PrivacyAlert June


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

PrivacyAlert June

  1. 1. Nixon Peabody LLP Privacy Alert Legal and political developments affecting privacy ™ Vol. 2, No 1 June 2001 Health Information Privacy The Surprise HIPAA Announcement – The Basics The HIPAA rule on health information privacy, final as of April 14, 2001 takes effect in two years. The announcement by HHS Secretary Tommy G. Thompson surprised health care lobbyists and the health care industry alike. Secretary Thompson, just a few days prior, said the rule would probably be delayed. HHS will, however, provide guidance and, possibly, modifications to the rule before full compliance is required in 2003, but it is unclear exactly when such guidance and modifications will be published. As adopted, the HIPAA health information privacy rule limits the use and disclosure of individually identifiable health care information by "covered entities," such as doctors, hospitals, pharmacies, medical billing services, health care plans and HMOs. Estimates of the cost of compliance range from $10 billion to $40 billion. Background The HIPAA health information privacy rules were required to be implemented by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and were published by the U.S. Department of Health and Human Services ("HHS") on December 28, 2000. The 1996 HIPAA legislation was designed in part to develop a set of privacy rules to govern the explosive growth in use and distribution of sensitive health information by providers of health care and related services through electronic means. The preamble to the rule describes a number of abusive uses of health informa- tion and describes privacy as a "fundamental" right. While many state and federal rules already apply to health information privacy, the HIPAA rules are the first comprehensive set of federal rules dealing with privacy at virtually each stop in the health care system. HIPAA also has two other components, the Transaction Rule, published last August, and the Security Rule, which has not yet been published. These three rules, when final, govern the security of data, uniform methods for electronic storage, transmission and access, and privacy rights. The General Rule The general rule governing health information privacy is that no covered entity, e.g., a health care provider, health care plan, pharmacy or medical clearinghouse, can use or distribute protected health information (except when provided to the Privacy Alert is intended as an information source for the clients and friends of Nixon Peabody LLP. TM Its content should not be construed as legal advice, and readers should not act upon information in this publication without professional counsel.
  2. 2. Privacy Alert A publication of Nixon Peabody LLP patient) without the patient’s "consent" or "authorization." In some cases exceptions to the consent or authorization requirement apply. An example would be a medical emergency. The devil is, of course, in the details. For example: • Written Consent — Prior written consent to health care providers will be the new starting point before any health care provider can use or disclose protected health information to carry out treatment, payment or health care operations. Information that does not identify the individual is not covered. Consent can be revoked, and exceptions exist, including use or disclosure for medical emergencies, treatment of inmates, public health crisis or disease control. Any health care provider — such as a physician — can, under the rule, condition treatment on obtaining an initial consent or restoring a revoked consent. All patients must be advised that they may review the covered entities’ privacy policy. The consent requirement was added to the final rule after initial comments were filed with HHS. It has drawn criticism for the cost and the complexity of compliance, as well as delaying patient treatment. • Written Authorization — A patients’ written authorization is required before the use or disclosure of health care information that is not for a "permissible purpose." Generally, this is information received for a purpose that is not treatment, payment or health care operations. For example, a written authorization is needed before a patient’s health information can be included on a list for marketing purposes. Unlike consents, a health care provider cannot refuse treatment if an authorization is not provided or is revoked. • Patient Access to Records — Disclosure and use of health information without consent or authorization is permissible if the disclosure is made only to the patient. Also, for the first time patients receive the right of full access to medical records. The right includes the ability to correct errors or misstatements appearing in the record. • Privacy Notices — Each covered entity must develop a health information notice to be made available at a patient’s request describing how it uses and distributes health care information. The notice must also advise that patients have the right to request restrictions on the use or distribution of records. Covered entities, however, are not required to agree to restrict use or distribution. The list that covered entities provide of uses and distribution of health information will be a lengthy one. Reportedly, a model privacy notice developed by the American Hospital Association and listing possible uses of health information covered nine pages. • Restrictions on Information Use by Business Associates — The rule also restricts the use of health information by business associates of covered entities. For purposes of the rule, a business associate is any entity or individual with whom the covered entity does business and includes accountants and lawyers. The rule requires business associates who receive protected health care information to safeguard the information and restrict their use to the same as that of the covered entity, and it requires that covered entities receive "satisfactory assurances" that business associates will safeguard health information. Under the rule, the best evidence of a satisfactory assurance is for the covered entity to contract with business associates to limit information use. Under the rule, HHS can examine records of business associates. • Security and Safeguards — HIPAA health information privacy rules will require staff training, physical and informational security measures, and safeguards for protecting health information. Training must be documented and must be provided to new employees within a reasonable time. • Review and Penalties — The rule also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000. 2
  3. 3. Privacy Alert A publication of Nixon Peabody LLP Principal Concepts or Terms of the Health Information Privacy Rule In the four hundred or so Federal Register pages covered by the HIPAA health information privacy rule, there are a number of terms or concepts needed to understand the rule. Among the most important are: • Health Information — This term covers any information that relates to the past, present or future physical or mental health or condition of an individual, and the provision of health care to that individual or payments for health care by that individual. The health care information can be created or received by an array of diverse entities, such as a health care provider, employer health care plan, school, life insurer, public health service or clearinghouse. Importantly, the information can be oral, written or recorded in any medium. This means virtually all such communications can be deemed protected health information. • Minimum Necessary Information Use or Requests — The HIPAA health information privacy rule also requires covered entities that disclose information to establish procedures to disclose, use or request only the "minimum necessary" to accomplish the intended purpose. Health care providers are excluded from the minimum necessary standard for information "distributed" to them for treatment purposes. It does not, however, apply to the health care providers "use" of such information. The Rule provides no guidance on what the "minimum necessary" should be. • Privacy Officials and Staff Training — Each covered entity will be required to designate a privacy official as a focal point for compliance. Staff training on privacy for methods, policies and procedures a covered entity uses to protect privacy is required. • Employers — The rule requires that group health plans cannot disclose protected health information about employees to employers except as it relates to providing and paying for health care. Employers will also be required to create firewalls between company officials who work on company health plans and those involved in personnel or employment related matters. Preemption of State Laws The new rule provides a form of federal preemption of state law but contains numerous exceptions allowing state law to control. If a state law provides greater protection than the baseline or floor protections provided in HIPAA, then the stronger state law would prevail. This approach is similar to financial privacy and like financial privacy could create a patchwork of state laws that override or modify federal law requirements. Compliance Date The rule requires compliance by April 14, 2003, under most circumstances. Small health plans (under fifty members) have until 2004. The HIPAA health information privacy rules and the rules relating to standards for electronic transactions and security standards mark the beginning of a complex and costly effort to bring comprehensive privacy rules to the nation’s health care system. Because of the vast number of users, many diverse entities, such as schools, employers, financial institutions and government agencies, will need to understand the rules. Portions of the rules will probably be modified by HHS and Congress may well intervene at a future time. Compliance efforts need to begin but future HHS guidelines and modifications also need to be monitored. Privacy Alert will continue to report on developments in this area. 3
  4. 4. Privacy Alert A publication of Nixon Peabody LLP International Privacy Safe Harbor – Still a Work in Progress As of May 31, 2001, only about forty-four U.S. companies had signed up for Safe Harbor treatment resulting from the accord negotiated with the U.S. and Europe last year (see The European Commission Safe Harbor — The Basics in Nixon Peabody Privacy Alert, Vol. 1 No. 1). The largest are Dunn and Bradstreet and Hewlett Packard and (reportedly) Microsoft. The Safe Harbor program took effect on November 1, 2000, and allows U.S. companies that voluntarily certify to a level of privacy protection to continue to receive transmissions of personal data from Europe without violating the European Union’s 1998 privacy directive. Under the directive, privacy data cannot be transferred to any country whose privacy pro- tection laws do not ensure an "adequate" level of protection. U.S. privacy laws were deemed not adequate. A moratorium on enforcement of the directive by the EU expires on July 1, 2001, unless extended. The U.S. Department of Commerce has been actively recruiting U.S. companies to participate in the Safe Harbor Agreement. It has established a Web site to provide information and has conducted outreach seminars in various U.S. cities in the past several months. Because U.S. businesses remain indifferent if not hostile to Safe Harbor, criticism by both the U.S. and Europe on Safe Harbor and its benefits is becoming more animated. In recent Congressional hearings, the U.S. was characterized by some witnesses as "insensitive" to fundamental privacy rights. Europe, on the other hand, wascriticized for imposing extra- territorial laws upon the U.S. The fundamental concerns with Safe Harbor seem to be the following: • Safe Harbor Requirements Exceed Current U.S. Privacy Law in Several Areas — Under Safe Harbor, U.S. companies agree to submit to FTC enforcement of EU privacy laws if EU officials or self-certifying organizations detect continued uncorrected violations of Safe Harbor. The FTC would be authorized to treat violations as unfair trade practices. Many U.S. companies are reluctant to have the FTC enforce European laws in U.S. courts in light of the very active role the FTC has already undertaken in the privacy area. • Safe Harbor Is Nonbinding Outside of Europe — U.S. companies are also worried that voluntary compliance under the Safe Harbor only affects collection and transmission of personal data in Europe and not other parts of the world. A number of countries, many of whom are important trading partners, have adopted European Union-like privacy laws with extra-territorial impact on data transfers. In Canada, for example, a new privacy law adopted about five months ago requires U.S. companies importing data about Canadians to abide by Canada’s privacy law. Signing the EU Safe Harbor could, it is asserted, weaken the ability to negotiate standstills or forebearances with other nations. • Financial Institutions Are Excluded — The EU wanted a U.S. federal agency to enforce repeated violations of Safe Harbor in the U.S. The Commerce Department recommended the FTC, citing its broad authority to police unfair or deceptive practices. Financial institutions, such as banks, thrifts and credit unions, are by law exempt from FTC jurisdiction and thus not covered by Safe Harbor. Recently, the Chairman of the House Committee on Financial Services, Mike Oxley (R-OH), wrote Treasury Secretary Paul O’Neil advising him that the House Financial Services Committee was troubled by the failure of the EU to grant adequacy determinations to U.S. financial services firms. Treasury will soon begin discussions with the EU on why financial services firms should receive adequacy determination and argue that Gramm-Leach-Bliley has strengthened privacy protections to which U.S. financial institutions are subject. • Model Contracts — With the enforcement moratorium looming and U.S. companies signing up for Safe Harbor, the EU has approved and circulated another authorized alternative, model contract language. By adopting model contract clauses, a data importer in the U.S. could continue to import data after July 1, 2001, without entering into separate agreements with each EU company from which data is transmitted. Model contracts would be in 4
  5. 5. Privacy Alert A publication of Nixon Peabody LLP lieu of Safe Harbor but many of the model contract provisions are also viewed skeptically, including: • The requirement to submit to audits by the data exporter; • The requirement to compensate parties incurring damages as a result of a violation of the model contract. • Allowing customers to have unprecedented access and rights of correction for imported data. • Prohibiting retransmission of data to another non-EU country. The model contract language requires the approval of the European Parliament expected to take place before July 1. Privacy Litigation Fleet Mortgage Case: More High-Stakes Consumer Privacy Litigation In the still fresh historical record of why Congress imposed tough new financial privacy legislation on the nation’s finan- cial institutions, most observers point to the U.S. Bancorp case. In that 1999 case, brought by Minnesota’s Attorney General Mike Hatch, U.S. Bancorp allegedly shared credit card numbers of its customers with a telemarketing firm even though its privacy policy appeared to prohibit such sharing. The practice allowed telemarketers to sell dental insurance and other products to U.S. Bancorp customers without asking for card numbers. U.S. Bancorp, which recently merged with First Star, settled the case in about thirty days. However, the case gave renewed momentum to privacy advocates at the time the finan- cial modernization bill was coming before the House Banking Committee. With the impending July 1, 2001, Gramm-Leach-Bliley enforcement date looming, a new case involving Fleet Mortgage, Inc. and telemarketers has been filed by Attorney General Hatch. This one, while similar to U.S. Bancorp, has an impor- tant twist in that it is based in part on alleged violations of federal telemarketing laws by Fleet Mortgage even though the telemarketing was done by non-affiliated companies. The Fleet Mortgage lawsuit was filed by Minnesota on December 28, 2000. Fleet Mortgage, Inc. is a nationwide mortgage servicing company with about three million customers and is an affiliate of New England’s largest banking company, Fleet Boston Financial Corp. Minnesota Attorney General Hatch based the Fleet case on pre-Gramm-Leach-Bliley law. As with U.S. Bancorp, the lawsuit challenges a form of selling called "pre-acquired account telemarketing." The program allowed fees to be automatically charged to customers’ mortgage accounts after a trial period without the telemarketer having to obtain the customer’s signature approving the charge. The lawsuit alleges also that Fleet engaged in deceptive marketing practices and violations of customers’ privacy rights. Allegedly, Fleet shared with telemarketers detailed information about its customers’ mortgages, including account num- bers, monthly payment amounts, and current mortgage balances. Armed with this information, telemarketers were able to target mortgage customers for memberships in certain buying clubs offering discounts on legal services or auto repairs and to add the charges to monthly mortgage statements. According to the complaint, the critical aspects of Fleet’s pre-acquired account telemarketing were: • Providing Mortgage Account Numbers to Telemarketers — Although customers never gave written approval or the mortgage account number to telemarketers, the agreement to a trial membership allowed the charges to be assessed on the mortgage account without obtaining written approval or other traditional evidence of consumer consent. 5
  6. 6. Privacy Alert A publication of Nixon Peabody LLP • Apparent Inconsistency with Fleet Mortgage’s Privacy Policy — The May 1999 "Privacy Policy" for Fleet mortgage customers said that Fleet Mortgage shared information with companies who provide services that may be beneficial, but that Fleet "share[s] only the minimum amount of information necessary for that company to offer its product or service." The complaint asserted that Fleet disregarded its own privacy policy when it disclosed account numbers since account numbers were not "necessary" for telemarketers to call Fleet’s customers. • Telemarketing Act — Fleet Mortgage was also viewed by Minnesota as a "telemarketer" even though its independent telemarketing partners and not Fleet Mortgage employees made the actual calls. The Federal Telemarketing and Consumer Fraud and Abuse Prevent Act (15 U.S.C. § 6101-6108) was applied, according to Attorney General Hatch, for the first time to a financial institution even though it did not directly engage in the practices. Fleet is actively defending the lawsuit, which is pending in Federal District Court. In April 2001, the court denied Fleet’s motion to dismiss the case. No trial date has been set. Fleet Mortgage – The Fallout Attorneys General from other states and plaintiffs’ class action lawyers are all following the Fleet case. For example, Bruce Marks, a Boston-based activist and Chief Executive of the Neighborhood Assistance Corporation of America ("NACA") recently threatened a national class-action suit against Fleet using a Boston law firm already on retainer to the group. In March 2001, NACA sent postcards to more than 100,000 Fleet mortgage customers in New England publicizing Fleet’s telemarketing practices. Later, NACA protested Fleet’s actions at Fleet’s annual board meeting in Boston, again threaten- ing the class action lawsuit. Fleet has announced the sale of Fleet Mortgage to Washington Mutual, the nation’s largest thrift institution. The transaction will close later this year. As the Fleet litigation progresses, it should continue to garner national attention. It is a cautionary tale on the risks of telemarketing partnerships and the activism of state officials and the plaintiffs’ bar. All of Fleet’s actions occurred before federal financial privacy laws were enacted. How this will develop after the July 1, 2001 enforcement date for Gramm-Leach-Bliley privacy rules is still unknown. Privacy Litigation U.S. Courts in D.C. Rule Against Trans Union on Credit Headers and Target Marketing The month of April was not kind to the giant credit bureau Trans Union. On April 13, 2001, the U.S. Court of Appeals for the District of Columbia ruled that Trans Union could not continue to sell customer lists known as "target marketing lists" to marketing firms because the practice violated the Fair Credit Reporting Act. Trans Union has been fighting this issue since 1992 when the FTC filed an administrative complaint. The United States District Court for the District of Columbia later in the month issued a ruling on a summary judgment motion holding that Trans Union’s sale of customer names, addresses and social security numbers, known as "credit headers," was "financial information" and subject to the restrictions in the Gramm-Leach-Bliley Act. Trans Union had said that lists of names and addresses were not financial information as contemplated by Gramm-Leach-Bliley and that the FTC exceeded its authority in writing financial privacy rules holding that they were. 6
  7. 7. Privacy Alert A publication of Nixon Peabody LLP Customer Lists Sale of target marketing lists derived from consumer reports had been a significant revenue source for all credit bureaus. In 1992, the FTC filed a complaint against credit bureaus under the Fair Credit Reporting Act which said that target marketing lists could not be sold to marketers who had no authorized purpose for receiving the information. Other credit bureaus reached accommodations with the FTC but Trans Union did not. After lengthy administrative proceedings and appeals, the Court of Appeals found for the FTC. Trans Union was required to terminate selling of target marketing lists within ten days. Credit Headers In the credit header case, Trans Union said, among other things, that the Gramm-Leach-Bliley Act applied only to "finan- cial information" and that credit header information, which is essentially the top line of a credit report and usually includes only names, addresses and social security numbers, was not financial. The District Court strongly disagreed saying that the FTC, in its rulemaking capacity under the Gramm-Leach-Bliley Act, was well within the discretion permitted agencies in interpreting credit header information as financial information. Notably, the court said in the Trans Union case that the "context" in which information is provided is more significant than the intrinsic nature of the information itself. Privacy Regulation and Legislation Real Estate Brokers Could Be Subject to Federal Privacy Rule If real estate brokers lose their epic battle to prevent banks from engaging in real estate brokerage and property manage- ment, they may have a double defeat. First, new competitors will enter the real estate business. But second, realtors will be subject to the complex and costly new financial privacy rules under Gramm-Leach-Bliley. The comment period on the rule proposed by Federal Reserve Board Rule expired on May 1, 2001. Privacy responsibilities will kick in because of the broad meaning of the definition of "financial institution" in the Gramm-Leach-Bliley Act. If an activity is authorized under law or regulation for financial holding companies or bank holding companies, it makes any entity (even if it is not a bank) "substantially engaged" in that activity subject to the same privacy notice rules as banks, credit unions or insurance brokers. Personal tax preparation, for example, is deemed a financial activity, and law firms or accounting firms providing those services are subject to the financial privacy rules. Real estate brokers have voiced their vigorous opposition to the proposed rule. There are no indications when or whether the proposed rule will be issued in final form. Children’s Privacy FTC Settles First Children’s Privacy Cases In April 21, 2000, the Children’s Online Privacy Protection Act ("COPPA") became effective. About one year later, the FTC announced the settlement of its first enforcement actions under COPPA against operators of Web sites. The owners of the three Web sites —, and – paid fines totaling $100,000 in settlement of FTC complaints that they were collecting information that could be used to identify children in violation 7
  8. 8. Privacy Alert A publication of Nixon Peabody LLP of COPPA. The operators are also required to delete all personally identifying information on children collected since the COPPA rules took effect. The FTC stated that this was the first COPPA related enforcement action. Under COPPA, there are special privacy rules for Web sites directed to children or where a Web site operator has actual knowledge that it is collecting personal infor- mation from a child under thirteen years of age. Among these rules is the need to obtain verifiable parental consent before collecting such information. Privacy Notes Opt Outs The American Banker recently reported that only 5% of bank customers who receive privacy notices with opt out rights are exercising those rights by actually opting out of receiving information from nonaffiliated third parties. State Actions One complicating factor in achieving reasonable means of privacy compliance for business operating in multiple states is the ability of states to write laws which conflict with federal laws. Many states are actively exploring their options. For example, there are pending twelve bills on telemarketing alone in Massachusetts, according to the Massachusetts Bankers Association. California’s Senate approved opt in legislation this month which would require financial institutions to get permission before sharing customer information with nonaffiliated third parties. Identity Theft The FDIC said recently that identity theft affects more than 500,000 persons per year. If you would have any questions or require further information regarding these or other matters, please call your regular Nixon Peabody contact or feel free to contact one of the attorneys listed below, who serve as our Privacy AlertTM Board of Editors: • in our Washington office, Raymond Gustini, Editor, (202) 585-8725, and Laurin Mills, (202) 585-8515 • in our New York City office, Bart Pisella, (212) 940-3038 • in our Rochester office, Bruce Baker, (585) 263-1232 • in our Boston office, Leigh-Ann Patterson, (617) 345-1258 8