In light of COVID-19, many organizations are taking advantage of free video conferencing capabilities offered by Zoom. Almost overnight, Zoom has become one of the most popular video conferencing services among businesses and schools. Daily Zoom users have skyrocketed from 10 million users in December 2019 to 200 million users in March 2020.
Businesses subject to the California Consumer Privacy Act (“CCPA”) that have begun exploring the possibility of collecting data from visitors to their facilities to track potential coronavirus exposure and to allow/deny entry must take into consideration the fact that, by doing so, they would almost certainly be collecting data that would constitute personal information under the CCPA. For businesses subject to the CCPA, the question arises as to whether such a practice is permissible.
Even with the proper notice, businesses must also consider what they will do if facility visitors seek to exercise their deletion rights—and whether deleting such information renders any such screening program dangerously flawed. The CCPA provides nine exceptions that allow a business to “deny” a request for deletion. However, the CCPA does not include exceptions for public health crises or emergencies. Further, although it may depend on the locality, this type of usage would likely not constitute “complying with a legal obligation,” and therefore would not fall under the exception in Cal. Civ. Code § 1798.105(d)(8).
Accordingly, if a business wishes to deny a request for deletion and stay within the bounds of the CCPA, it must interpret another exception as encompassing using personal information to ensure the safety of employees and visitors and to curb the spread of a global pandemic. One possibility is that screening individuals constitutes an internal use that is “solely internal” and “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Cal. Civ. Code § 1798.105(d)(7). Similarly, it could constitute an internal use “in a lawful manner that is compatible with the context in which the consumer provided the information.” Cal. Civ. Code § 1798.105(d)(9). While both of these exceptions could likely be read broadly enough to allow a colorable argument, both also require that the use be strictly internal. To the extent a business may use such information externally—such as in conjunction with governmental or health agencies when determining potential contamination connections—the exceptions may not apply.
Another possibility is that screening individuals could fall under the “detect[ing] security incidents” exception, which is not limited to strictly internal use. Cal. Civ. Code § 1798.105(d)(2). The security incidents exception traditionally applies to information used for information security and anti-fraud purposes. However, “security incident” is not defined in the CCPA, and it is therefore not statutorily limited to that context. Businesses could thus take the position that detecting visitors with coronavirus amounts to detecting a security incident.
Given the current crisis, it seems highly unlikely that the California Attorney General’s Office would focus its resources on businesses that are using information to try to prevent the spread of coronavirus—so long as businesses are not profiting from the information they are collecting. Further, the enforcement deadline is not set to commence until July 1, 2020. Nonetheless, businesses should still be trying to ensure that their practices during this crisis comply with applicable laws, including the CCPA. While none of the CCPA’s deletion exceptions directly fit using personal information to screen for coronavirus, they do provide some cover for businesses that feel that such steps are necessary to ensure the safety of their employees and patrons. So long as businesses are not using this data for other reasons, they likely have a defensible position in the unlikely event that the California Attorney General investigates the practice.
Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).
To address these questions, the Office for Civil Rights (OCR), U.S. Department of Health and Human Services, has issued guidance. First, it published a bulletin reminding us that the privacy rules of HIPAA continue to apply in an emergency, while identifying when the rules allow for the responsible use and disclosure of protected health information in the case of a serious contagion. OCR supplemented that guidance with a second bulletin and an announcement that provide relief from certain requirements to hospitals and telemedicine providers.
The First Bulletin: Basic HIPAA Guidance
The threshold question under HIPAA is whether HIPAA applies at all. It is important to remember that HIPAA’s privacy rules extend only to covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates. If an employee notifies his or her employer that the employee is self-quarantining because he or she has tested positive for the virus, the employer would not be subject to HIPAA’s requirements with regard to that information. But if an employer finds out that an employee has the virus from the employer’s health plan, that information would be subject to HIPAA.
Even if HIPAA does not apply, its requirements may serve as a useful touchstone for how to handle personally identifiable information in difficult situations.
Under HIPAA, an individual’s protected health information (PHI) may be disclosed without the individual’s authorization in various circumstances, including:
- to providers for the treatment of patients;
- to appropriate authorities engaged in public health activities;
- to individuals at risk for contracting or spreading the virus (if permitted by other applicable laws);
- to an individual’s friends and family members involved in the individual’s care (with the individual’s verbal consent or, often, tacit permission);
- to a person in a position to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public (consistent with other applicable laws and standards for ethical conduct).
Thus, information may be disclosed to the Center for Disease Control and to state and local health departments that are collecting information about the spread of the virus, and HIPAA will not prevent reasonable and appropriate action to alert individuals who have been exposed to the virus.
However, covered entities still need to be mindful of HIPAA’s requirements to safeguard PHI from inappropriate uses and disclosures. Covered entities and business associates must continue to take care to use and disclose only the minimum amount of PHI necessary and to verify the identity and, where appropriate, authority of individuals making inquiries. In view of the attention that the virus is receiving, particular care should be taken in communications with the media.
The Second Bulletin: Relief for Hospitals
Effective March 15, certain hospitals will not be subject to penalty or sanction under HIPAA if they fail to comply with the following HIPAA requirements:
- obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- honoring a request to opt out of the facility directory. See 45 CFR 164.510(a).
- distributing a notice of privacy practices. See 45 CFR 164.520.
- addressing a patient’s request for privacy restrictions. See 45 CFR 164.522(a).
- addressing a patient’s request for confidential communications. See 45 CFR 164.522(b).
This waiver is limited in scope and duration. It extends only to hospitals that have instituted a disaster protocol and that are located in an emergency area identified in the HHS Secretary’s January 31, 2020 public health emergency declaration. The waiver extends only up to 72 hours from the time a hospital implements its disaster protocol.
The Announcement: Relief for Telemedicine Providers
Effective March 17, OCR will not impose penalties on telemedicine providers who, in good faith, communicate with patients through any non-public facing communication product. The policy applies to video and audio products and to communications about all telemedicine issues, not only issues pertaining to COVID-19. Thus, a provider could video chat with a patient about a sprained ankle on Apple FaceTime, Facebook Messenger video chats, Google Hangouts video, Skype, or a similar service. Providers should enable all available encryption and privacy modes when using these applications and are encouraged to notify patients that the use of such applications introduces certain privacy risks.
The relief does not extend to public facing applications, such as Facebook.
Providers may seek out services that aim to be HIPAA-compliant from vendors that will enter into business associate agreements. However, OCR will not impose penalties for “the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
Absent a specific exception, individuals and entities that are subject to HIPAA must comply with its privacy and security requirements. Those requirements include provisions that allow for the proper use and disclosure of protected health information in a number of ways relevant to the current public health emergency. OCR has provided enforcement relief to telemedicine providers and certain hospitals for a limited range of HIPAA violations. Covered entities and business associates under HIPAA should watch for additional guidance, and should be mindful that the current state of emergency will end at some, as yet undefined, date in the future and with it, the specific relief offered by OCR will also likely end.
The successful management of COVID-19 relies on the quick analysis and collection of health data, which can raise privacy issues, particularly in the European Union. In order to help data controllers manage their COVID-19 response plans under the General Data Protection Regulation (GDPR) and other EU privacy laws, the European Data Protection Board (EDPB) released a statement discussing how governments and companies can process personal data in response to COVID-19.
In the midst of a global pandemic, readers may have overlooked the recent issuance by the California Office of Attorney General (OAG) of a second set of modifications to the California Consumer Privacy Act (CCPA) regulations.
As people across the country and world try to figure out how to protect themselves against the spread of coronavirus, hackers are working hard to spread their own viruses. Indeed, various cybersecurity firms have reported that the amount of malicious emails containing the word “coronavirus” has significantly increased since the end of January.
Many of these phishing schemes involve emails that purport to be from a reputable health-related organization, such as the World Health Organization (WHO) or the Center for Disease Control (CDC), providing safety information through an attachment or link. Although the emails may look legitimate, in reality they are simply a means to steal personal information.
In another common scheme, hackers spoof emails from business partners or employers, requesting payment of invoices for coronavirus-related purchases (e.g., facemasks or hand sanitizer) or personal information related to remote work programs.
While many businesses have taken significant efforts to help employees identify phishing scams—such as tags to identify external emails—they should consider reminding employees of the increased potential for phishing emails in the wake of coronavirus. Companies that have not yet implemented technical controls to thwart phishing emails at the firewall or to alert employees about suspicious emails may want to consider doing so now.
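The two controls the post mentions, tagging external email and alerting employees to suspicious messages, can be illustrated with a small triage filter. The code below is an added example written for this post; it is not a product, a vendor's filter, or the post's own code. The internal domain, the list of legitimate domains for the impersonated health organizations, the keyword lists, and the three sample messages are all constructed assumptions. It tags messages from outside the assumed internal domain, and raises an alert when a display name claims to be WHO or the CDC while the sending domain is not theirs, when the Reply-To domain differs from the From domain, when a coronavirus-themed message carries a link or attachment, or when a payment request arrives from outside or with a mismatched Reply-To.

```python
"""Added example: phishing triage for the two patterns the post describes
(impersonated health organizations, and spoofed invoice/payment requests).
Illustrative code only; domains, keyword lists and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"            # assumed internal mail domain
HEALTH_ORG_DOMAINS = {"who.int", "cdc.gov"}      # legitimate domains of the bodies being impersonated
ORG_NAME = re.compile(r"\b(who|cdc|world health organi[sz]ation|centers? for disease control)\b", re.I)
THEME = re.compile(r"\b(coronavirus|covid[- ]?19)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|payment|wire|purchase order)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the subject as it would be delivered (with an [EXTERNAL] tag when the
    sender is outside INTERNAL_DOMAIN) and the list of alert reasons, if any."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    subject = msg.get("Subject", "")
    reasons = []

    # Control 1: tag everything that did not originate from the internal domain.
    external = from_dom != INTERNAL_DOMAIN
    if external:
        subject = "[EXTERNAL] " + subject

    # Control 2a: display name claims a health organization, domain says otherwise.
    if ORG_NAME.search(name) and from_dom not in HEALTH_ORG_DOMAINS:
        reasons.append("display name claims a health organization but sender domain is "
                       + (from_dom or "missing"))

    # Control 2b: replies would go somewhere other than the apparent sender.
    # (An internal-looking From header is not proof of origin; without SPF/DKIM/DMARC
    # results the Reply-To mismatch is the only signal this example has.)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    reply_mismatch = bool(reply_dom) and reply_dom != from_dom
    if reply_mismatch:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Collect plain-text body and attachment names across all MIME parts.
    text, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                text += payload.decode(part.get_content_charset() or "utf-8", "replace")

    # Control 2c: coronavirus lure delivering a link or attachment.
    themed = bool(THEME.search(subject) or THEME.search(text))
    if themed and (attachments or URL.search(text)):
        reasons.append("coronavirus-themed message carrying a link or attachment")

    # Control 2d: payment request that is external or has a mismatched Reply-To.
    if PAYMENT.search(subject + " " + text) and (external or reply_mismatch):
        reasons.append("payment request from an external or mismatched sender")

    return {"subject": subject, "external": external, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_WHO = """From: World Health Organization <alerts@who-update.example>
To: staff@example-corp.test
Subject: Coronavirus safety measures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached guidance immediately.
--b1
Content-Type: application/pdf; name="guidance.pdf"
Content-Disposition: attachment; filename="guidance.pdf"

JVBERi0xLjQK
--b1--
"""

SAMPLE_INVOICE = """From: Accounts Payable <ap@example-corp.test>
Reply-To: ap@example-corp-billing.example
To: finance@example-corp.test
Subject: Coronavirus supplies invoice - payment due

Please wire payment for the facemask order to the new account details below.
"""

SAMPLE_BENIGN = """From: Alice <alice@example-corp.test>
To: bob@example-corp.test
Subject: Lunch on Friday

Anyone free?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WHO, SAMPLE_INVOICE, SAMPLE_BENIGN):
        print(triage(sample))
```

The benign internal message passes with no reasons; the WHO lookalike is tagged external and flagged twice; the invoice message is not tagged (its From header claims the internal domain) but is flagged on the Reply-To mismatch and the payment request, which is why tagging alone is not enough.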
The widespread use of social media platforms makes them ideal for companies trying to reach a large audience. Pharmaceutical and consumer products industries frequently maintain their own social media accounts and partner with celebrities, physicians, patients, and “influencers”—i.e., individuals who have achieved online celebrity and whose posts reach a wide audience—to endorse their products through social media campaigns. Although U.S. regulatory agencies have already been closely monitoring the development of these advertising platforms, the Food & Drug Administration (FDA) and the Federal Trade Commission (FTC) have both recently announced efforts to modernize their understanding of the impact that endorsers have on consumers, signaling the likelihood of more aggressive enforcement in the near future.
The FDA has proposed two studies geared towards evaluating the impact of different types of endorsers (celebrity, physician, patient, and influencer) and payment disclosures on consumers. The agency has invited comments on:
- whether the proposed collection of information is necessary for the proper performance of FDA’s functions, including whether the information will have practical utility;
- the accuracy of FDA’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
- ways to enhance the quality, utility, and clarity of the information to be collected; and
- ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques, when appropriate, and other forms of information technology.
The comment period ends on March 30, 2020.
The FTC is currently engaging in a systematic review of its regulations and guides, and is accepting comments on its existing “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (the Guides). The Guides serve an advisory purpose, assisting businesses and others to conform their endorsement and advertising practices to the requirements of Section 5 of the FTC Act. The topics that the FTC is seeking comments on include the following key areas:
- modifications to the Guide that are necessary in response to technological, economical, or environmental changes;
- the effectiveness and necessity of disclosing material connections;
- consumers’ (and especially young consumers’) understanding of disclosures of material connections;
- the practice of offering incentives to individuals who are not endorsers in exchange for positive reviews;
- the practice of soliciting feedback and funneling satisfied customers to review sites and dissatisfied consumers to further customer service resolution centers; and
- the use of affiliate links.
Commissioner Rohit Chopra released a statement on February 12, 2020 in which he encouraged “[codifying] elements of the existing endorsement guides into formal rules so that violators can be liable for civil penalties.” Businesses interested in having their input considered by the FTC should submit their responses to the FTC’s request for comments before the comment deadline of April 21, 2020.
The actions taken by these regulatory agencies reflect a growing interest in how a company uses endorsers to market consumer products and suggest that the regulatory landscape may soon evolve. Ballard Spahr will continue to monitor this space for further developments. In the meantime, FDA- and FTC-regulated companies should consider submitting comments to the appropriate regulatory authority and revisiting their advertising practices with regard to endorsements.
On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA). The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which concluded in December 2019. Overall, the modified regulations provide helpful clarifications that should lessen compliance burdens for a number of industries. Of note, the modified regulations:
- Limit Definition of Personal Information. The modified regulations clarify that “personal information” does not include information that a business collected but cannot reasonably link to a consumer. For example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household” then the IP address would not be “personal information.” This is a particularly important limitation for businesses that don’t have a direct relationship with California consumers but rather only collect personal information via the website.
- Define Reasonable Accessibility. The initial proposed regulations included a new requirement that privacy policies and online notices be reasonably accessible, without offering any definition of the standard. The modified regulations state that reasonable accessibility means compliance with generally recognized industry standards, such as the Web Content Accessibility Guidelines, v2.1 – the prevailing standard used for ensuring compliance with the Americans with Disabilities Act (ADA) website accessibility requirements.
- Require Just-in-Time Notice for Unexpected Data Collection. The modified regulations state, “When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.” This requirement aligns with Federal Trade Commission (FTC) guidelines and the 2020 Network Advertising Initiative (NAI) Code of Conduct.
- Remove the Webform Requirement. The modified regulations remove a requirement set forth in the initial proposed regulations that businesses provide two or more methods for consumers to submit consumer access requests, one of which was an interactive webform. The modified regulations permit businesses to meet this requirement by providing a toll-free number and a designated email address.
- Limit Search Obligations in Response to Right to Know Requests. The modified regulations clarify that a business is not required to search for personal information in response to a right to know request where the business: (1) does not maintain the personal information in a searchable or reasonably accessible form; (2) maintains the personal information for legal or compliance purposes; (3) does not sell or use the personal information for a commercial purpose; and (4) describes to the consumer the categories of records that may contain personal information that the business did not search. This limitation partly addresses the question of whether (and when) right to know requests include access to data held in hard-to-search, unstructured systems.
- Provide Opt-Out Button Examples. The modified regulations include examples of compliant opt-out buttons.
There are other changes to the regulations that have the effect of limiting some of the other compliance burdens for businesses. As expected, however, the modified regulations do not provide additional clarity regarding the meaning of “sale/sell/selling” or define what “reasonable data security” means.
The AG’s Office will accept public comments to the modified regulations until February 24, 2020. The regulations are expected to be finalized in April or May 2020.
Although the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may yet announce one or two year-end settlements, it appears that 2019 will be known more for the implementation of changes in HIPAA enforcement policy than for any of the particular matters that OCR resolved. Last April, OCR announced that it would lower the maximum penalties assessed for most categories of HIPAA violations. Previously, the same maximum $1.5 million cap applied to all categories of violations, regardless of severity. The new policy lowered the limit to:
- $25,000, when an entity does not know and would not have known of the violation when exercising reasonable diligence.
- $100,000 when the violation is due to reasonable cause.
- $250,000 when the violation arises from willful neglect, but is corrected.
Only violations that result from willful neglect and are not corrected remain subject to the $1.5 million cap.
It initially appeared that the new enforcement policy was producing a dramatic reduction in all settlement amounts. A settlement reached before (although announced after) publication of the new policy resulted in a $3 million penalty payment, while the penalty amounts for the first few settlements that followed the guidance never topped $100,000. However, as 2019 progressed, OCR announced a number of larger settlements. For example:
- OCR imposed a penalty of approximately $2.15 million against Jackson Health System for violations that included staff members’ unauthorized access to the protected health information (PHI) of a professional athlete, the unauthorized access by an employee of records of more than 24,000 patients (records that were eventually sold), and the loss of certain patient records. The Health System waived its right to a hearing and did not contest OCR’s Notice of Proposed Determination.
- OCR imposed a penalty of $1.6 million against the Texas Health and Human Services Commission after it discovered a vulnerability in a web application designed to collect and report information for Medicaid waiver programs. The Commission discovered the breach when an unauthorized user reported gaining access to the application without entering credentials. Following an investigation, OCR determined that PHI had been placed on a public server that allowed an undetermined number of unauthorized users to view names, Social Security numbers, Medicaid numbers and treatment information of approximately 6,500 individuals.
- OCR secured a settlement of $3 million with the University of Rochester Medical Center (URMC) after URMC reported that a flash drive containing PHI was lost and an unencrypted laptop that contained PHI was subsequently stolen from a treatment facility. Following an investigation, OCR determined that URMC had failed to conduct a thorough risk analysis of vulnerabilities of the electronic PHI (ePHI) in its possession and to implement sufficient policies and procedures safeguarding the movement of hardware and media containing ePHI within and outside of the facility, including a failure to sufficiently encrypt ePHI.
- Sentara Hospitals agreed to pay approximately $2.2 million to settle allegations that it inappropriately disclosed PHI of 577 patients when it mailed the billing statements for these patients to the wrong addresses. Sentara reported the breach to OCR, but incorrectly limited its report to eight individuals based on its erroneous understanding that it was required to report breaches only if they disclosed specific medical information, such as a patient’s diagnosis or treatment. In addition, Sentara failed to report all affected individuals even after OCR advised it of its requirement to report all violations.
In total, half of the announced OCR actions involved more than $1.5 million in penalties (it is worth keeping in mind that the annual cap applies per type of violation, so multiple types of violations may result in assessments that exceed the $1.5 million per-type cap), while the remaining half ranged from $10,000 to $100,000. Two of the smaller settlements involved OCR’s first enforcement actions related to its Right of Access Initiative, which focuses on the rights of individuals to receive copies of their medical records in a timely manner without being overcharged. Both of those actions resulted in settlements of $85,000.
2019 continued a trend set in prior years by starting slowly. Eight of the ten assessments announced by OCR occurred after mid-September.
Absent any late-breaking announcements for actions resolved at the end of last year, the total assessments for 2019 will amount to a little more than $12 million. That amount is less than half the record-setting amount of 2018, although the number of actions resolved was similar. It is difficult to assess how much of this decrease is attributable to the new enforcement policy. 2018 appears to have been an anomaly with more than half of the assessments arising from the $16 million settlement with Anthem.
Given the sharp division between large and small settlements, it appears that OCR is making distinctions that place violations in different categories of severity and that treat certain violations as being of the same or a different type. At this time, there is only a small sample space with limited information as to how OCR is making these distinctions. OCR announcements for situations where they assessed penalties without reaching an agreement provide significantly greater information on how OCR views certain matters, but still leave much to speculation.
Ultimately, parsing out what leads to larger vs. smaller penalties should not guide an entity’s approach on how to address HIPAA’s privacy and security requirements. Health care providers, health benefit plans, healthcare clearinghouses, and their respective business associates ought to take diligent measures to safeguard PHI and otherwise comply with HIPAA. If a violation does occur, it should be addressed promptly and thoroughly to minimize the harm to individuals and to prevent it from happening again. And, even though the penalties may be relatively small, those subject to HIPAA should aim to respond timely and appropriately to an individual’s request for records.
Happy (belated) New Year! 2020 marks the second anniversary of CyberAdviser. In the world of data privacy and cybersecurity, a great deal has happened over that span of time, including the enactment of the GDPR, BDLC (Brazil’s new privacy law), and the CCPA; the continued expansion of data breach and biometrics litigation; important US federal and state enforcement activity; enactment of the CLOUD Act; guidance from the Supreme Court regarding Article III standing (especially critical in privacy-related litigation) and privacy protections for mobile devices; numerous data breaches (over 5000 reported breaches, affecting 8 billion records in 2019); historic FTC settlements with Facebook and Equifax; and the development of new AI and machine learning technologies raising new privacy and security concerns, among other important developments. Here is a link to our 10 most read blog posts of 2019:
2020 promises to be a very active year for this blog. Already several states have proposed CCPA-style privacy laws. It is also likely that other states will pass biometric protection laws, and data broker registration laws. The FTC is also expected to announce new proposed regulations to the Safeguards Rule in the coming year. India has a new proposed privacy law that we are closely monitoring. The Supreme Court will be hearing a challenge to the constitutionality of the TCPA. We will be blogging about these issues as they develop. We will also be tracking litigation under the CCPA’s new private right of action for data breaches, and enforcement actions by state AGs with regard to data privacy.
We want to thank our many readers around the world who continue to make this blog such a success. If you’d like to learn more about Ballard Spahr’s Privacy & Data Security Group, please visit our website.