September 23, 2014 is fast approaching! It is the date by which all Business Associate Agreements (BAAs) must be brought into compliance with the HIPAA Omnibus Final Rule. On January 17, 2013, HHS published the Omnibus Rule which made significant modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. Covered entities and business associates generally had until September 23, 2013 to comply with the changes made by the Omnibus Rule. This included bringing certain of their BAAs into compliance. Recognizing, however, that covered entities and business associates may have many BAAs, the Omnibus Rule included an alternative compliance date of September 23, 2014 to update BAAs where (1) there was a compliant BAA in place on January 25, 2013, and (2) the BAA was not modified between March 26, 2013 and September 23, 2013.
With the September 2014 deadline looming, covered entities and business associates are refocusing their attention on BAAs. Covered entities are trying to ensure that they have the appropriate agreements in place with their business associates. Likewise, business associates are making sure that they have proper agreements with their subcontractors.
August 28, 2014
It is a fact of modern commerce that consumers consider online reviews when deciding how to spend their dollars on everything from music, to local restaurants, to electronics. But what happens when a business wants to use those reviews to formulate advertising claims?
August 25, 2014
In an oral ruling from the bench, Judge Lorraine Preska of the Southern District of New York recently affirmed Magistrate Judge James Francis IV’s April 29, 2014 decision, Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation (S.D.N.Y. Jul. 31, 2014), and rejected Microsoft Corporation’s bid to quash a warrant for the search of an Irish user’s content-based information, which was stored in a Microsoft data center located in Ireland.
As you may remember from our previous posts, the Stored Communications Act, 18 USC §§ 2701 through 2711, represents, among other things, an attempt at balancing the privacy rights of individuals who expect that their electronic information will remain private against the government’s legitimate interest in gaining access to such information during criminal investigations.
August 13, 2014
Health care apps are everywhere. Electronic medical records and mobile devices have led to an explosion of new applications for health care providers and patients. The US Department of Health and Human Services has provided financial incentives to health care providers to adopt EMRs and to provide and share health data electronically. Since 2011, HHS has supported the widespread adoption of electronic health record (EHR) technology through its Medicare and Medicaid EHR Incentive Programs, which provide money to eligible practitioners and hospitals that can show that they are “meaningfully” using their EHR according to certain specified measures. New and innovative mobile applications can turn platforms into medical devices. While exciting, this raises obvious questions about data privacy and patient safety. As the use of more advanced technology becomes widespread in the health care industry, questions have arisen surrounding the level and type of regulation required to ensure patient safety.
August 4, 2014
If you have a union in your workplace, or if unions have tried to organize workers in your workplace, you know that unions need ways to communicate with your employees. Before the current digital age, unions relied primarily on communicating through informational picketing and leafleting, posters and mailings, and individual and group meetings to encourage unionization or to communicate with members and represented employees. Today, with the modern workplace and internet-connected workers, communications can be conducted far more quickly, efficiently, cheaply and often more effectively through electronic means, such as email. But historically, unions have not been permitted access to company email systems. The current rule is that “employees have no statutory right to use the[ir] Employer’s e-mail system” for non-work-related purposes. If unions and the current Presidential administration get their way, that all might change.
July 22, 2014
Breaking the Seal: Does Using Third Party eDiscovery Vendors Raise Privilege and Work Product Issues?
We’re not breaking news when we tell you that the exponential growth of electronic documents generated by clients has complicated the discovery process. Reducing this massive volume of information down to the relevant information needed to resolve a dispute requires the use of technology for collecting, filtering, processing, analyzing and producing electronically stored information. Attorneys now have to deal with metadata, servers, and social media in order to litigate the merits of cases. Ethics rules have been modified to require lawyers to understand the risks and benefits of technology. And preservation sanctions have alerted attorneys to the need to understand the difference between an email server and a locally-archived PST file. Attorneys should not try to lead double lives as data processors and litigators. Given the real need to properly handle these issues, consulting technology and litigation support providers is common and necessary. But does involving these third-party resources create a risk to the attorney client privilege or work product protections?
July 17, 2014
Twice previously this year, we posted about the potential consequences to cloud-based media from the legal dispute between streaming video service Aereo and the television broadcast industry. Last week, the Supreme Court, in a 6-3 opinion, resolved much of the uncertainty detailed in those earlier posts. While the Court ruled against Aereo – holding that its transmission of the broadcasters’ content amounted to a public performance and thus violated the networks’ copyright – the majority’s decision took pains to limit its decision to the facts at issue. Justice Breyer, delivering the opinion of the Court, noted that “we have not considered whether the public performance right is infringed when the user of a service pays primarily for something other than the transmission of copyrighted works, such as the remote storage of content.”
June 30, 2014
It should no longer be news that, for parties to most lawsuits, responding to discovery entails searching, reviewing, and producing electronically stored information. Also widely recognized is the fact that electronic discovery can be a costly, time-consuming burden. This burden is magnified for a nonparty subject to a request for ESI who likely won’t see any corresponding upside – that is, no need to use the documents produced to support a claim or defense of their own and no need to receive documents from others for the same purposes. Fortunately, therefore, there are some protections built into the Federal Rules that may minimize the burden to a nonparty on the receiving end of a subpoena. But given the relative scarcity of legal authority on the topic, the varying approaches at the state level, and specific facts of any particular case, nonparties facing discovery demands should try to negotiate a response plan that reduces legal risks and costs. A reasonable plan may even include cost shifting.
June 23, 2014
Over the past few years, both the Equal Employment Opportunity Commission and the Federal Trade Commission have been closely scrutinizing the time-honored practice of employee background checks. We’ve posted about background checks before – particularly the risky business of relying on online information brokers instead of, or in addition to, a bona fide credit reporting agency. But the EEOC and FTC recently took the very unusual step of jointly issuing two guides on employment background checks, so we thought it might be helpful to give our readers a refresher.
May 1, 2014
Recently the United States federal antitrust enforcement agencies — the Federal Trade Commission and the Justice Department’s Antitrust Division — issued a joint policy statement designed to “make it clear that they do not believe that antitrust is, or should be, a roadblock to legitimate cybersecurity information sharing.” The release made headlines globally, but the real story is that the risk of antitrust exposure for exchange of cyber risk information, even among direct competitors, was and remains almost non-existent.
That is because the U.S. antitrust laws (principally Section 1 of the Sherman Act) prohibit horizontal conspiracies and agreements among rivals, like price fixing, that harm competition. In some areas, information exchange can be competitively problematic, for instance where firms share non-public bidding or price data, or M&A transactions where the deal parties “gun jump” by acting as if they were already merged instead of continuing to compete independently. Yet as the policy statement confirmed, “cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans” and is thus “highly unlikely to lead to a reduction in competition.”
That’s hardly new. More than a decade ago DOJ said exactly the same thing in approving a proposal for cybersecurity information sharing in the electric industry, and Antitrust Division chief Bill Baer called the 2014 reaffirmation “an antitrust no-brainer.” But perceptions can have consequences, and some had voiced the fear that the exchange of IT security information among competitors could present a slippery slope, a forum for the kind of hard-core anticompetitive agreements the government loves to prosecute. At least that is what the White House, which called antitrust law “long a perceived barrier to effective cybersecurity,” reasoned in encouraging the FTC-DOJ clarification. So clearing away the underbrush of misinformation should help reassure business executives that companies which share technical cybersecurity information such as indicators, threat signatures and security practices, and avoid exchanging competitively sensitive information like business plans or prices, will simply not run afoul of the antitrust laws.
April 25, 2014