June 2012

By Mali Friedman and Simon Frankel

With all eyes on the Affordable Care Act today, the United States Supreme Court also quietly dismissed a case that could have had a profound impact on a wide range of citizens’ rights litigation—First American Financial Corp. v. Edwards.  Stating only that the writ of certiorari had

By Anna Kraus

The Department of Health and Human Services (HHS) has posted on its website the protocol for the HIPAA audits required under the HITECH Act.  Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are in compliance with the HIPAA standards

Sen. Pat Toomey (R-PA) recently introduced a bill in the United States Senate that would establish a federal breach notification requirement for certain companies and preempt state breach notification laws that are currently in effect for 46 states.  The Data Security and Breach Notification Act of 2012, S.3333, would require companies that “collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.”  Toomey cited the “messy patchwork of 46 different state laws” that companies must account for in responding to a data breach, and asserted that, by preempting those laws, his bill would “establish a single reasonable standard for information security and breach notification practices.”

The bill applies to entities that are subject to the Federal Trade Commission’s jurisdiction under Section 5 of the FTC Act, and “common carriers subject to the Communications Act of 1934.”  S.3333 would not apply to financial institutions that are covered under Title V of the Gramm-Leach-Bliley Act or covered entities that are subject to breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Continue Reading Sen. Toomey’s Federal Breach Notification Bill Would Preempt More Restrictive State Laws

By Anna Kraus

The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule.  This is HHS’s first HIPAA enforcement action against a State agency, and HHS stated in the press release that it “expect[s] organizations to comply with their obligations under [the HIPAA rules] regardless of whether they are private or public entities.”

HHS’s Office for Civil Rights (OCR) began investigating Alaska Medicaid after receiving a breach report from the agency in October 2009.  The report indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a computer technician employed by the State.  HHS subsequently determined through its investigation that Alaska Medicaid had not complied with HIPAA Security Rule requirements to:

  • complete a risk analysis;
  • implement sufficient risk management measures;
  • complete security training for its workforce members;
  • implement device and media controls; and
  • address device and media encryption.

Continue Reading Alaska Medicaid Agrees to Pay $1.7 Million to Settle HIPAA Security Case

By Anna Kraus

The long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act has been delayed once again.  Although the rule was expected by July, the Office of Management and Budget (OMB) has updated its website to note that the review period for the rule has been extended.

OMB had received the rule from the Department of Health and Human Services (HHS) on March 24, 2012, and was expected to complete its review within 90 days, as required by Executive Order 12866.  According to the OMB website, however, the 90-day review period “may be extended indefinitely by the head of the rulemaking agency; alternatively, the OMB Director may extend the review period on a one-time basis for no more than 30 days.”  It is not known whether HHS or OMB extended the review period for the HIPAA/HITECH Rule.

Continue Reading OMB Extends Review of HIPAA/HITECH Rule

Recently, officials from the Office of the National Coordinator for Health Information Technology (ONC) in the Department of Health and Human Services stressed the need for data security in connection with providers’ use of mobile devices for health care delivery.  Approximately 81 percent of physicians use smart phones or mobile devices.  The need for data

The House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet recently held a hearing entitled “New Technologies and Innovations in the Mobile and Online Space, and the Implications for Public Policy.”  Much of the discussion focused on the relative merits of self-regulation versus the enactment of comprehensive federal privacy legislation.  (Separately, the Senate Commerce Committee has announced that it will hold a hearing on the adequacy of self-regulation in protecting consumer privacy on June 28.)

In his opening remarks, Rep. Melvin Watt (D-NC) discussed the need for “baseline progressive legislation that will provide certainty to both consumers and companies, and promote a healthy online economy.”  Rep. Watt appeared to support the White House framework of enacting comprehensive federal privacy legislation that would be complemented by industry codes of conduct.  Emphasizing the importance of legislation, Watt surmised that, “without a baseline set of principles with the force of law, privacy policies may be used by larger players in an anti-competitive manner to drive smaller players from the market.”

Continue Reading House Hearing Discusses Merits of Comprehensive Federal Privacy Legislation, Self-Regulation

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers. 

By Shel Abramson

The United States District Court for the Northern District of California recently dismissed with prejudice most claims asserted by consumer plaintiffs in In re iPhone Application Litigation, including causes of action under the Stored Communications Act (“SCA”), the Wiretap Act, and other federal and state laws.  Plaintiffs asserted that Apple and a group of “Mobile Industry Defendants,” including Google, violated federal and state laws by allowing third party applications for “iDevices”—the iPhone, iPad, and iPod Touch—to collect and use plaintiffs’ personal information without consent.  This personal information included geolocation information, the iPhone’s unique device identifier (UDID), and other consumer information, such as age or gender.  Two separate putative classes of plaintiffs brought claims against Apple—an iDevices Class and a Geolocation Class.  With respect to defendant Apple, Judge Lucy H. Koh dismissed all of plaintiffs’ claims with prejudice, except for two California state law claims.  All claims against the Mobile Industry defendants were dismissed with prejudice.

In rejecting the SCA and Wiretap claims, Judge Koh provided a thorough analysis of why plaintiffs’ theories did not comport with these complex and specific statutes.  If followed by other courts, this precedent could have a far-reaching effect in limiting plaintiffs’ ability to use these federal statutes to pursue alleged harms arising out of online data collection and use.  We examine Judge Koh’s discussion in some detail after the jump.

Continue Reading Key Holdings in the In re iPhone Application Dismissal Order

By Brian Ryoo

On May 30, National Labor Relations Board (“NLRB”) Acting General Counsel Lafe E. Solomon issued his third report on employer social media issues, focusing on “overbroad” employer social media policies.  The report expresses concern about “ambiguous [policies] that contain no limiting language or context” and give employees insufficient notice of their protected rights under the National Labor Relations Act (“NLRA”).  The report describes several recent cases in which the agency found employer social media policies to be unlawful, and it appends an example of a social media policy that is lawful from the NLRB perspective. 

Section 7 of the NLRA protects certain employee rights, such as the right to self-organization, to form, join, or assist labor organizations, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.  This protection applies to employees at almost all private employers, whether those employees are wage earners or non-supervisory salaried staff.  NLRB case law interprets the Act to prohibit any work rule that “would reasonably tend to chill employees in the exercise of their Section 7 rights,” a prohibition that the Board has found to be implicated by overbroad employer social media policies.

Solomon’s report indicates that NLRB enforcement activity has focused on circumstances in which employers had issued a blanket ban on a broad spectrum of social media activities without including limiting language or clarifying that the rules do not restrict rights protected under Section 7.  Rules that the NLRB will consider lawful “clarify and restrict their scope by including examples of clearly illegal or unprotected conduct, such that they would not reasonably be construed to cover protected activity.”

Continue Reading NLRB Issues Updated Report on “Overbroad” Social Media Policies