February 2011

In this third post on the forthcoming HIPAA/HITECH regulations, we will discuss potential modifications to the rules regarding authorization for future research.  In earlier posts, we covered the Department of Health and Human Services’ (HHS) proposed treatment of communications about currently prescribed drugs and remunerated treatment communications.

Future Research

In the proposed rule issued last July, HHS stated that it is “considering whether to modify its interpretation that an authorization for the use or disclosure of protected health information for research be research-study specific.”  The agency was prompted to revisit this issue after hearing concerns from covered entities and researchers about how the current interpretation encumbers secondary research, results in individuals being re-contacted to sign multiple authorization forms at different points in the future, and is inconsistent with the Common Rule.


Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 3 of 5)

This is the second in our series on provisions of the HHS proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  HHS has indicated that the final rule will be issued in March.

Today, we will look at the new requirements contained in the HHS proposed rule issued last July for what HHS is calling “remunerated treatment communications.” 

Remunerated Treatment Communications

The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.  As we previously reported, the HITECH Act contains one limited exception for communications about currently-prescribed drugs.


Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 2 of 5)

We have previously reported on the Federal Trade Commission’s December 2010 preliminary staff report, “Protecting Consumer Privacy In An Era of Rapid Change.”  With the February 18, 2011 extended deadline to comment on the report quickly approaching, the Berkeley Center for Law & Technology held a roundtable on Browser Privacy Mechanisms last week. 

Participants included spokespersons from the FTC, privacy groups such as the Center for Democracy & Technology and Electronic Frontier Foundation, representatives from Microsoft, Google, and Mozilla, and leading academics and technologists.

FTC Commissioner Julie Brill noted that although most of the buzz around the preliminary staff report has focused on Do Not Track, the report has three principal components—Privacy By Design, Choice, and Transparency.  She commented that although industry has been slow to deal with these issues in the past, the response this time appears to be much stronger and more focused.  As of the roundtable, the FTC already had received more than 200 comments and expects the Commission’s server to be tested by the volume of comments anticipated on the deadline.

Brill also outlined the five components by which FTC will judge a choice mechanism offered to consumers (whether through a self-regulatory mechanism or congressional action).


Continue Reading Roundtable, Commissioner Brill Discuss Preliminary FTC Staff Report

We covered in a previous post ongoing litigation in the D.C. Circuit between the American Bar Association and Federal Trade Commission over the scope of the FTC’s Red Flags rule.  On January 20, 2011, the FTC filed a supplemental brief analyzing the impact of the recently-enacted Red Flag Program Clarification Act of 2010 on the

As we previously reported, the Office for Civil Rights within the Department of Health and Human Services (HHS) has indicated that the final rule implementing changes to the HIPAA regulations under the HITECH Act will be issued in March.  The proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA.  In this and four subsequent blog posts, we will explore aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information.  These changes, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)

Communications About Currently Prescribed Drugs

The first topic we will address is HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.


Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 1 of 5)

The Federal Trade Commission recently posted a frequently asked question designed to remind health care providers and health plans of their obligations when they become aware of medical identity theft.  The FAQ describes medical identity theft as occurring “when someone uses another person’s name or insurance information to get medical treatment, prescription drugs or surgery.  It

Ringleader Digital — an online advertising firm specializing in the mobile market — has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users’ online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys’ fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of “Flash cookies” to track users’ browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        


Continue Reading Ringleader Agrees to Settle Privacy Suits

In a decision with implications for all California retailers, the California Supreme Court ruled [PDF] yesterday that a customer may not be asked to provide his or her ZIP code during an in-person credit card transaction.  At issue in Pineda v. Williams-Sonoma Stores, Inc. was the scope of California’s Song-Beverly Credit Card Act of 1971, Cal.

The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU.  Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit”