Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.

The Minnesota AG’s allegation that Accretive violated HIPAA stems from an incident in July 2011, when the laptop of an Accretive employee was stolen out of the back of his rental car in Minneapolis.  According to the complaint, the laptop contained PHI of approximately 24,000 patients, including each patient’s name, address, phone number, social security number, and whether the patient had any of 22 listed conditions (including HIV, bipolar disorder, schizophrenia, depression, high blood pressure, seizure disorder, etc.).  The complaint alleges that the laptop was password protected, but the data were not encrypted.  The complaint further claims that Accretive notified approximately 17,000 patients from the two hospitals about the incident, but a computer expert from one of the hospitals later discovered the PHI of an additional 7,000 patients, whom Accretive had not notified of the breach.

The Minnesota AG alleges that the company breached its obligations under HIPAA to use appropriate safeguards to prevent the misuse or disclosure of PHI, to adequately train its employees, to use appropriate administrative, technical, and physical safeguards to protect PHI, and to adequately identify and respond when PHI was compromised.  In all, the complaint lists eight separate violations of HIPAA.  The complaint also alleges various violations of state law, alleging that Accretive violated the Minnesota Health Records Act, the Minnesota Prevention of Consumer Fraud Act and Uniform Deceptive Trade Practices Act, and Minnesota Debt Collection Law.   

The complaint seeks a preliminary and permanent injunction preventing Accretive from violating federal and state privacy laws, statutory damages, costs of the action, and attorneys’ fees.  Furthermore, the complaint seeks an order requiring Accretive to disclose to patients the data it has about them and where and how such data is stored.

Business Associates Beware

The HITECH Act, enacted in 2009, expanded the authority to bring a civil HIPAA action to state Attorneys General, where previously only the federal government could bring such a claim, and expanded civil liability to business associates.  So far, the AGs of Vermont and Connecticut have brought civil HIPAA claims against covered entities in their States.  However, this action by the Minnesota AG marks the first time that an enforcement action has been brought against a business associate.  HHS has yet to bring a HIPAA action against a business associate, and is still in the process of promulgating final HITECH regulations (expected in March).  Thus, the Minnesota AG’s action should put all companies that may potentially qualify as “business associates” under HIPAA on notice that it is vitally important that they ensure their companies’ operations are in compliance with HIPAA requirements. 

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process -- shepherded by Senate Majority Leader Reid and Minority Leader McConnell -- with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.

Other provisions of the bill address government cybersecurity, future needs, and the international dimensions of cybersecurity:

• The bill would consolidate existing DHS cyber offices into a new National Center for Cybersecurity and Communications (“NCCC”), to be headed by a Senate-confirmed presidential appointee.  The NCCC would have responsibility for, among other things, coordinating federal cybersecurity efforts, conducting risk assessments of covered critical infrastructure, and developing national incident response plans.
• With respect to the government’s own security posture and preparedness, the bill would substantially revise the Federal Information Security Management Act of 2002 (FISMA) and move toward continuous monitoring and risk assessment of federal systems.
• To ensure future cybersecurity needs can be met, the bill mandates education and awareness campaigns, establishes a federal Cyber Scholarship-for-Service program, amends hiring authority for federal cybersecurity employees, and requires development of a national cybersecurity research and development plan.
• The bill focuses on the international dimensions of cybersecurity, directing the Secretary of State to designate a senior level State Department official to coordinate U.S. diplomatic engagement on international cyber issues, provide strategic direction and coordination for U.S. policy on international cyber issues, and coordinate with relevant Federal agencies to develop interagency plans regarding international cybersecurity.

Witnesses at yesterday’s hearing included co-sponsor Senator Rockefeller, who pledged to introduce an amendment to the bill on the floor to require businesses to disclose material information relating to information security risks and events in filings with the Securities and Exchange Commission (a proposal that had been kept out of the bill in the face of opposition from industry); and co-sponsor Senator Feinstein, who pressed for the inclusion of federal data breach notification requirements in the bill.

In time allotted for questioning, Senator John McCain (R-AZ) expressed concerns over the bill, echoing a letter that he and six other Republican Ranking Members of Committees sent earlier this week to Majority Leader Harry Reid (D-NV) and Minority Leader Mitch McConnell (R-KY).  Senator McCain criticized the bill’s co-sponsors and Senate leadership for a lack of consultation with the other ranking members and committees -- a criticism that Senator Lieberman refuted.  Senator McCain announced that after the Presidents’ Day holiday he and the letters’ other signatories intend to introduce their own cybersecurity bill focusing on a cooperative approach to information sharing with the private sector.

The second panel of the hearing featured Secretary of Homeland Security Janet Napolitano, who was the only witness from the executive branch.  The third panel included testimony from former Secretary of Homeland Security Thomas Ridge (now the Chairman of the National Security Task Force for the U.S. Chamber of Commerce); Stewart A. Baker, former Assistant Secretary of Homeland Security; Dr. James A. Lewis of the Center for Strategic and International Studies; and Scott Charney, the Corporate Vice President for Trustworthy Computing at Microsoft.

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

• App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
• Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
• App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

In June 2011, the Council, through a Mobile Working Group, released guidance analyzing mobile payment applications and validating such applications within the Payment Application Data Security Standard (PA-DSS).  The working group will next turn its attention to releasing best practice guidance for mobile payments.  As we recently covered in a previous post, the FTC also recently announced it would host a workshop on April 26, 2012, to discuss mobile payments.      

Under the new rules, companies will need to obtain prior express written consent from consumers before making prerecorded or autodialed telemarketing calls to consumers.  The FCC’s rule changes also eliminate the “established business relationship” exemption in its existing rule, which allows these calls to residential “landline” phones without consent.  The new restrictions will require written consent even for companies that have done business with the call recipient in the past. 

One area of dispute over the new rules related to whether the “written” consent requirement could be satisfied electronically and what steps were necessary to make the consent effective.  Consistent with the FTC’s approach, the FCC concluded that “written” consent can be provided electronically, such as through a website form.  However it is provided, though, the FCC requires “clear and conspicuous disclosure” about what the consumer is consenting to and an “unambiguous” agreement to receive calls at a phone number designated in the consent document.  Like the FTC, the FCC also warned that consents would not be effective if the consent is a condition of purchasing goods or services.

An additional change to maintain consistency with the FTC’s rule is a requirement that telemarketing calls that use a prerecorded voice include an interactive “opt-out” mechanism, which would allow the call recipient to opt out of future calls by pressing a button.  Finally, the FCC imposed new restrictions on so-called “call abandonment,” which occurs when there is no live telemarketer available to take an autodialed call.

Although the FCC’s rule changes have a broad impact on the telemarketing business, they do not impact non-telemarketing calls, even if they are made using an autodialer or include a prerecorded voice.  As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account, and exclude certain health care-related calls that are regulated under HIPAA, which already imposes a written consent requirement.

The new FCC rules will not be effective until they are approved by the Office of Management and Budget.  Once that happens, companies will have a year to obtain prior written consent to covered telemarketing calls and to stop covered calls to consumers with whom they have established business relationships.  The other rule changes have shorter timetables:  the interactive opt-out requirement will go into effect after 90 days, and the abandonment restrictions after 30 days.

A consumer reporting agency is a company that assembles or evaluates information relating to consumers for the purpose of furnishing “consumer reports” to third-parties.  Consumer reports include information that relates to an individual’s character, reputation or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes.  It follows that if a company provides criminal background information to employers about prospective or current employees, the company is a consumer reporting agency because the information pertains to the employees’ character, reputation, or personal characteristics.  The definitions in the FCRA are broad and may encompass many companies that are unaware their services fall within the scope of the statute.

The FTC’s letters do not take a position with respect to the marketers’ applications but encourage the marketers to review their applications and policies and procedures in light of the FCRA.

Google’s new privacy policy also faces scrutiny from regulators in the EU, where Google recently rejected a request by the Article 29 Working Party to “pause” the rollout of the policy, and in the U.S., where members of the House have sought additional information from the company on the meaning of the changes for consumers.  

The Association does not recommend a specific approach that U.S. courts should take when called upon to adjudicate a discovery dispute involving foreign data protection law; rather, the report suggests that current law provides the necessary guidance courts need to deal with the conflicts that may arise. The guidance is mostly contained in the Supreme Court’s 1987 Aerospatiale v. District Court of Iowa decision, where the Court advised that

American courts, in supervising pretrial proceedings, should exercise special vigilance to protect foreign litigants from the danger that unnecessary, or unduly burdensome, discovery may place them in a disadvantageous position. . . . In addition, we have long recognized the demands of comity in suits involving foreign states, either as parties or as sovereigns with a coordinate interest in the litigation. . . . . American courts should therefore take care to demonstrate due respect for any special problem confronted by the foreign litigant on account of its nationality or the location of its operations, and for any sovereign interest expressed by a foreign state.

The Aerospatiale decision identified the considerations set out in § 437(1)(c) Restatement of Foreign Relations Law as a suitable starting point for the comity analysis. Those considerations, include:

• The importance to the litigation of the information requested;
• the specificity of the request;
• whether the information originated in the United States;
• whether alternative means exist to obtain the information; and
• whether the interests of the United States outweigh the interests of the foreign jurisdictions in maintaining confidentiality.

(The report also notes that some courts have applied an additional factor to address the potential hardship that a producing party might suffer from compliance with the discovery requests.)

Despite the existence of this guidance, however, the Association found that few courts actually have limited the production pursuant to the discovery request under the Federal Rules. The Association’s new rule urges courts to give due regard to the Aerospatiale factors.

It of course remains to be seen whether courts will respond to the ABA’s call. But in any case, the Association has done much to bring awareness to this increasingly important issue.

California joins the ranks of several other states in which legislation that would restrict access to the audio of 911 calls has been introduced.  In 2010, Alabama enacted a law that generally exempts audio recordings of 911 calls from the state open records law.  While some like Norma Torres argue that privacy of calls is necessary to ensure that individuals facing emergencies will call for help promptly, journalists and some free speech advocates argue that access is important to ensure that public safety officials are held accountable for handling calls correctly.