February 2013

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

Continue Reading HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

A bill reintroduced in the U.S. House of Representatives on Wednesday would prohibit employers and schools from requesting or demanding access to employees’ or students’ personal social-media accounts.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts. The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds.

Continue Reading Bill Would Set Federal Restrictions on Employer, School Access to Personal Online Accounts

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s PHI without authorization.

Definition of Sale of PHI. In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.” Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.” HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI. Furthermore, HHS included a broad interpretation of “remuneration.” In contrast to the marketing provision, where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule.

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (e.g., a research study) will not be considered a sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.” Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.

Continue Reading HITECH UPDATE #11: New Restrictions on “Sale” of Personal Health Information

The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has today published a CyberSecurity Strategy alongside a Commission proposed Directive on Network and Information Security (“NIS”).

While much of the Strategy and Directive is aimed at Member State governments (e.g., to improve capabilities and cooperation to prevent and respond to cyber-attacks), several proposals target private companies in the energy, transport, financial services and health sectors, as well as “enablers of key internet services” such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.

These companies would be required, under the Directive, to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”.

Further, they would have to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide, effectively extending current EU incident reporting requirements, which only apply to communication network and service providers, to a broad universe of private sector companies. To be clear, this incident reporting obligation is separate from and additional to the proposal for all companies to report breaches of personal data to national supervisory authorities under the Commission's 2012 proposal for a General Data Protection Regulation.

The Commission also intends to launch “a platform on NIS solutions” to develop “incentives for the adoption of secure ICT solutions” (considering technical norms, standards and possibly EU-wide certification schemes) to be applied to ICT products used in Europe, and to make recommendations to ensure cybersecurity across the ICT value chain. The Commission also will examine how major providers of ICT hardware and software could inform national competent authorities of detected vulnerabilities that could have significant security implications.

The EU institutions will now start to review the Strategy and proposed Directive. The process to adopt the Directive could take two years, at which point Member States will be required to implement the legislation into national laws, which could take another 18 months or more.

Continue Reading EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive

We are very pleased to announce that Jetty Tielemans, co-chair of Covington’s Global Privacy and Data Security practice group, has been appointed to the Executive Committee of the International Association of Privacy Professionals (the “IAPP”).  Other members of the six-person committee include IAPP president and CEO, Trevor Hughes, and the

Continue Reading Covington’s Tielemans to IAPP Executive Committee

On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.

In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction. Song-Beverly generally prohibits retailers from requesting or requiring, as a condition to accepting credit card payment, that the cardholder provide PII upon a credit card transaction form or otherwise. In Pineda v. Williams Sonoma Stores, decided in early 2011, the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff’s ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.

In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud. It then reasoned that online purchases are different from brick-and-mortar purchases:

“The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer’s photo identification. Thus, … the key antifraud mechanism in the statutory scheme . . . has no practical application to online transactions involving electronically downloadable products.”

Continue Reading CA Supreme Court Holds That Song-Beverly Does Not Apply To Online Purchases For Electronic Downloads

As a reminder, telecommunications carriers must submit their annual certifications regarding customer proprietary network information (CPNI) by March 1. CPNI is private customer information concerning telecommunications. Telecommunications carriers and providers of interconnected Voice over Internet Protocol (VoIP) must certify annually to the FCC that they comply with their obligations to protect and limit disclosure of CPNI.

Continue Reading CPNI Certifications Due on March 1

Path, a social networking mobile app, has agreed to enter into a settlement with the Federal Trade Commission (“FTC”) regarding charges that the company deceived consumers by collecting contact information from users’ mobile address books without notice and consent. The agreement also resolves charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from children under 13 years old without parental notice and consent. Path did not admit any liability by entering into the consent decree, which is for settlement purposes only.

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app. Users were given three options when using the “Add Friends” functionality: “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.” Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone. The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user. Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years.

Continue Reading FTC Settles Deception, COPPA Charges Against Social Networking App Path