<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Intersection</title>
	<atom:link href="http://www.informationintersection.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.informationintersection.com</link>
	<description>Troutman Sanders LLP</description>
	<lastBuildDate>Wed, 15 May 2013 19:41:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>The Stored Communications Act and Document Subpoenas to Cloud Computing Providers</title>
		<link>http://www.informationintersection.com/2013/04/the-stored-communications-act-and-document-subpoenas-to-cloud-computing-providers-2/</link>
		<comments>http://www.informationintersection.com/2013/04/the-stored-communications-act-and-document-subpoenas-to-cloud-computing-providers-2/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 17:36:54 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Electronic Discovery & Data Management]]></category>
		<category><![CDATA[Information Management]]></category>
		<category><![CDATA[Information Technology & E-commerce]]></category>
		<category><![CDATA[Privacy & Data Security]]></category>
		<category><![CDATA[Technology Outsourcing]]></category>
		<category><![CDATA[The Internet & Social Media]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[document production]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[stored communications act]]></category>
		<category><![CDATA[subpoenas]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1918</guid>
		<description><![CDATA[The continued adoption of cloud computing tools, like web-based email, cloud data storage, and hosted software services, means that important communications will often be maintained by third-party electronic service providers rather than the author of the communication.  During litigation, if a party suspects that the other side used a cloud-based service to communicate about the subject of the [...]]]></description>
			<content:encoded><![CDATA[<p>The continued adoption of cloud computing tools, like web-based email, cloud data storage, and hosted software services, means that important communications will often be maintained by third-party electronic service providers rather than the author of the communication.  During litigation, if a party suspects that the other side used a cloud-based service to communicate about the subject of the dispute, the party needs to figure out the best way to acquire the communication.  The answer may seem simple: the electronic service provider is a non-party in possession of relevant documents – so just serve a third party subpoena requesting the documents.  After all, the service provider might produce a stockpile of valuable communications, and the requesting party can avoid the headaches of fighting with the opposing side over issues of relevance, responsiveness, or privilege.  If the service provider resists, the requesting party can always invoke the power of the court to enforce the subpoena.</p>
<p>But not so fast – some may argue that the Stored Communications Act (“SCA”) puts all of those great cloud-stored communications beyond the reach of a non-party subpoena, and, even worse, serving such a subpoena could lead to some serious and expensive discovery disputes with the opposing side.<a href="http://www.informationintersection.com/wp-content/uploads/2013/04/Computer.jpg"><img class="wp-image-1978 aligncenter" src="http://www.informationintersection.com/wp-content/uploads/2013/04/Computer-300x225.jpg" alt="" width="404" height="283" /></a></p>
<p>The SCA, enacted in 1986 as Title II to the Electronic Communications Privacy Act, certainly impacts both voluntary and involuntary disclosure of electronic communications.  In a sense, the SCA establishes privacy rights for users who store their data remotely with electronic service providers in that it generally prohibits a service provider from disclosing its users’ electronic communications.  At its core, the SCA: (1) limits a service provider’s ability to voluntarily disclose the content of its users’ stored communications; and, (2) establishes situations where a service provider may be compelled by the government to disclose that content.  For the purposes of determining whether a service provider is in compliance with the SCA, disclosure under a civil subpoena is treated as voluntary disclosure sought by a private party rather than disclosure compelled by a governmental entity.  Notably, the SCA only restricts a provider from disclosing the &#8220;content&#8221; of users&#8217; communications; the Act imposes no restriction on the disclosure of non-content information.</p>
<p>Although communications sought might be protected by the SCA, the general prohibition on voluntary disclosure is subject to several exceptions.  For example, providers may voluntarily disclose the content of protected communications where disclosure is necessary for the rendition of services or to law enforcement if the provider has a good faith belief that an emergency situation requires disclosure.  Providers may also disclose the content of communications where the user of the service consents to the disclosure.  Despite the numerous exceptions to the prohibition on disclosure, the SCA contains no exception for disclosure in response to a civil discovery subpoena.  Accordingly, most courts interpreting the SCA have found that service providers are precluded from disclosing the content of covered communications in response to a civil subpoena, absent a clear statutory exception.  To be clear, the SCA does not merely absolve a service provider from responding to a request for covered communications; it actively prohibits disclosure and authorizes a civil action against the provider for unauthorized disclosure.  In some cases, a party who acquires protected communications through an improper subpoena could even be exposed to sanctions and liability in a civil suit.  <em>See Theofel v. Farey-Jones</em>, 359 F.3d 1066, 1077 (9th Cir. 2004).  Recognizing the strength of the protections under the SCA, courts in some cases have granted a party&#8217;s motion to quash subpoenas to non-party service providers.</p>
<p>But whether communications are even protected by the SCA is a tricky question in itself.  The first step to determining if communications are covered by the SCA is to determine what type of service provider maintains the communication.  The SCA makes a distinction between electronic communication service (“ECS”) providers and remote computing service (“RCS”) providers.  ECS providers are defined as providing users with “the ability to send or receive wire or electronic communications,” while RCS providers offer “computer storage or processing services by means of an electronic communications system.”  Courts have struggled with the distinction, and have recognized that a service provider may provide both RCS and ECS to a single customer, depending on the circumstances.  Several commentators have criticized the ECS/RCS distinction and have advocated for amended legislation, arguing that the distinction is outdated and that modern service providers do not fit neatly into one category or the other.  Regardless, for now courts and litigants are stuck with the distinction and must analyze the limitations on service providers accordingly.</p>
<p>Under the SCA, ECS providers are precluded from voluntarily disclosing communications that are “in electronic storage” with the provider.  The provision has been interpreted broadly, prohibiting disclosure of basically all communications stored with ECS providers.  On the other hand, RCS providers are precluded from disclosing communications “carried or maintained” by the provider, but only where the communication is maintained “solely for the purpose of providing storage or computer processing services,” and only where “the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.”  In other words, the SCA provides no protection for communications maintained by RCS providers where the communications are not maintained by the provider for the provision of storage or processing services or if the provider can access the communication for purposes other than for the provision of such services.</p>
<p>The limitations on communications maintained with RCS providers can be critical.  Many cloud-based computing services are offered free-of-charge, but only in exchange for allowing targeted marketing to the users of the services.  Indeed, many cloud-based service agreements allow the service provider to access its users&#8217; content in order to create user-specific advertising.  Under a strict reading of the RCS provisions, such access may constitute authorized access for “providing any services other than storage or computer processing.”  As such, the communications maintained with the RCS provider would not be protected by the SCA given that the targeted advertising constitutes an additional protection-destroying access.  The result highlights the importance of the ECS/RCS distinction.  Merely defining a provider as an RCS provider may place a user’s communications outside the scope of the SCA.</p>
<p>Despite the technicalities in the definitions under the SCA, the general rule remains that a service provider is prohibited from disclosing the contents of its users’ communications in response to a civil discovery subpoena.  Even so, requesting parties still have an avenue for acquiring the documents.  The SCA allows voluntary disclosure of communications where the user consents to disclosure.  Thus, a requesting party can serve a request for production of documents on the opposing side, requesting all relevant communications stored with a cloud-based service provider, and the party would be obligated to retrieve and produce the documents.  <em>See Flagg v. City of Detroit</em>, 252 F.R.D. 346 (E.D. Mich. 2008).  Parties responding to requests for documents (under Federal Rule of Civil Procedure 34 or its state law equivalents) are typically obligated to produce all documents in their possession, custody, or control.  In most jurisdictions, documents within a party’s custody or control are considered to be those documents to which the party has legal access.  Because a user typically has legal access to documents stored with a cloud-computing service, the documents are generally considered to be within the user’s custody or control.  So, while the SCA prohibits serving a subpoena directly on the cloud-based service provider, it does not prohibit serving a document request on the user of that service, and a user of the service will not be able to rely on the SCA’s protections in refusing to produce the requested documents.</p>
<p>When looking for that smoking-gun status update or email, it might be tempting to go straight to the provider that maintains an opponent’s data.  But the limitations imposed by the SCA should not be overlooked.  The opposing side might invoke the SCA’s protections and turn an otherwise simple document request into a murky and contentious discovery dispute.  A requesting party can likely avoid the trouble by serving a document request on the opposing party instead of going directly to the cloud-based service provider.  Ultimately, litigants should remember that a treasure trove of information may be stored in the cloud, and utilizing the right discovery mechanism can ensure that the information will be produced.</p>
<p>For more information, please contact <a title="Benjamin Cheesbro Profile" href="http://www.troutmansanders.com/benjamin_cheesbro/" target="_blank">Benjamin Cheesbro</a>, <a title="John Hutchins Profile" href="http://www.troutmansanders.com/john_hutchins/" target="_blank">John Hutchins</a>, or <a title="Alison Grounds Profile" href="http://www.troutmansanders.com/alison_grounds/" target="_blank">Alison Grounds</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/04/the-stored-communications-act-and-document-subpoenas-to-cloud-computing-providers-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schizophrenic On SocMedia</title>
		<link>http://www.informationintersection.com/2013/04/schizophrenic-on-socmedia/</link>
		<comments>http://www.informationintersection.com/2013/04/schizophrenic-on-socmedia/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 14:24:06 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Information Technology & E-commerce]]></category>
		<category><![CDATA[Privacy & Data Security]]></category>
		<category><![CDATA[The Internet & Social Media]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1945</guid>
		<description><![CDATA[The SEC and FTC have shown recently how the government acts at cross-purposes to itself when it comes to the oh-so-slow development of rules for new technologies and markets.]]></description>
			<content:encoded><![CDATA[<p>No, the title is not meant to imply a post about the privacy implications of <a href="http://mobihealthnews.com/21110/10-threads-from-congress-hearings-on-fda-regulation-of-medical-apps/" target="_blank">mobile medical apps</a> for psychotherapy. Instead, we&#8217;re taking a look at how the government acts at cross-purposes to itself when it comes to the oh-so-slow development of rules for new technologies and markets. The last few weeks have seen a couple of remarkable announcements, one from the FTC about digital advertising disclaimers and one from the SEC about corporate financial disclosures. Both were presented by the agencies as ways to <em>enable</em> use of social media by corporations — but instead just make things <em>much harder, if not totally impracticable.</em></p>
<p>Two weeks ago, the Federal Trade Commission <a title="FTC .Com Disclosures 2013 (pdf)" href="http://www.ftc.gov/os/2013/03/130312dotcomdisclosures.pdf" target="_blank">basically said &#8220;to heck&#8221; with form factor</a> and responsive Web design by concluding that disclaimers, caveats and related mandatory advertising disclosures cannot be put into a popup window and must be in the same &#8220;conspicuous&#8221; format — font size and all — regardless of the device or medium. <a href="http://www.ftc.gov/os/2013/03/130312dotcomdisclosures.pdf" target="_blank"><img style="margin-right: 10px;margin-left: 10px" src="http://www.ftc.gov/opa/2013/03/images/dot-com-cover.jpg" alt="FTC .Com Disclosures" width="150" height="161" align="left" /></a>The FDA had already cracked down on trailblazing pharma firms that tried Facebook advertisements on the same grounds. Both enforcement decisions demonstrate a complete lack of familiarity with new media and an inability to flexibly apply the principles of regulatory schemes to changing circumstances.</p>
<p>Even if, unlike advertiser contentions, potential &#8220;Do Not Track&#8221; mandates for Web browsing would not kill the Internet content industry, the FTC has <a title="FTC announcement" href="http://www.ftc.gov/opa/2013/03/dotcom.shtm" target="_blank">signaled</a> it is prepared unilaterally to dictate the size of social media ads in the guise of consumer protection. The old guidance allowed for &#8220;proximity&#8221; of disclosures — that is, disclosures that were &#8220;near, and when possible, on the same screen.&#8221; The new guidance places heightened emphasis on disclosures being clear and conspicuous to consumers across all platforms. The newly announced principle is that disclosures should be &#8220;as close as possible,&#8221; with short form disclosures such as hyperlinks or hashtags permitted only when their meaning is understood by consumers. Check out this remarkable assertion, for instance:</p>
<blockquote><p>If a disclosure is necessary to prevent an advertisement from being deceptive, unfair or otherwise violative of a Commission rule, and if it is not possible to make the disclosure clear and conspicuous, then either the claim should be modified so the disclosure is not necessary or the ad should not be disseminated. Moreover, if a particular platform does not provide an opportunity to make clear and conspicuous disclosures, it should not be used to disseminate advertisements that require such disclosures.</p></blockquote>
<p>A second and related <a title="SEC Press Release" href="http://www.sec.gov/news/press/2013/2013-51.htm" target="_blank">announcement</a> came on Tuesday from the Securities &amp; Exchange Commission. The SEC is the federal agency which pioneered use of Facebook and other social media services in the corporate realm by providing <a title="SEC 2008 interpretive release" href="http://www.sec.gov/rules/interp/2008/34-58288.pdf" target="_blank">2008 guidance</a> that release of corporate earnings and other &#8220;material&#8221; financial information can permissibly utilize social media. Yet now the same agency — after <a title="When World Views Collide: Social Media and the SEC" href="http://www.informationintersection.com/2012/12/when-world-views-collide-social-media-and-the-sec/">a fruitless investigation of Netflix CEO Reed Hastings</a> for an innocuous Facebook post — <a title="NY Times article" href="http://dealbook.nytimes.com/2013/04/02/s-e-c-clears-social-media-for-corporate-announcements/" target="_blank">says</a> that companies may treat social media as legitimate outlets for communication, much like corporate Web sites or the agency’s own public filing system called Edgar, but <em>first have to make clear which Twitter feeds or Facebook pages will serve as potential outlets for announcements.</em></p>
<p>It is difficult to reconcile these new regulatory positions with the objectives the agencies articulate. The SEC says it believes that &#8220;company disclosures should be more readily available to investors in a variety of locations and formats to facilitate investor access to that information,&#8221; but its actions only serve to make the choice of location and format more rigid, and with fines a potential consequence for those pursuing flexibility. Almost any lawyer counseling public company clients today will advise that financial information that in the future <em>could </em>be considered material by the SEC <em>must </em>be constrained to an official, designated Web page. So much for tweets, Facebook and other real-time forums; they&#8217;re just too risky — even though Hastings survived unscathed. The correct approach for the vast majority of the 13,000+ public companies in the U.S. is to steer clear of social media, at least for now, because the downside is simply too great.</p>
<p>Coming from a government that professes to want to encourage broader use of these new media, that&#8217;s classic bi-polarism, obviously not in a happy phase.</p>
<p>For more information, please contact <a title="Manishin bio" href="http://www.troutmansanders.com/glenn_manishin/">Glenn Manishin</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/04/schizophrenic-on-socmedia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sales Tax Collection May Soon Be Added to E-Retailers’ Cart</title>
		<link>http://www.informationintersection.com/2013/04/sales-tax-collection-may-soon-be-added-to-e-retailers-cart/</link>
		<comments>http://www.informationintersection.com/2013/04/sales-tax-collection-may-soon-be-added-to-e-retailers-cart/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 13:07:25 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Information Technology & E-commerce]]></category>
		<category><![CDATA[The Internet & Social Media]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1903</guid>
		<description><![CDATA[Before the United States Senate voted to adopt its first budget in four years on March 23, 2013, the resolution was saddled with hundreds of largely meaningless amendments in a session derisively known as the “vote-orama.”  One of the few such amendments with potential real-world implications concerned the ability of state governments to levy sales [...]]]></description>
			<content:encoded><![CDATA[<p>Before the United States Senate voted to adopt its first budget in four years on March 23, 2013, the resolution was saddled with hundreds of largely meaningless amendments in a session derisively known as the “<a href="http://www.nytimes.com/2013/03/23/us/politics/senate-democrats-offer-a-budget-then-the-amendments-fly.html?ref=politics&amp;_r=1&amp;" target="_blank">vote-orama</a>.”  One of the few such amendments with potential real-world implications concerned the ability of state governments to levy sales taxes on Internet purchases made by their residents.  The amendment’s bipartisan support and overwhelming passage signal that the full act &#8211; the Marketplace Fairness Act of 2013 &#8211; could soon become the law of the land, dramatically affecting how e-commerce is conducted and where consumer dollars are spent.</p>
<p><a href="http://www.informationintersection.com/wp-content/uploads/2013/04/MH900390552.jpg"><img class="alignleft size-medium wp-image-1924" src="http://www.informationintersection.com/wp-content/uploads/2013/04/MH900390552-300x220.jpg" alt="" width="300" height="220" /></a></p>
<p>In its <a href="http://www.marketplacefairness.org/bill-text/" target="_blank">current form</a>, the Act would give states the power to compel online retailers, regardless of location, to collect sales tax from their customers.  Currently, states can only collect sales tax from internet retailers with a physical presence in the state.  This requirement is a product of two Supreme Court decisions, <em>National Bellas Hess v. Illinois Department of Revenue</em> (1967) and <em>Quill v. North Dakota</em> (1992), even though the first of these two decisions obviously predates Internet commerce by more than two decades.  In <a href="http://supreme.justia.com/cases/federal/us/386/753/case.html" target="_blank"><em>National Bellas Hess</em></a>, which involved mail-order sales by an out-of-state company, the Court held that “the many variations in rates of tax, in allowable exemptions, and in administrative and record-keeping requirements could entangle [the company’s] interstate business in a virtual welter of complicated obligations to local jurisdictions.”  The opinion was bolstered twenty-five years later in <a href="http://www.law.cornell.edu/supct/html/91-0194.ZO.html" target="_blank"><em>Quill</em></a>, involving catalog sales, where the Court noted that “the underlying issue is not only one that Congress may be better qualified to resolve, but also one that Congress has the ultimate power to resolve.  No matter how we evaluate the burdens that use taxes impose on interstate commerce, Congress remains free to disagree with our conclusions.”  In the form of the Marketplace Fairness Act, Congress may soon take the Court up on its invitation.</p>
<p>The Act addresses the burdens on interstate commerce described in <em>National Bellas Hess</em> and <em>Quill</em> by making simplification of a state’s sales tax law a prerequisite to that state’s ability to collect sales tax from out-of-state retailers.  The proposed Act provides states with two options for simplifying their sales tax law.  First, the state can adopt the <a href="http://www.streamlinedsalestax.org/index.php?page=modules">Streamlined Sales and Use Tax Agreement</a> (“SSUTA”), which already has been adopted by 24 states to date.  Member states under SSUTA will have collection authority on the first day of the calendar quarter that is at least 90 days after the Act becomes law.</p>
<p>Option two requires states to implement the following simplification mandates, which are, in fact, the foundation of SSUTA:</p>
<ol>
<li>Provide retailers with at least 90 days’ notice of any rate changes within the state;</li>
<li>Designate a single state organization to handle sales tax registrations, filings, and audits;</li>
<li>Establish a uniform sales tax base for use throughout the state;</li>
<li>Use the destination of the sold goods to determine sales tax rates for out-of-state purchases; and,</li>
<li>Provide free software for managing sales tax compliance, and hold retailers harmless for errors that result from relying on state-provided systems and data.</li>
</ol>
<p>Given the potential revenue windfall for cash-strapped states that e-commerce sales tax represents – up to $11.4 billion according to a <a href="http://cber.bus.utk.edu/ecomm/ecom0409.pdf">University of Tennessee study</a> – it would be shocking not to see the Marketplace Fairness Act (or something like it) enacted soon.  Indeed, a spate of recent state laws on the issue have Amazon, the world’s largest Internet retailer by a large margin and the reason this is often called the “Amazon tax,” lobbying in favor of a nation-wide resolution like the Marketplace Fairness Act.  Through compulsion or agreement, Amazon is currently collecting sales tax in nine states, and is slated to add seven more in the next year.  The states that have passed laws requiring Internet retailers to collect sales taxes have been pushing the boundaries of what qualifies as “physical presence” within the state.  Least controversial are actual offices or warehouses, which courts have typically found constitute physical presence.  Some states, however, claim that simply having an affiliate program, in which third-party sellers can use sites like Amazon as a storefront, qualifies as physical presence.  Such an interpretation was recently <a href="http://www.reuters.com/article/2013/03/28/us-usa-tax-amazon-idUSBRE92R0SK20130328" target="_blank" class="broken_link">upheld</a> by New York&#8217;s highest court after having been rejected in Illinois, potentially setting the stage for the U.S. Supreme Court to revisit <em>Quill</em>.  And the broadest definition of &#8220;physical presence&#8221; currently belongs to Georgia, which has insisted that a retailer has a physical presence in the state when it places ads on Georgia-based websites.  (Perhaps unsurprisingly, Amazon has <a href="http://www.ajc.com/news/news/georgia-amazon-face-off-over-sales-tax/nWJzW/">refused</a> to collect sales tax from Georgia customers and Overstock.com simply severed its ties with Georgia website owners.)</p>
<p>A final reason to suspect that a law like the Marketplace Fairness Act is on the way is the fact that no <span style="text-decoration: underline">new</span> tax is being proposed.  Sales taxes that would be covered by the Act are already, technically, owed.  It&#8217;s just that the burden is currently on each individual shopper to self-report and pay the tax.  As one would expect, however, compliance is rare.  Supporters of the Marketplace Fairness Act argue that while it may have made sense to place the burden on consumers in the past, technology has made it as simple to calculate sales tax in the buyer’s location as it is to calculate shipping rates, a routine practice in online commerce, making collection by the Internet retailer as easy as it is for brick and mortar stores.</p>
<p>Given the incentives that states have to find additional, reliable sources of revenue, and the support that the Internet&#8217;s most successful retailer is throwing behind a single, nationwide solution, it would appear that the so-called &#8220;tax free&#8221; days of Internet shopping are numbered.</p>
<p>For more information, please contact <a href="http://www.troutmansanders.com/jacob_rogers/" target="_blank">Jacob Rogers</a> or <a href="http://www.troutmansanders.com/john_hutchins/" target="_blank">John Hutchins</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/04/sales-tax-collection-may-soon-be-added-to-e-retailers-cart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massachusetts Follows California on Collection of Customer ZIP Codes</title>
		<link>http://www.informationintersection.com/2013/03/massachusetts-follows-california-on-collection-of-customer-zip-codes/</link>
		<comments>http://www.informationintersection.com/2013/03/massachusetts-follows-california-on-collection-of-customer-zip-codes/#comments</comments>
		<pubDate>Thu, 21 Mar 2013 14:15:37 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1882</guid>
		<description><![CDATA[Retailers should be aware that California is not the only state where asking credit card shoppers for their ZIP Code at checkout could lead to a very costly class action suit. Last week, the Massachusetts Supreme Judicial Court ruled in favor of a consumer who alleged that Michaels Stores violated a Massachusetts privacy law prohibiting merchants from [...]]]></description>
			<content:encoded><![CDATA[<p>Retailers should be aware that California is not the only state where asking credit card shoppers for their ZIP Code at checkout could lead to a very costly class action suit. Last week, the <a href="http://www.universalhub.com/2013/melissa-tyler-vs-michaels-stores-inc" target="_blank">Massachusetts Supreme Judicial Court ruled in favor of a consumer </a>who alleged that Michaels Stores violated a Massachusetts privacy law prohibiting merchants from recording personal identification information on a credit card transaction form.</p>
<p><a href="http://www.informationintersection.com/wp-content/uploads/2013/03/MP9004055882.jpg"><img src="http://www.informationintersection.com/wp-content/uploads/2013/03/MP9004055882-200x300.jpg" alt="" width="200" height="300" /></a></p>
<p>The case, <em>Tyler v. Michaels Stores, Inc.</em> was filed in federal court in May 2011 as a proposed class action. In January 2012, the district court dismissed the complaint, finding that the plaintiff had not alleged any cognizable injury because all she had alleged was that Michaels had used her ZIP code to locate her full address to send her marketing material. The court found that the intent of the Massachusetts statute was solely to police identity fraud and not to prevent unwanted marketing. The district court determined that ZIP Codes, without the rest of a person’s street address, were personal identification information, and saw a violation of the statute. Without the allegation, however, that Michaels’ actions had caused her to suffer identity theft, the court did not see any actionable harm under the Massachusetts statute.</p>
<p>The federal district court itself realized that it was not the ideal authority to make a conclusive pronouncement on what is a question of state law. As a result, the district court certified three questions to the Massachusetts Supreme Judicial Court about how the statute, Mass. Gen. Laws ch. 93 § 105(a), should be interpreted: (1) Whether ZIP codes are personal identification information; (2) whether a plaintiff may bring an action based on this privacy right absent identity fraud; and (3) whether the words “credit card transaction form” refer equally to an electronic or a paper transaction form. The Supreme Judicial Court answered all three questions in the affirmative, breathing new life into Ms. Tyler’s lawsuit, and more importantly, creating the possibility of a flood of consumer class action lawsuits against retailers in Massachusetts. Relying on the plain text of the statute and its legislative history, the Supreme Judicial Court diverged from the federal court’s analysis and found that the statute was not simply intended to prevent identity fraud, but also to prevent the disclosure of personal information leading to the identification of a particular consumer generally. Accordingly, a plaintiff does not have to allege that they were the victim of identity fraud to bring an action under Massachusetts law.</p>
<p>The Supreme Judicial Court identified two particular types of injury that might be caused by a violation of the statute: (1) “the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s personal identification information” (what Tyler alleged); and (2) “the merchant’s sale of a customer’s personal identification information or the data obtained from that information to a third party.” One potential saving grace for retailers is that those who did not actually use the ZIP code to send marketing material or who did not sell the consumer’s information to a third party may not face an action under the statute. This is distinguishable from the equivalent California statute, under which merely asking the ZIP code question can mean an actionable violation.</p>
<p>Before <em>Tyler</em>, most of the attention to the ZIP code issue was focused on California, the state with the broadest statute among those with laws addressing the collection of personal identification in connection with credit card transactions. The ruling in <em>Tyler</em> comes two years after the Supreme Court of California, in <em><a href="http://www.informationintersection.com/2012/05/collecting-shoppers-zip-codes-still-questions-about-the-question/" target="_blank">Pineda v. Williams-Sonoma</a></em>, found that the retailer violated California’s Song-Beverly Act by requesting and recording a ZIP code from a consumer who paid for her purchase by credit card.  <em>Pineda</em> also declared that ZIP codes were “personal identification information” as “components” of the consumer’s full address. That case, which reversed an appellate court’s previous ruling, <a href="http://www.informationintersection.com/2012/05/collecting-shoppers-zip-codes-still-questions-about-the-question/" target="_blank">quickly led to hundreds of class action lawsuits</a> in California against retailers who had requested ZIP codes. In fact, the plaintiff in <em>Tyler</em> explicitly relied on <em>Pineda</em> when filing her case, so <em>Tyler</em> was rightly viewed as a test of whether similar litigation would follow elsewhere. While the ZIP code issue is clearly no longer just a California issue after <em>Tyler</em>, the case should also serve as a reminder that businesses should take nothing for granted when it comes to a state court interpreting a state’s consumer privacy laws.</p>
<p>For more information, please contact <a href="http://www.troutmansanders.com/eric_unis/" target="_blank">Eric Unis</a> or <a href="http://www.troutmansanders.com/john_hutchins/" target="_blank">John Hutchins</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/03/massachusetts-follows-california-on-collection-of-customer-zip-codes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Privacy Disclosures: The FTC&#8217;s Best Practice Recommendations</title>
		<link>http://www.informationintersection.com/2013/03/mobile-privacy-disclosures-the-ftcs-best-practice-recommendations/</link>
		<comments>http://www.informationintersection.com/2013/03/mobile-privacy-disclosures-the-ftcs-best-practice-recommendations/#comments</comments>
		<pubDate>Thu, 07 Mar 2013 15:59:20 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1855</guid>
		<description><![CDATA[Last year, we discussed the Federal Trade Commission’s (FTC) efforts to bolster privacy protection through its rule-making and enforcement powers for children who use mobile devices.  As we wait to see how participants in the children’s app market respond to the FTC’s various proposals, the FTC continues to study and evaluate privacy protection for those [...]]]></description>
			<content:encoded><![CDATA[<p>Last year, we <a href="http://www.informationintersection.com/2012/12/not-childs-play-regulation-of-mobile-apps-for-children/">discussed</a> the Federal Trade Commission’s (FTC) efforts to bolster privacy protection through its rule-making and enforcement powers for children who use mobile devices.  As we wait to see how participants in the children’s app market respond to the FTC’s various proposals, the FTC continues to study and evaluate privacy protection for those of us who are thirteen and older.</p>
<p>Recently, the FTC issued a staff report that offers numerous “best practice recommendations” for increasing consumer privacy in the mobile application industry.  The Report, entitled “<a href="http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf">Mobile Privacy Disclosures: Building Trust Through Transparency</a>,” is a culmination of FTC research and input from various mobile app industry participants.  A brief review of these recommendations as they relate to specific members of the mobile app ecosystem is as follows:</p>
<p><span style="text-decoration: underline">Platforms</span>:</p>
<p>The FTC suggests that platforms, such as Apple, Google, and BlackBerry, are “gatekeepers” to the app marketplace and thus have the greatest ability to take the lead in improving mobile privacy disclosure.  The FTC recommends that platforms develop or use one or more of the following methods to enhance mobile-device privacy.</p>
<p>1. Just-in-time disclosures</p>
<p>Platforms have already developed a uniform application programming interface (API) through which apps can access standard categories of content on a mobile device.  Because the API lets a platform know when an app is accessing potentially sensitive information, the platform is in a unique position to provide consistent disclosure across applications.  One proposed disclosure is a “just-in-time disclosure,” which would provide a privacy disclosure to consumers that requires affirmative express consent before an app is allowed to access sensitive content through an API.  For instance, any time that an app seeks access to geographical location, photos, contacts, calendar entries, or recordings of audio or video content, a just-in-time disclosure would be required.  To be effective, any disclosure would need to be understandable to an ordinary person, and also clear about the nature of the information that is being provided to the app.</p>
<p>2. Dashboards</p>
<p>The “dashboard” approach, already used by several platforms, allows consumers to revisit and change choices they initially made about an app’s access to their private information.  For example, one dashboard approach would allow users to review all privacy settings related to important categories of data like geolocation, contacts, calendar, and photos.  Another dashboard approach allows users to make privacy choices on an app-by-app basis.</p>
<p>3. Icons</p>
<p>Platforms should also consider the use of icons to alert users when an app is accessing private information.  Some existing platforms already display a small icon at the top of the mobile device screen whenever an app is accessing important information.  For example, on Apple iPhones, a small arrow appears at the top of the screen when geolocation services are being used.  Because these icons are often small, the FTC suggests that platforms conduct consumer tests to evaluate these alerts’ effectiveness.  The FTC also recommends that platforms consider what types of information, beyond geolocation, should be included in a “dashboard”-type disclosure system.</p>
<p>4. Contracts</p>
<p>Although platforms have the ability to determine what information an app is collecting through APIs, a platform has little way to know how the information being collected will be used.  To that end, the FTC recommends that platforms add provisions to their contracts with app developers requiring them to provide just-in-time disclosures and obtain affirmative express consent before collecting or sharing sensitive information, and reasonably enforce these provisions.  Further, platforms are encouraged to educate app developers on privacy and make available to them important information about consumer privacy considerations as they craft their apps.</p>
<p>5. Do Not Track</p>
<p>The FTC also recommends creation of a “Do Not Track” (“DNT”) mechanism that would allow consumers to prevent transmission of information to third parties as consumers are using apps on their mobile devices.  In developing this mechanism, the FTC recommends that a DNT system be universal, easy to find and use, persistent, effective and enforceable, and limit collection of data, not just its use to serve advertisements.</p>
<p><span style="text-decoration: underline">App Developers</span>:</p>
<p>First, the FTC recommends that app developers create a privacy policy and make it available through the platforms’ app store.  Second, app developers should provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platforms’ API, such as financial, health, or children’s data, or sharing sensitive data with third parties.  Third, app developers are encouraged to improve coordination with advertising networks and other third parties that provide services for apps, so that the apps can provide truthful disclosures to consumers.  Oftentimes, app developers integrate third-party code to facilitate advertising or analytics without a full understanding of how the third party is collecting information and how it is being used.  Greater collaboration with advertising networks and analytics providers can ensure that app disclosures are accurate and effective.  Finally, app developers are encouraged to participate in self-regulatory programs, trade associations, and industry organizations that can provide industry-wide guidance on how to make uniform, short-form privacy disclosures.</p>
<p><span style="text-decoration: underline">Advertising Networks and Other Third Parties:</span></p>
<p>Advertising networks and other third parties that provide services for apps are encouraged to improve coordination and communication with app developers so that the app developers can in turn make truthful and complete disclosures to consumers.  If and when an effective Do Not Track system is created, advertising networks are encouraged to work with platforms to ensure that implementation is effective.</p>
<p><span style="text-decoration: underline">App Trade Associations:</span></p>
<p>The FTC recommends that App Trade Associations work together to improve privacy disclosure by developing and improving standardized privacy disclosures, terminology, formats, and model privacy notices.</p>
<p>These recommendations are aimed at increasing privacy protection while also accommodating the rapid innovation and change surrounding the mobile app industry.  Importantly, the FTC has made clear that any “best practice recommendations” that go beyond existing legal requirements are not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.  Nonetheless, adherence to these “best practice recommendations” may protect those in the mobile application industry from later risks as the FTC’s enforcement directives change and these recommendations make their way into law.  For more information, please contact <a href="http://www.troutmansanders.com/karl_broder/">Karl Broder</a> or <a href="http://www.troutmansanders.com/john_hutchins/">John Hutchins</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/03/mobile-privacy-disclosures-the-ftcs-best-practice-recommendations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Rest of the Story: Other Changes Required by the HIPAA Omnibus Rule</title>
		<link>http://www.informationintersection.com/2013/03/the-rest-of-the-story-other-changes-required-by-the-hipaa-omnibus-rule/</link>
		<comments>http://www.informationintersection.com/2013/03/the-rest-of-the-story-other-changes-required-by-the-hipaa-omnibus-rule/#comments</comments>
		<pubDate>Mon, 04 Mar 2013 21:59:20 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1861</guid>
		<description><![CDATA[This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates.  This post highlights changes to the requirements for communications, authorization and disclosure [...]]]></description>
			<content:encoded><![CDATA[<p>This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates.  This post highlights changes to the requirements for communications, authorization and disclosure of data, and individuals’ rights with regard to their own Protected Health Information (PHI).</p>
<p>In its over 500 pages, the HIPAA Omnibus Rule makes some major changes to several HIPAA Rules by, for example, altering the nature of liability for business associates, changing the definition of “breach” for breach notification, and securing increased penalties for HIPAA violations. Beyond these broad, sweeping changes, the Rule alters other, narrower provisions that will affect the way covered entities send communications, handle individuals’ demands, and make judgments on the use and disclosure of PHI on a day-to-day basis.</p>
<p><strong>Right to Request a Restriction of Uses and Disclosures</strong></p>
<p>The HIPAA Omnibus Rule affirms an individual’s right to restrict the disclosure of his information to a health plan where (1) the disclosure is for health care operations or payment and disclosure is not otherwise required by law, and (2) the PHI relates solely to a product or service for which the individual or a third party paid in full, out of pocket. Upon such a request, covered entities must comply with such a restriction and must not disclose the restricted information to the individual’s health plans. Business associates of a health plan are equally prohibited from receiving the restricted PHI.</p>
<p>The Rule gives covered entities guidance on how to comply with this provision. Covered entities are not required to take the time to separate the restricted records, but HHS does require them to flag or annotate records to identify restricted PHI. Covered entities should understand how this flag works within their own Electronic Health Records. Additionally, where covered entities cannot “unbundle” their services, covered entities must explain this to the individual, and if there is no way to restrict the PHI for just one service or product, all services or products in the bundle must be restricted. However, HHS emphasizes that it is the mandatory duty of covered entities to unbundle and restrict the PHI where they can.</p>
<p>As a protection for the covered entity, where a payment to the covered entity fails, such as for a bounced check, the covered entity can proceed to contact and disclose all relevant information to the health plan to secure payment, but only after the covered entity tries to remedy the situation with the individual, such as by a phone call seeking an alternative form of payment. Covered entities are also allowed to disregard the restriction where the provider needs to justify follow-up care that was not paid out of pocket.</p>
<p><strong>Access of Individuals to PHI</strong></p>
<p>The Privacy Rule has always emphasized the importance of allowing individuals to have access to their own PHI. The HIPAA Omnibus Rule requires that covered entities provide individuals with a copy of the PHI that is maintained in a designated record set in the form and format requested by the individual, and if that is not possible, to reach an agreement with the individual for the provision of that information electronically. The requested information must be provided within 30 days. Covered entities are, however, allowed one 30-day extension if circumstances warrant a delay.</p>
<p>Individuals may designate third parties to receive their information, and the covered entity is required by the HIPAA Omnibus Rule to send the information to that person upon a signed written request. Covered entities are not required to investigate each request to ensure the third party seeking the records is doing so honestly. The Rule does, however, require the covered entity to have policies and procedures in place to verify the third party’s identity when they request access to the PHI, as well as to protect the PHI as it is shared.</p>
<p>Covered entities may charge fees for their efforts in response to a request for information, but the fee must be based on the actual costs incurred to provide the information. For paper records, the fee can only include the costs of supplies and labor, postage, and preparation of a summary of the contents. For electronic records, the fee can include labor costs, and, where requested by the individual, the costs for the electronic media on which the records are transferred (such as a CD or a USB drive), postage (where the electronic media is mailed), and a summary of the contents. The covered entity cannot allocate computer costs or data storage costs to the fee.</p>
<p><strong>Fundraising</strong></p>
<p>The HIPAA Omnibus Rule changes the requirements for fundraising communications. These changes are both more permissive and more restrictive than the previous standards. The Rule is more permissive in that covered entities have significant flexibility in both how they fundraise and how they offer individuals the opportunity to opt out. A covered entity is allowed to decide what method of opt-out the entity uses, provided the method is not unduly burdensome or costly and a statement that the individual may opt out is included in the Notice of Privacy Practices (NPP). It may also choose whether it wants the individual to opt out of all fundraising communications or only those directed at a specific fundraising campaign. The Rule is more restrictive in that it absolutely prohibits a covered entity from sending fundraising communications once the individual has opted out of receiving such communications.</p>
<p>The Rule creates new categories of PHI that can be used by covered entities for targeted fundraising communications. These categories include (1) department of service (general department of treatment); (2) treating physician information; and (3) outcome information (including information on death and sub-optimum outcome). These categories join demographic statistics and health insurance status on the list of items the Privacy Rule allows to be used for fundraising. The effect of these new categories is to allow covered entities to use PHI to develop more focused fundraising programs.</p>
<p><strong>Marketing</strong></p>
<p>Marketing communications are those made to entice a recipient to use or purchase a service or product. Historically, HIPAA required an authorization to make marketing communications, with a few exceptions for certain health-related communications.</p>
<p>The HIPAA Omnibus Rule makes changes to this area. If the covered entity is receiving payment from a third party for making the communication, a “subsidized communication,” then the covered entity must obtain authorizations – there are no longer any exceptions in this case. Because an authorization for each “subsidized communication” is now required, covered entities no longer have to include information about these communications in their NPPs. Likewise, covered entities do not have to include information in their NPPs about appointment reminders, treatment alternatives, and other services, which are for treatment and operations.</p>
<p>The authorization is valid where it meets the general requirements for all HIPAA authorizations and tells the individual he or she may revoke the permission at any time. The authorization must also notify the individual that a third party is paying the covered entity to make the communication. Such notice may be either general or situation- or product-specific, but must at least give the individual an idea of the intended purpose of the use or disclosure.</p>
<p>The HIPAA Omnibus Rule contains an exception for refill reminders, adherence reminders, and delivery system instructions. As long as the remuneration received by the covered entity is reasonably related to the cost of making the communication, and the covered entity does not make a profit, such reminders are not considered marketing communications.</p>
<p><strong>Sale of PHI</strong></p>
<p>Pursuant to the HITECH Act, a covered entity cannot “sell” an individual’s PHI without the individual’s authorization. The HIPAA Omnibus Rule clarifies that the “sale of PHI” includes a covered entity or business associate receiving, directly or indirectly, financial or non-financial remuneration in exchange for PHI. Importantly, a change in ownership of the PHI is not required, and a lease, license, or even access might trigger the protections in this provision. While this prohibition seems very broad, there are several exceptions that will protect many legitimate arrangements. For instance, the “sale of PHI” does not include disclosures for public health purposes, treatment, or operations. Perhaps the largest exception is for disclosures by a covered entity or a business associate, in accordance with the Privacy Rule, for a reasonable, cost-based fee.</p>
<p>If a covered entity or business associate will be receiving remuneration in exchange for PHI, they should evaluate the arrangement to ensure it meets an exception. If it does not, then the covered entity will have to secure the individual’s authorization before proceeding.</p>
<p><strong>Decedents, 50-Year Release</strong></p>
<p>While we all expect to have our protected health information kept private, we give little thought to what happens to that PHI after death. The current HIPAA Privacy Rule requires covered entities to continue protecting the privacy of PHI indefinitely after an individual’s death. This causes hardship for historians and other researchers who cannot access records due to HIPAA protections. The HIPAA Omnibus Rule modifies the requirement so that the privacy protections only apply for 50 years after the date of death. HHS emphasizes that this change does not displace stricter state or other laws, or the professional responsibility of medical providers. Additionally, the change is not a mandate that entities keep their records for that long &#8211; HIPAA does not have record retention requirements.</p>
<p><strong>Decedents, Disclosures to a Family Member/Others Involved in Care</strong></p>
<p>Changes to this section of the Privacy Rule arose from frustrations of family members of decedents who were unable to access information related to the death of their loved one. The HIPAA Omnibus Rule remedies that situation by allowing covered entities to disclose the decedent’s PHI to a family member or other person involved in the decedent’s care or treatment, but only to the extent the PHI is relevant to the role the family member or other person played in the decedent’s treatment. No release is permissible where the individual expressly stated before death that he preferred the PHI not be released. Importantly, this is not a requirement but a permission, which means that if the covered entity doubts the identity or explanation of the person seeking the information, it may deny the request.</p>
<p><strong>Student Immunization in Schools</strong></p>
<p>The HIPAA Omnibus Rule adopts a new provision that allows covered entities in states that have compulsory vaccination laws to disclose immunization records to schools without obtaining formal parental authorization. All that is required is that a covered entity obtain permission, which can be oral or written so long as such permission is documented in the covered entity’s records. This Rule does not change the fact that disclosures to immunization databases are considered to be public health disclosures, so no authorization is required.</p>
<p>HHS emphasizes that this part of the Rule does not affect any state laws. If state law requires authorization for this type of disclosure, HIPAA does not preempt that state law.</p>
<p>For more information, contact <a href="http://www.troutmansanders.com/steven_gravely/" target="_blank">Steven &#8220;Steve&#8221; D. Gravely</a>, <a href="http://www.troutmansanders.com/stephen_rosenthal/" target="_blank">Stephen &#8220;Steve&#8221; D. Rosenthal</a>, <a href="http://www.troutmansanders.com/erin_whaley/" target="_blank">Erin S. Whaley</a> or <a href="http://www.troutmansanders.com/kelsey_farbotko/" target="_blank">Kelsey S. Farbotko</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/03/the-rest-of-the-story-other-changes-required-by-the-hipaa-omnibus-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Executive Order on Cybersecurity</title>
		<link>http://www.informationintersection.com/2013/02/the-executive-order-on-cybersecurity/</link>
		<comments>http://www.informationintersection.com/2013/02/the-executive-order-on-cybersecurity/#comments</comments>
		<pubDate>Thu, 21 Feb 2013 18:46:29 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Information Management]]></category>
		<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1842</guid>
		<description><![CDATA[On February 12, 2013, the President issued an Executive Order (EO) and an accompanying Presidential Policy Directive, PPD-21(PPD). The EO requires improved cybersecurity information sharing between the federal government and the owners and operators of critical infrastructure (the vital systems and assets) and the development by the federal government of standards to reduce cyber risks [...]]]></description>
			<content:encoded><![CDATA[<p>On February 12, 2013, the President issued an <a href="http://www.troutmansanders.com/files/upload/WH%20EO%20Cybersecurity%202013.pdf" target="_blank">Executive Order</a> (EO) and an accompanying <a href="http://www.troutmansanders.com/files/upload/CI%20Protection%20-%20PPD-21.pdf" target="_blank">Presidential Policy Directive</a>, PPD-21 (PPD). The EO requires improved cybersecurity information sharing between the federal government and the owners and operators of critical infrastructure (the vital systems and assets) and the development by the federal government of standards to reduce cyber risks to critical infrastructure. Under the PPD, the critical infrastructure-related functions, roles, and responsibilities across the federal government for implementing the EO are delineated. The PPD identifies 16 critical infrastructure sectors and designates the Sector-Specific Agencies responsible for each sector.  The sectors include Chemical, Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Financial Services, Information Technology, Nuclear Reactors, and Water and Wastewater Systems.  The order redefines critical infrastructure as any organization and associated systems where a cyberattack could pose a threat to U.S. national security, public safety and health, or economic interests. Given the breadth of the EO and its potential reach, it merits attention.<span id="more-1842"></span></p>
<p>To improve information sharing, the EO requires the Secretary of Homeland Security to ensure the production of unclassified reports of cyber threats to the U.S., as well as the dissemination of classified reports to the owners or operators of critical infrastructure authorized to receive them. The Secretary is also directed to expand a voluntary information sharing program to provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. The Secretary is also directed to expedite the processing of security clearances for personnel employed by critical infrastructure owners and operators.</p>
<p>In terms of standards, the National Institute of Standards and Technology will lead the development of a Cybersecurity Framework, which will incorporate voluntary consensus standards and industry best practices to the fullest extent possible. A voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities will be established, which will include incentives designed to promote participation in the Framework. And each agency with responsibility for regulating the security of critical infrastructure (the Sector-Specific Agency) will determine whether it has authority to establish requirements based on the Framework and, if such authority is insufficient, the agency shall propose actions to mitigate cyber risk.</p>
<p>For more information about the Executive Order or to discuss the issues it may raise for the energy industry, contact <a href="http://www.troutmansanders.com/bonnie_suchman/" target="_blank">Bonnie Suchman</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/02/the-executive-order-on-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Big Changes for Business Associates</title>
		<link>http://www.informationintersection.com/2013/02/big-changes-for-business-associates/</link>
		<comments>http://www.informationintersection.com/2013/02/big-changes-for-business-associates/#comments</comments>
		<pubDate>Mon, 18 Feb 2013 15:23:30 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1835</guid>
		<description><![CDATA[This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates. The HIPAA Omnibus Rule makes significant changes to both the definition of who qualifies [...]]]></description>
			<content:encoded><![CDATA[<p>This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates.<span id="more-1835"></span></p>
<p>The HIPAA Omnibus Rule makes significant changes to both the definition of who qualifies as a business associate and the requirements of business associate agreements. Covered entities routinely hand out business associate agreements to their “business associates,” and their “business associates” routinely sign them, often without giving them a second thought. Going forward, covered entities will have more “business associates” and those business associates will face new obligations to ensure that they are compliant with the Security Rule and some aspects of the Privacy Rule. Almost all covered entities and business associates will need to revise their business associate agreements to incorporate the new requirements of the HIPAA Omnibus Rule.</p>
<p><em>More Business Associates than Ever Before</em></p>
<p>The term “business associate” has always covered a fairly significant number of a covered entity’s vendors. The HIPAA Omnibus Rule expands the coverage even further to encompass not only those vendors that “create, receive or transmit PHI on behalf of a covered entity,” but also those that “maintain” PHI on behalf of a covered entity. The Rule also lists, by name, the following types of vendors, which are now considered “business associates.”</p>
<ul>
<li>Patient Safety Organizations where they receive PHI in order to analyze patient safety events data</li>
<li>Health Information Organizations, E-Prescribing Gateways, or other data transmission services where “routine access” to PHI is required</li>
<li>A Person Offering a Personal Health Record (PHR) to individuals on behalf of a covered entity, such as when a vendor is hired by a covered entity to provide PHR to its patients or enrollees.</li>
</ul>
<p>Perhaps most importantly, the HIPAA Omnibus Rule makes a business associate’s subcontractor a “business associate.” Prior to the Rule, a business associate was responsible for getting “reasonable assurances” from its subcontractors that the subcontractors would comply with the provisions of the applicable business associate agreement. After the Rule, a business associate must enter into a business associate agreement with each of its subcontractors. Because the subcontractor is a “business associate,” the subcontractor must also comply with the Security Rule and some provisions of the Privacy Rule, including entering into a business associate agreement with each of its subcontractors.</p>
<p>Importantly, the Final Rule reaffirms that regardless of whether a business associate agreement exists, one is deemed to be a business associate from the moment that person or entity creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate.</p>
<p>Covered entities should review their current list of business associates and determine if more need to be included. However, the greater impact will be on those whose business makes them business associates to covered entities and those subcontractors that have not previously implemented their own HIPAA compliance programs.</p>
<p><em>Business Associates Must Comply with All Aspects of the Security Rule</em></p>
<p>The Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates civilly and criminally liable for violations of several Security Rule provisions. Consistent with the HITECH Act, the HIPAA Omnibus Rule expands the scope of the Security Rule to apply not only to covered entities but also to business associates. In practice, this means that business associates must have HIPAA compliance policies and procedures in place to address the Security Rule’s administrative, physical, and technical safeguards for handling electronic PHI.</p>
<p>Although business associates have been on notice of these changes since the passage of the HITECH Act and subsequently the proposed rule, this short provision in the HIPAA Omnibus Rule gives HHS the clear authority to enforce these duties against noncompliant business associates. It is important that all business associates evaluate the requirements of the Security Rule and ensure that they are compliant.</p>
<p><em>Business Associates Must Comply with Some Provisions of the Privacy Rule</em></p>
<p>The HIPAA Omnibus Rule clarifies that business associates can only use and disclose PHI as permitted by the Privacy Rule and its business associate agreements. Business associates are also required to comply with various provisions of the Privacy Rule, including those requiring disclosure to the Secretary as part of a compliance investigation, disclosure to the covered entity or individual upon request, and the Minimum Necessary Standard. Business associates will need to review their policies and procedures to identify any changes that need to be made in response to these requirements.</p>
<p><em>Business Associate Liability</em></p>
<p>The HIPAA Omnibus Rule increases the consequences of non-compliance for all business associates. They always have been liable to the covered entities that they serve for failure to comply with the terms of their business associate agreements. Now, business associates are also directly liable to HHS for failure to comply with the following HIPAA rules:</p>
<ul>
<li>Making only permissible uses and disclosures;</li>
<li>Providing breach notification to a covered entity;</li>
<li>Providing access to copies of electronically held PHI to a covered entity or the individual upon request;</li>
<li>Disclosing PHI to the Secretary for investigation into the business associate’s HIPAA compliance;</li>
<li>Providing an accounting of disclosures;</li>
<li>Complying with the Security Rule requirements;</li>
<li>Making “reasonable efforts” to adhere to the Minimum Necessary Standard; and</li>
<li>Entering into business associate agreements with subcontractors that receive PHI.</li>
</ul>
<p><em>Business Associate Agreements</em></p>
<p>With the passage of the HITECH Act and the HIPAA Omnibus Rule, many questioned whether business associate agreements are still necessary. HHS answered in the affirmative – business associate agreements are still needed and may be more important than ever.</p>
<p>The HIPAA Omnibus Rule imposes many important compliance obligations on business associates, but there are a number of areas that the Rule intentionally does not cover and leaves to the parties to address. For example, the Rule still leaves it to the covered entity to define the business associate’s scope of permitted uses and disclosures. The Rule also relies upon the parties to determine where the responsibility should lie with respect to providing access to PHI in response to an individual’s request for his or her own PHI. While these are typically standardized provisions in a covered entity’s template business associate agreement, now is a good time for covered entities to revisit these provisions and ensure that they correctly allocate responsibilities.</p>
<p>It is also a good time for covered entities to review their business associate agreements to remove provisions that are no longer required. For instance, it is no longer necessary for a covered entity to report to the Secretary when there has been an incurable breach of the business associate agreement, but the agreement cannot be terminated. Many covered entities incorporated this requirement into their template agreements and can now remove it so that they are not imposing on themselves an unnecessary contractual requirement.</p>
<p>All of the requirements for a business associate agreement apply equally to business associate-subcontractor agreements as they do to agreements between covered entities and business associates. As a result, business associates will need to develop their own business associate agreements to use with their subcontractors.</p>
<p>Generally, compliance with the HIPAA Omnibus Rule is required by September 23, 2013. However, if a covered entity (1) had a compliant business associate agreement in place on January 25, 2013, and (2) did not modify the agreement between March 26, 2013 and September 23, 2013, then the covered entity has until the earlier of September 23, 2014, or when the agreement renews, to modify the business associate agreement to be compliant with the HIPAA Omnibus Rule.</p>
<p><em>Breach Notification</em></p>
<p>The HIPAA Omnibus Rule made some major changes to the current Breach Notification Rule, and most of these changes have a direct effect on business associates’ duties in documenting and notifying others of a breach. For information on the changes to the Breach Notification Rule in the HIPAA Omnibus Rule, see <em><a href="http://www.informationintersection.com/2013/02/hipaabreach-notification-changes-what-you-need-to-know/" target="_blank">HIPAA Breach Notification Changes—What You Need to Know</a></em>.</p>
<p><em>Expanded Enforcement to Business Associates</em></p>
<p>The HIPAA Omnibus Rule implements the HITECH Act’s mandate that the Enforcement Rule of HIPAA apply to business associates. This means that business associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules. For more information on how the modifications to the Enforcement Rule will impact covered entities and business associates, please watch for our upcoming e-alert.</p>
<p>The HIPAA Omnibus Rule makes extensive changes and clarifications to the HIPAA Rules regarding business associates. With the increased liabilities and responsibilities, covered entities, business associates and those who work with business associates will want to make sure they understand and comply with all of the new legal requirements. For covered entities, this will mean updating their business associate agreements. For business associates, this will mean putting into place new business associate agreements, updating existing business associate agreements, and implementing HIPAA Privacy and Security compliance policies and procedures.</p>
<p>For more information, contact <a href="http://www.troutmansanders.com/steven_gravely/" target="_blank">Steven &#8220;Steve&#8221; D. Gravely</a>, <a href="http://www.troutmansanders.com/stephen_rosenthal/" target="_blank">Stephen &#8220;Steve&#8221; D. Rosenthal</a>, <a href="http://www.troutmansanders.com/erin_whaley/" target="_blank">Erin S. Whaley</a> or <a href="http://www.troutmansanders.com/kelsey_farbotko/" target="_blank">Kelsey S. Farbotko</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/02/big-changes-for-business-associates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Breach Notification Changes: What You Need to Know</title>
		<link>http://www.informationintersection.com/2013/02/hipaabreach-notification-changes-what-you-need-to-know/</link>
		<comments>http://www.informationintersection.com/2013/02/hipaabreach-notification-changes-what-you-need-to-know/#comments</comments>
		<pubDate>Wed, 06 Feb 2013 19:08:35 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[Privacy & Data Security]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1811</guid>
		<description><![CDATA[On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Breach Notification Rules. This post outlines the changes to those Rules. In 2009, HHS issued an Interim Final Rule on Breach Notification. Since the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.informationintersection.com/wp-content/uploads/2013/02/medical-records2.jpg"><img class="aligncenter size-medium wp-image-1826" src="http://www.informationintersection.com/wp-content/uploads/2013/02/medical-records2-200x300.jpg" alt="" width="200" height="300" /></a></p>
<p>On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Breach Notification Rules. This post outlines the changes to those Rules. <span id="more-1811"></span></p>
<p>In 2009, HHS issued an Interim Final Rule on Breach Notification. Since the publication of that Interim Final Rule, covered entities and business associates have implemented policies and procedures to detect breaches of unsecured Protected Health Information (PHI) and evaluate whether the breach posed a significant risk of financial, reputational or other harm to the individual. If it was determined that the breach did pose a significant risk of harm, then the covered entities would notify the individuals involved of the breach and undertake any other reporting required by the Interim Final Rule.</p>
<p>The HIPAA Omnibus Rule makes some important changes to the breach notification process, which put covered entities and business associates at greater risk of liability for breaches. Every breach is presumed to be reportable. This presumption can be rebutted based on information developed in an investigation. Importantly, it is the responsibility of the covered entity to refute this presumption and maintain any documentation that supports the covered entity’s position that the breach is not reportable.</p>
<p>There is also a very different standard to be used in determining that a breach is not reportable. Unlike the Interim Final Rule’s “risk of harm” standard, the HIPAA Omnibus Rule adopts a “low probability of compromise” standard. Under the new standard, all impermissible uses and disclosures of unsecured PHI must be reported to the individual and the Secretary of HHS unless the covered entity can demonstrate a “low probability that PHI was compromised.” The HIPAA Omnibus Rule requires covered entities or business associates to evaluate the following four factors in their risk analysis:</p>
<ul>
<li>The nature and extent of the protected health information involved in the breach, including the types of identifiers and the likelihood of re-identification;</li>
<li>The identity of the person who impermissibly used the protected health information or to whom the impermissible disclosure was made;</li>
<li>Whether the protected health information was actually acquired or viewed; and</li>
<li>The extent to which the risk associated with the impermissible use or disclosure of the protected health information has been mitigated.</li>
</ul>
<p>This risk analysis must be performed on a case-by-case basis for each and every impermissible use and disclosure of PHI, including limited data sets. Importantly, the Omnibus Rule makes a significant change in removing the exception for limited data sets which lack birth dates and zip codes. This means that covered entities that experience a breach of limited data sets without birth dates and zip codes will have to perform the risk analysis described above.</p>
<p>The burden is on the covered entity or the business associate to provide documentation showing that the release of PHI is either: (i) not a breach; or (ii) that a breach is not reportable because there is a “low probability” that PHI was compromised. The HIPAA Omnibus Rule emphasizes that even if there is a low probability the data was compromised, covered entities should maintain all data and information related to that determination. For instance, breaches of secured PHI are not reportable. Nevertheless, covered entities and business associates need to retain documentation about these breaches and the fact that they involved secured PHI.</p>
<p>The HIPAA Omnibus Rule promises that HHS will release further guidance on the evaluation of the factors for assessing the probability of compromise. Until that time, all covered entities should evaluate their established policies and procedures for handling breaches and determine what steps are needed to come into compliance with these new, mandatory requirements.</p>
<p><span style="text-decoration: underline"><strong>Required Notifications</strong></span></p>
<p>The HIPAA Omnibus Rule adopts the notification requirements from the 2009 Interim Final Rule in their entirety, with a few clarifications. For your convenience, we have included a summary of those requirements here.</p>
<p><em>Notifying Individuals.</em> For all breaches of unsecured PHI, the covered entity must notify the individual whose PHI was breached “without reasonable delay,” but in no case more than 60 days after the covered entity knows or should have known about the breach. The notification must include a description of the breach, the breached data, and the covered entity’s plan for remedying and mitigating the breach; recommended actions for the individual to take to mitigate any potential harm; and contact information should the individual have questions.</p>
<p>Generally, the notice must be sent to the individual through first class mail or email (if the individual has indicated in writing that email is preferred). If the contact information is wrong or out-of-date, the covered entity may use the following substitute notice procedures. If there were fewer than 10 individuals for whom the covered entity did not have the right contact information, the covered entity has flexibility to determine the manner of notice, as long as it is calculated to reach that person. The HIPAA Omnibus Rule mentions telephone, alternative written notice, email (where it was not preferred), and a website posting. If there were more than 10 individuals for whom the covered entity did not have the right contact information, the covered entity must post a notice to its website or provide notice to a newspaper or broadcast network for distribution in that area. In an emergency, the covered entity may telephone the individuals, but must mail or email a written notice as well.</p>
<p><em>Media Notification Required.</em> For breaches that affect more than 500 individuals in the same State or jurisdiction, a prominent media outlet must be notified of the breach, and the notice must contain all of the same information as in the individual notification.</p>
<p><em>Notification to the Secretary of HHS.</em> The Secretary has to be notified of all breaches that require reporting, although the timing differs depending on the scope of the breach. For breaches involving fewer than 500 individuals, a covered entity must keep a log of these events and report them annually to the Secretary. This annual report must be filed within 60 days following the end of the year and should include all reportable breaches that were discovered in the prior year. For any breach affecting more than 500 individuals, the Secretary must be notified immediately, which HHS defines as concurrent with individual notification.</p>
<p><em>Business Associates.</em> All of the above notification requirements create duties for the covered entity, but the HIPAA Omnibus Rule also adopted duties for business associates. Although business associates are not required to notify affected individuals where they themselves have created a breach, business associates have a duty to notify the covered entities whose information was breached. The business associate must provide the identity of the individuals, as well as any information the covered entity would be required to include in a notification itself. If the covered entity and the business associate so choose, they may contract in their business associate agreement for a delegation of the notification responsibilities to the business associate. The HIPAA Omnibus Rule urges the parties to evaluate their particular circumstances and determine which of the two would have better access to the information needed for a notification.</p>
<p>Importantly, if the business associate is acting as an agent of the covered entity, the covered entity is deemed to have knowledge of the breach as soon as the business associate discovers it and not when it is notified by the business associate. As a result, it is critically important that covered entities evaluate the timeframe that is included in their Business Associate Agreements for their business associates to notify them of a breach to make sure that it will give the covered entity time to respond within the 60-day notification period.</p>
<p><span style="text-decoration: underline"><strong>Enforcement and Penalties</strong></span></p>
<p>The HIPAA Omnibus Rule enhances the penalties that covered entities and business associates face for both breaches and failure to comply with the Breach Notification Rule. The Office of Civil Rights (OCR) can assess a monetary penalty for failures to comply with the Breach Notification Rule. In addition, OCR has the authority to assess penalties for the impermissible uses or disclosures that are reported to the Secretary in accordance with the Breach Notification Rule. Look for a future Troutman Sanders e-alert on the new enforcement provisions in the HIPAA Omnibus Rule.</p>
<p>The enhanced penalties are consistent with HHS’ overall position that it will require stricter compliance with HIPAA and levy greater penalties on those who fail to comply. As a result, it is crucial that covered entities and business associates ensure that their internal policies and procedures incorporate the requirements of the new risk analysis, that they document each and every potential breach they review, and that they undertake all required notifications in a timely manner.</p>
<p>For more information, please contact <a href="http://www.troutmansanders.com/steven_gravely/" target="_blank">Steven &#8220;Steve&#8221; D. Gravely</a>, <a href="http://www.troutmansanders.com/stephen_rosenthal/" target="_blank">Stephen &#8220;Steve&#8221; D. Rosenthal</a>, <a href="http://www.troutmansanders.com/erin_whaley/" target="_blank">Erin S. Whaley</a> or <a href="http://www.troutmansanders.com/kelsey_farbotko/" target="_blank">Kelsey S. Farbotko</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/02/hipaabreach-notification-changes-what-you-need-to-know/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The CPSC Product Safety Database &#8211; Who Can You Trust?</title>
		<link>http://www.informationintersection.com/2013/01/the-cpsc-product-safety-database-who-can-you-trust/</link>
		<comments>http://www.informationintersection.com/2013/01/the-cpsc-product-safety-database-who-can-you-trust/#comments</comments>
		<pubDate>Wed, 30 Jan 2013 15:19:11 +0000</pubDate>
		<dc:creator>Troutman Sanders LLP</dc:creator>
				<category><![CDATA[The Internet & Social Media]]></category>

		<guid isPermaLink="false">http://www.informationintersection.com/?p=1801</guid>
		<description><![CDATA[Everybody on the Internet knows that you have to be careful about where you get your information, particularly when you are trying to figure out what products are worth purchasing.  But what happens when the government posts information about specific consumer products?  How accurate is that information? One of the most controversial aspects of the [...]]]></description>
			<content:encoded><![CDATA[<p>Everybody on the Internet knows that you have to be careful about where you get your information, particularly when you are trying to figure out what products are worth purchasing.  But what happens when the government posts information about specific consumer products?  How accurate is that information?</p>
<p><a><img src="http://www.gambalombana.com/photos/defective2.jpg" alt="" /></a></p>
<p><span id="more-1801"></span></p>
<p>One of the most controversial aspects of the Consumer Product Safety Improvement Act of 2008 (CPSIA), a sweeping federal law affecting consumer product safety standards and modernizing the Consumer Product Safety Commission (CPSC), is its requirement that the CPSC establish and maintain an online searchable consumer product safety database.  The CPSIA requires that the database include “[r]eports of harm relating to the use of consumer products” that are received from consumers, government agencies, health care professionals, child service providers, and “public safety entities.”  15 U.S.C. § 2055a(b)(1)(A).  The database, accessible at <a href="http://www.SaferProducts.gov">www.SaferProducts.gov</a>, currently contains approximately 9,000 reports of safety incidents submitted to the CPSC, concerning products as varied as washing machines, mountain bikes, cribs, and superhero action figures.  Even before the database went live in March 2011, it was nicknamed the “Database of Doom,” with many critics predicting that it would raise unfounded fears about many consumer products and also lead to a boom in product liability lawsuits by enterprising plaintiffs’ lawyers who could now research potential cases in one neatly organized website.  A recent federal district court decision, however, could help reduce the possibility of inaccurate information being published.</p>
<p>In Company Doe v. Tenenbaum, Civil Action No. 8:11-cv-02958-AW (D. Md. Oct. 22, 2012), Judge Alexander Williams Jr. addressed the first legal challenge filed against the CPSC based on content to be published in the database. The case was brought by a company whose name and product have remained anonymous and who had been notified by the CPSC that a “report of harm” would be published.  Companies whose products are the subject of reports of harm receive advance notice that the report will be published and can object to publication on the ground that the report is materially inaccurate, although the discretion on whether to publish the report resides with the CPSC. Judge Williams issued a blistering 73-page opinion ruling against the CPSC, enjoining the agency from publishing the report about Company Doe’s product in the database and finding that its intention to publish a materially inaccurate report would violate the Administrative Procedure Act because its actions were both “arbitrary and capricious” and an abuse of discretion.  While the opinion, in its heavily redacted form, provides no details as to what exactly made the report materially inaccurate, it will likely provide helpful guidance as to when a report should not be published.</p>
<p>Company Doe objected that the report was materially inaccurate because medical evidence showed that the harm alleged in the report could not be linked to Company Doe’s product.  In fact, on multiple occasions, the CPSC even acknowledged that the report contained certain inaccuracies and proposed publishing the report in a revised form.  Company Doe maintained that the report was still baseless and inflammatory and would irreparably harm its reputation and financial well-being.  Judge Williams agreed with Company Doe that the CPSC’s actions were contrary to the CPSIA and the agency’s own regulations in that the report was not “related to” the consumer product.  The court found that the CPSC’s decision “to publish the report bears no sensible relation to the purpose the CPSIA aims to advance: to enhance the Commission’s capacity to disseminate information to consumers regarding unsafe products.”  The court further criticized the weakness of the report, calling it “rank speculation” and opining that the odds that Company Doe’s product was involved in the alleged harm were “significantly lower than a coin flip.”</p>
<p>Judge Williams further found that the report was materially inaccurate under the CPSC’s regulations because it was misleading, based on the false impression it created about the role Company Doe’s product played in the alleged harm, and because the information in the report was “so substantial and important as to affect a reasonable consumer’s decision making about the product.”  The court noted that, “the report bears the Government’s stamp of approval through its publication on an official website that, by its terms, is a repository of reports regarding ‘unsafe product[s].’”  One of the chief criticisms of the database is that it lends the imprimatur of government approval to claims about products that are not always investigated in depth, or at all, and that the public will believe that products are defective and dangerous when they are not.  In Company Doe, the CPSC pointed to the disclaimer posted on the website, which states: “CPSC does not guarantee the accuracy, completeness, or adequacy of the contents of the Publicly Available Consumer Product Safety Information Database on SaferProducts.gov, particularly with respect to information submitted by people outside of CPSC.”  The court, however, did not find the disclaimer compelling and stated that it was “boilerplate and would not interest an ordinary consumer.”  The CPSC also could not rely on the fact that companies who are the subject of reports can post a response to appear below the report on the database.  Judge Williams determined that “ordinary consumers would likely dismiss this measure as disingenuous damage control.”</p>
<p>It is too soon to say exactly to what extent Company Doe will cause the CPSC to refrain from publishing reports of harm on the database when questions are raised concerning their accuracy.  Although the CPSC recently dropped its appeal in Company Doe, its public statements have not indicated that it was changing any of its policies in response to the case.  As a practical matter, businesses who seek to avoid publication of reports about their products will surely hope that the CPSC exercises its discretion properly because of the relatively high cost of bringing a challenge in court. Nevertheless, Judge Williams’ rebuke in the Company Doe case should give the agency pause before publishing reports of harm that seem to dubiously link a consumer product to the alleged harm.</p>
<p>For more information, please contact <a href="http://www.troutmansanders.com/eric_unis/">Eric Unis</a> or <a href="http://www.troutmansanders.com/john_hutchins/">John Hutchins</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationintersection.com/2013/01/the-cpsc-product-safety-database-who-can-you-trust/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
