than work. It notes:

[I]nformation technology is both the slacker’s best friend and deadliest enemy. The PC is custom-made for the indolent: you can give every impression of being hard at work when in fact you are doing your shopping, booking a holiday or otherwise frolicking in the cyber-waves. And thanks to mobile technology you can now continue to frolic while putting face time in meetings. . . . But there is a dark side to IT: one estimate suggests that 27 [million] employees around the world have their internet use monitored. Dealing with this threat requires vigilance: do everything you can to hide your browsing history. It may also require something that does not come naturally to skivers: political activism. Make a huge fuss about how even the smallest concessions on the principles of absolute data privacy will create a slippery slope to a totalitarian society. Skiving is like liberty: it can flourish only if Big Brother is kept at bay.

– A Guide to skiving, The Economist, Oct. 25, 2014.

From the nation that gave us George Orwell, the point is well made. For many jobs, shirking is becoming more difficult. Good news for employers. Increasing productivity is probably the number two motivation for employee monitoring after protection of assets, data, and trade secrets. New privacy legislation at the state level in the U.S., however, means that employers need to be careful about how and what they monitor, and provide proper notice when required. Increasingly sophisticated employee monitoring may also mean dark days ahead for slackers, which perhaps takes out just a little of the human element of the workplace, even if it increases worker productivity overall.

Following up on our recent post on the subject, I had the opportunity to speak with Colin O’Keefe, Editorial Manager-LexBlog, on the FCC’s first foray into policing a cybersecurity incident. In the brief video interview, I explain what happened and what it could mean going forward. Special thanks to Colin, and LXBN TV, for the opportunity.


Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data subjects in the countries in which data processors or controllers do business, or where the data subject resides. These issues give rise to data transfer laws across geographic boundaries.

On October 28, the Federal Communications Commission (FCC) announced that it is joining fifty other countries and its fellow U.S. agency, the Federal Trade Commission (FTC), to launch the Global Privacy Enforcement Network (GPEN). The FCC’s and FTC’s decision to help form this group grew out of a 2007 Recommendation on Cross-Border Cooperation in Enforcement of Laws Protecting Privacy, adopted by the Organization for Economic Cooperation and Development (OECD).

This is a development employers, especially those with international human resources information systems (HRIS) that are stored in the cloud, should follow. We do not yet have a full understanding of how the GPEN will function. However, industry press believes that increased focus on international data protection by two of the U.S.’s largest data privacy and security regulators could portend tighter auditing of those functions at home.

The GPEN will include, but not be limited to, the following sovereign nations in addition to the U.S.: Australia, Canada, France, Germany, Israel, Ireland, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. FTC officials have said they hope to reduce the number of unfair and deceptive trade practices pertaining to privacy and cyber security.

Organizations in addition to FTC and FCC include the European Union, the Australian Information Commissioner, Office of the Privacy Commissioner of Canada, Dutch Data Protection Authority, Commission Nationale de l’Informatique et des Libertes of France, Federal Data Protection Authority of Germany, Federal Institution for Access to Information and Data Protection of Mexico, and the Office of the Privacy Commission of New Zealand.

Employers with HRIS or other cloud-based systems that process data abroad should assess risks related to data transfer rules both in the U.S. and in their other host countries. The FTC’s and FCC’s move in helping to form GPEN is just one of many “nods” from U.S. and foreign regulators that they are examining data at home and abroad.

On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information. This marks the FCC’s first data security case and the largest privacy action in the FCC’s history.

According to the FCC, TerraCom, Inc. and YourTel America, Inc. stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was collected in connection with eligibility verification for the Lifeline program, the government’s telephone subsidy program for low-income Americans. The companies allegedly breached the personal information of over 300,000 consumers through their lax security practices.

The privacy policies for the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” Nevertheless, the FCC asserts that from September 2012 through April 2013, the sensitive information they collected was apparently accessible via the Internet and readable by anyone. Importantly, the FCC took issue with the fact that even after learning of the security breach, the companies allegedly failed to notify all potentially affected consumers, thus depriving the consumers of any opportunity to protect their personal information from misuse.

The FCC alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act. Specifically, the carriers had an alleged duty to protect the information, and the companies’ failure to do so constitutes an unjust and unreasonable practice in violation of the Act, as their data security practices lacked “even the most basic and readily available technologies and security features…” Similarly, the FCC alleges that the companies’ deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify, constitute unjust and unreasonable practices as well.

Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said, “Consumers trust that when phone companies ask for their…personal information, these companies will not put that information on the Internet or otherwise expose it to the world….When carriers break that trust, the [FCC] will take action to ensure that they are held accountable…”

Effective management of an Ebola infection in your business can be dramatically enhanced by some careful planning. Whether you are addressing safety and health issues, questions about whether an employee should come to work (or employees who do not want to come to work because they believe an infected employee is already there), or privacy issues relating to persons who may have been infected with Ebola, having thought through some of the key legal requirements, principles and other considerations can help you make measured decisions more quickly. Our privacy group has been coordinating with other key practice groups at our Firm to develop resources and to gather and communicate insights that may be helpful to clients and others as they consider the steps they should take to be prepared for an Ebola infection in their workplace.

In addition to a high level summary of key issues, three of us sat down today to discuss some of the key considerations in this area, with an overriding theme of Ebola preparedness. You can access our conversation here. Of course, as noted during our discussion, your particular circumstances, industry, location and so on will shape the course of action that is best for you and in line with your risk tolerances. In addition, as we receive more information about Ebola from public health agencies and guidance from other federal and state agencies, the steps you planned to take may need to be modified.

We hope you enjoy our discussion.


An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, 2014 U.S. Dist. LEXIS 137347 (S. D. Ohio Sept. 29, 2014).

The employer alleged that the employee emailed himself certain Microsoft Excel, Microsoft Word and PDF files containing the employer’s confidential, proprietary, or trade secret information and convinced a co-worker to send him a proprietary pricing tool that he could not access. The employer claimed that this employee and his competing business violated, among other things, subsection (a)(2)(C) of the CFAA, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]… information from any protected computer.”

Judge James Graham recognized that courts across the country have struggled with whether a valid CFAA claim exists where an employee accesses his employer’s computer to misappropriate confidential information. Judge Graham noted a split in opinion on the issue, with some courts construing “without authorization” and “exceeding authorized access” broadly and others interpreting these words narrowly, holding that once an employee is granted access to the employer’s computer system, he does not violate the CFAA regardless of how he subsequently uses the information. The court determined the narrow interpretation was more appropriate in light of the CFAA’s definition of “exceeds authorized access.”

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). The court cited LVRC Holding L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009), with approval and found that an employee authorized to access the employer’s computer systems does not exceed such authorization, as defined under the CFAA, unless he accesses information on the computer to which he is not permitted.

Based on its narrow interpretation of the statute, the court found the employer failed to state a claim under the CFAA because the employee had authorization to access the confidential and proprietary documents that he later emailed to himself, even if he used the documents for an improper purpose. Additionally, because the employee did not access the proprietary pricing tool himself (he persuaded a colleague who had access to the tool to send it to him), he did not “exceed his authorization.”

The lesson for employers is to restrict access to confidential and proprietary information on their systems to employees with a business need for the information. Employers also should make sure that appropriate security measures are in place to prevent employees from sharing this confidential and proprietary information with co-workers without prior approval.