Health Information Omnibus Rule additions will empower the patient – finally

The U.S. Department of Health and Human Services (HHS) has updated the data privacy and security rules governing electronic health records by finalizing an omnibus rule that increases these protections.

First enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and expanded under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, these rules have created both incentives for health care providers to digitize health records and obligations to protect the data from loss or misuse.

In the 2013 omnibus rule, HHS has moved to increase the individual patient’s interest in the health data system by expanding the patient’s rights regarding their health records.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • Parents and guardians should find it easier to give permission to share proof of a child’s immunization with a school.
  • Patients must give permission before that individual’s health information is sold under an expanded number of conditions.

Digitization has swept most industries in the fifteen years since HIPAA was first enacted. Nonetheless, the cost of record conversion, concerns over privacy, and competitive issues that incentivize health organizations to avoid cooperation have slowed the transition to electronic health records. The incentives of the HITECH Act and the new rule should continue pushing to complete the conversion.

The HHS press release added this observation:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Full implementation of the new rules will take 12-18 months, giving health care providers time to adjust their processes to meet the new obligations. The 563 page rule can be viewed here. HHS’s announcement of the rule is found here.

When to shred your Facebook page

Two recent cases (both analyzed quite thoughtfully in Eric Goldman’s blog) highlight the importance of anticipating unintended audiences. These situations are not unique, but they provide stark reminders of why each person should be diligent about social media and its impact. The first lesson is that broad complaints lose their context online. As reported in the Matter of the Tenure Hearing of Jennifer O’Brien, State Operated School District of the City of Patterson, Passaic County, 2013 WL 132508 (Jan. 11, 2013), a2452-11, Ms. O’Brien was a tenured, certified elementary school teacher in the Patterson, NJ schools. O’Brien had been assigned as technology coordinator at School No. 29. The next year she found herself at School No. 21, assigned to teach the first grade, with 23 students, “[a]lmost all [of whom] were six years old. All were either Latino or African-American.” The court reports the posts:

On March 28, 2011, O’Brien posted two statements on Facebook, an internet social-networking site. The first statement was, “I’m not a teacher — I’m a warden for future criminals!” The second statement was, “They had a scared straight program in school — why couldn’t [I] bring [first] graders?”

Perhaps Ms. O’Brien was frustrated at her reassignment; perhaps this was dark humor. It was insensitive, disparaging of these six year olds, and found to constitute conduct unbecoming a teacher. Her defense that six or seven of the students were disciplinary problems or had stolen from her seems a bit non-responsive. Posting to her friends, who numbered above 300, amounted to a broadcast and resulted in her termination. She never should have made such a post. But how does she rectify it? The answer to that leads to the second incident listed on the Goldman blog. In Allied Concrete v. Lester, 2013 Va. LEXIS 8 (Jan. 10, 2013), Venkat Balasubramani writes of a dispute in which the survivor in a wrongful death action is told by the attorney’s paralegal to “clean up” his Facebook page because he didn’t “want any blow-ups of this stuff at trial.” The Facebook page was subject to discovery, at least in part because the plaintiff sent a Facebook message to an attorney for the defendant. Having failed to exclude the Facebook page, the lawyer was concerned that embarrassing pictures would negatively influence the jury and affect the damages award. He should have been worried that instructing the paralegal to advise the client to destroy documents could lead to sanctions and affect the trial. In this case the sanctions were levied at $542,000 and an additional $180,000 was ordered paid to cover costs of the defendants. (Admittedly, the plaintiff made matters worse by lying about the deletion and evading the discovery requests.) While sanctions of this size should highlight the need to be cautious about what to post and when to remove the posts, matters involving federal investigations are even riskier. The Sarbanes-Oxley anti-shredding laws extend to any destruction of material related to an ongoing federal investigation. The law is extremely broad:

18 USC § 1519 – Destruction, alteration, or falsification of records in Federal investigations and bankruptcy

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Although enacted as part of Sarbanes-Oxley, the law does not have any limitations regarding publicly traded companies, corporate fraud – or seemingly any limitations at all. If the eventual investigation includes a federal agency or inquiry, then the knowing destruction of a record constitutes a violation. And records aren’t pressed in vinyl or lacquer. Tweets, posts, photos, and video will all be covered under the statute. A quick collection of examples serves to illustrate the point:

Individuals prosecuted under Section 1519 include: an employee of a private community corrections center, for providing an inmate with a clean urine sample and falsely completing official paperwork regarding the sample, United States v. Jensen, 248 Fed. Appx. 849 (10th Cir. 2007); a woman who destroyed a CD containing child pornography that belonged to her boyfriend after learning that he was under investigation by the FBI, United States v. Wortman, 488 F.3d 752 (7th Cir. 2007); a Pennsylvania state senator, for destroying e-mails pertaining to matters under federal investigation, United States v. Fumo, 2007 U.S. Dist. LEXIS 79454 (E.D. Pa 2007); and an ophthalmologist, for falsifying and creating false medical records in order to defraud Medicare and Medicaid, United States v. Mermelstein, 487 F.Supp.2d 242 (E.D.N.Y. 2007). — Obstruction of Justice under Sarbanes-Oxley: A Broad Reach by Michael G. Considine and Caroline Bersak Hyde

As a result, removals of Facebook pages, Tumblr photographs or other online content could result in a 20-year federal prison sentence if the content is removed after the owner of the account becomes aware that a federal agency is taking an interest in a matter relating to the post. Since the crime is committed if the removal is done pursuant to an indictment, investigation, or “in relation to or contemplation of” such a matter, once a federal inquiry could be triggered, it is potentially too late to remove the content. The obvious lesson is not to post harmful comments or embarrassing statements. The second best step is to remove harmful content to reduce ongoing embarrassment and damage while preserving the removed content for investigators. After all, nothing in the law requires that a person continue an ongoing harm; the duty is to disclose to investigators, and that goal can be accomplished without continuing the public disclosure.

If the situation in Patterson had created interest in pursuing a federal civil rights claim on behalf of the first grade students, then suddenly the question of social media decorum easily escalates to a federal investigation. In such a case, the comments can only be removed if they are fully archived so that there is no spoliation of the evidence. If a teacher in Ms. O’Brien’s position tried to delete the Facebook account to make the situation go away, that teacher could be facing federal prison rather than merely a tenure hearing.

This raises not a lesson but a warning. The overbreadth of these statutes grants far too much prosecutorial discretion and the ability to layer multiple criminal sanctions one atop another. Trivial acts may suddenly result in prosecutions carrying decades of potential jail time. Strong laws require predictable outcomes and equal treatment. Selective enforcement of overly broad provisions achieves no social goals.

The final lesson is for employers to develop, enforce and train their staff members on the importance of both social media policies and document retention policies. Companies face challenges enforcing either policy, but when the two come into conflict, employees and their supervisors can land in jail. Maybe the best time to shred that social media account is right this minute – unless, of course, there is any federal interest in investigating the content.

Netflix Wins Congressional Protection to go Social in US under New Law

An amendment to the 1988 Video Privacy Protection Act allows video tape service providers to let their customers opt in to the sharing of video rental and viewing data. Under the new legislation, companies such as Netflix, Hulu, and Crackle will be able to let their users share what they have been watching through their social media services.

President Obama is expected to sign the bill into law this week.

Video companies will use the new law to encourage their users to post what they are watching to their friends and family – encouraging greater viewership on that platform. Netflix already provides this option on its European platform, but concerns over the reach of the Video Privacy Protection Act limited the company’s use of social media in the U.S.

Earlier this year, Hulu lost a claim in which it argued the Video Privacy Protection Act did not extend to online content suppliers. The California District Court hearing the case disagreed, stating “a plain reading of a statute that covers videotapes and “similar audio visual materials” is about the video content, not about how that content was delivered (e.g. via the Internet or a bricks-and-mortar store).” The decision to allow the class action against Hulu to proceed (and a settlement by Netflix in a similar situation) set the stage for legislative action.

The law was originally enacted in response to the disclosure of Supreme Court Nominee Robert Bork’s videotape records. The law extended similar protections for library records. (The American Library Association reports that 48 of the 50 states have such statutes.) In addition to the federal law, many states also have laws protecting rental and viewership records, so compliance at the state level may somewhat deter the roll-out of the automated “frictionless sharing” of viewership data.

At the heart of the privacy rules stands a constitutional assertion that free speech often starts with unmonitored access to information. The freedom to read divergent, controversial, or even antisocial and seditious materials is essential to develop an open, robust and unfettered political debate. To punish a person merely for accessing controversial content will ultimately stifle expression, creating a far greater evil than the content being discouraged.

Perhaps because this form of privacy is rooted in First Amendment protections, it was the one privacy rule in which U.S. residents had greater legal protections than their European counterparts.

The law provides consumers the ability to withdraw consent at any time. Nonetheless, expect to see a great many status updates about your acquaintances’ viewing habits by the end of the year. Opting out of those might not be as easy.

Beyond debunking the Facebook Notice

In response to the widespread posting of copyright warnings on Facebook, David Pogue wrote a short blog “You Can Stop Spreading That Facebook Notice Now” which correctly attempted to get people to stop repeating the useless post. His advice was correct – the post doesn’t have any effect – but perhaps there is more to the hoax than his article suggests.

The post quoted by Mr. Pogue is presented as follows:

In response to the new Facebook guidelines, I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, crafts, professional photos and videos, etc. (as a result of the Berner Convention).

For commercial use of the above my written consent is needed at all times!

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version.

Snopes, the anti-misinformation site, has already debunked this hoax. It cites two other variations. In them, they add some privacy constraints as well:

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.

UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE.

Mr. Pogue explains why he considers the post a hoax, then cites a Facebook statement and Snopes for confirmation. He is absolutely right that the post is ineffective. He may not, however, be accurate in other regards.

For example, Facebook explained the falsity as follows: “There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

First, the actual terms of the Facebook policy are a bit more nuanced: “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

  • The Facebook user owns the copyright in everything she uploads.
  • Facebook gets full use of that content.
  • If the user account is terminated, Facebook can still use the content so long as “your content has been shared with others, and they have not deleted it” – which means most content is never deleted.

So Facebook is completely correct that the posting does not affect the copyright in the posted content, but it fails to completely explain the consequences of the contract.

Second, this is a contract rather than a policy. This is important since contracts can be amended, but only according to the contract terms. In the case of Facebook, this means that only Facebook can propose changes to the contract – not the user – and users agreed that “Your continued use of Facebook following changes to our terms constitutes your acceptance of our amended terms.” This means the language cannot be used as a contractual modification.

Still on contract law, there is the curious reference to the Uniform Commercial Code (UCC). Since the UCC applies to the sale of goods, it has no bearing on a social media website’s user agreement. Moreover, UCC 1-103 merely recites the proposition that the statute does not eliminate additional common law protections such as “capacity to contract, principal and agent, estoppel, fraud, misrepresentation, duress, coercion, mistake, Bankruptcy, or other validating or invalidating cause[s]….” UCC 1-308 is a bit closer to the issue. If the contract had not already been formed, then reserving one’s rights means that performance under the contract does not automatically mean the contract has been accepted.

The posting may not be a “hoax” so much as a failed attempt to react to the unequal bargaining power between a web site provider and an individual user. That it fails does not make it a joke. The frustration may be very real.

The privacy statement in the attempted reservation of rights similarly fails. Something posted publicly does not become private through a disclaimer. If one’s settings are entirely private and posts are limited to a select group of people, some limited privacy might survive. This statement will not help in that regard.

One final point about Mr. Pogue’s column should also be noted. He chides the hoax author for describing the “Berner Convention.” Mr. Pogue reminds his readers that “you’re already protected by copyright law” – which is true, but ignores the contractual waivers that have limited its scope. He then goes on to say “there’s no such thing as the Berner Convention. There’s a Berne Convention, which covers literary works.”

I am hoping that Mr. Pogue – a journalist who makes his living as a writer and columnist focusing on law and technology – understands that the works protected under U.S. and international copyright law include the following:

  1. literary works;
  2. musical works, including any accompanying words;
  3. dramatic works, including any accompanying music;
  4. pantomimes and choreographic works;
  5. pictorial, graphic, and sculptural works;
  6. motion pictures and other audiovisual works;
  7. sound recordings; and
  8. architectural works.

The Berne Convention coverage is slightly different than the U.S. law (quoted above) in this regard, but it certainly includes all the photographs, music files, videos, poems, and pictures that a person uploads. It is not limited to fictional works of book length or any other more limited definition of literary works.

Mr. Pogue did not say anything of the sort. But the tone and the inference suggest he thinks the reference to the Berner Convention was much more egregious than a typo in the title. And while this doesn’t affect his advice to stop using the clause on Facebook, it makes one wonder – at least a little bit.

So stop using the Facebook disclaimer. Don’t negotiate a contract after you have agreed to its terms. Don’t expect that Facebook’s acknowledgement of user copyrights will actually change the company’s use of the uploaded content. And finally, don’t expect most journalists to understand the difference between copyright, patent, and trademark – they’re just in the business of creating content after all.

Lack of Network Diligence Will Cost Dearly

Northwest Florida State College acknowledged on Oct. 10, 2012 that it has been the subject of a data breach. The announcement explained the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as 3200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update by the university regarding the intrusion added details regarding the attack:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling with a weak economy, high tuition, and questions about the return on investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more important.

It is also a good reminder that all of us receiving funds via direct deposit need to be more diligent in checking our accounts.

The university has set up a website at http://www.nwfsc.edu/security/.

Significant revisions to Children’s Online Privacy Protection Rule trigger supplemental review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implementation of the law.

As described in the Federal Register, the COPPA Rule includes three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rule. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issued a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can also be submitted electronically.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and civil statute. It has strong criminal penalties for unauthorized entry into computer systems and provides an express private cause of action – enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access….” The statute provides some additional guidance. The phrase “exceeds authorized access” has its own definition. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents that one has no right to read is a violation of the statute.

But data theft is more nuanced than just this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner? Put another way – if an employee is fired and then takes the files she has had at home and brings them to her next employer, it is unlikely a CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA since her termination ended her authorized access to the computer. But what about the situation when one downloads the documents intending trade secret theft prior to being fired or quitting the company?

A recent Fourth Circuit opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012), faced this situation.

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data or who use the username and password of other employees to gain greater access to computer systems will remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission are beyond the scope of the CFAA. Similarly, those disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws, but they are not violating the CFAA in the Fourth Circuit.

Since it is better that the interpretation of a statute does not turn on the language in the employee handbook, this is a better result. Companies can still protect themselves by limiting access to sensitive information. Other laws address theft of trade secrets, and other torts provide a remedy for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. This result is consistent with the outcome in WEC, and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.